These days, IT security officers are busier than ever. Attacks on companies of all kinds are becoming more and more sophisticated and diverse. Business dependence on functional IT systems is generally on the increase. And the risks to finances and reputations – for example, due to a leak of sensitive data – are increasing in parallel. At the same time, the IT landscape that needs to be secured is becoming more complex and networked, which in turn affects the number of hypothetical and practical attack scenarios. Keeping up with this situation requires building up as complete a picture of suitable responses as possible, systematically and based on risk analysis, and implementing it along the time axis in a prioritised way. A variety of frameworks are available for this kind of ‘cyber security roadmap’ – for example, NIST, ISO or CIS.
Achieving the right balance of outsourcing and internal expertise
The timing of implementation is critical for every cyber security roadmap. After all, the object is to minimise the window for catastrophic attacks and damage that, because of insufficient checks, could be considered negligent. Of course, the vast majority of businesses run into the obstacles of limited funds and personnel. Outsourcing some tasks is an obvious solution wherever a mature service can simply be purchased and quickly implemented. Economies of scale and offshoring offer opportunities to save on initial investments and personnel costs. On the other hand, outsourcing also has disadvantages that should be assessed realistically. Otherwise, the overall level of protection may actually fall rather than rise. A few examples:
- Every additional outsourcing partner increases the complexity of the cyber security supply chain. What is generally true of supply chain attacks applies here, too.
- Outsourcing partners often obtain very valuable information about the internal infrastructure of a company, a prerequisite for any higher-grade attack. If, for example, the young OT security monitoring company in the offshore location advertises that it’s handling both the asset inventory and vulnerability management on the shop floor for you, then this company can gather very sensitive information about the vulnerability of your infrastructure. Whether the service provider – or whatever company may take it over in a few years – is trustworthy or even capable of protecting your data can be difficult if not impossible to determine.
- While cyber security outsourcers like SOCs can offer a huge advantage by finding correlations in attack patterns among their various customers, they typically possess very little contextual information about your internal IT and your business processes that would allow them to place attack patterns within a bigger picture for you. In this case, it is important that the process design allows for close collaboration with your internal specialists.
- Distributing your cyber security outsourcing among multiple service providers results in potential media and information gaps that make it difficult to get an overview and assessment of the situation and any useful countermeasures.
- Outsourcing of cyber security controls can become counter-productive, at least for medium-sized and large companies, if the development of internal expertise and specialist personnel is neglected and the in-house connection to the business IT and OT is lost. Finding the right balance is important.
Think agile, like attackers
Another factor that should be considered for an effective cyber security roadmap is the dynamism of the environment, which should allow priorities to be redefined at any time. When adversaries undertake a targeted attack, they don’t care how much money your company has sunk into its defences. They focus on the overlooked gaps. As Kevin Mitnick, a well-known hacker and later security consultant, says: ‘You could spend a fortune purchasing technology and services, and your network infrastructure could still remain vulnerable to old-fashioned manipulation.’ To find and close these gaps, you have to constantly compare current attack scenarios to your own defences and search for vulnerabilities. Taking the attacker’s point of view often helps you find blank spots that can be remedied at a manageable cost, ensuring that you detect attacks early or defend against them better. But for this you need security specialists who not only have a good overview of your company but who are also given the scope to constantly keep up to date and share information with other experts in trusted groups. As a CERT with 25 years of experience in trusted community management, we consider regular, active information sharing at the highest level of confidence to be one of the most effective means of keeping cyber defence in step with attackers.
Conclusion
Because of the complexity of the initial situation, companies need to be highly systematic and thorough in their approach to cyber security projects, using risk analysis and cyber security roadmaps. Outsourcing is often a reasonable way of achieving the required speed and cost efficiency during implementation, but it entails risks and limitations that should not be ignored. You also need to account for the dynamism of attackers, which calls for a certain agility in implementing defences. Internal security experts are a critical factor in detecting and defending against complex attacks in good time. They need to have a good operational overview of their own company and a network of trusted peers.
