Understanding Proactive Cyber Security

Cheng Lai Ki
Horangi
Dec 14, 2017

In today’s growing digital marketspace, we are seeing a near-continuous emergence of Small and Medium Sized Enterprises (SMEs) that are leveraging the Internet-of-Things (IoT) to empower their corporate operations. The increased digital integration of corporate activities (e.g. asset management, marketing), empowered by enterprise solutions leveraging the IoT backbone, has led to the rapid expansion of third-party partnerships and opened many local businesses to the global marketspace. This results in highly complex digital ecosystems within the even larger nexus of other corporate and personal networks forming the IoT landscape.

In terms of data, network complexity, applications and corporate processes, we are seeing unprecedented levels of hyperconnectivity linking enterprises of all sizes across international borders. While this is undoubtedly a positive direction from a business development perspective, the same cannot necessarily be said for security, which is stuck in a perpetually reactive posture against increasingly sophisticated and adaptive threats. So why are we here, and what can be done to improve our situation?

Understanding Cyber Security

Before answering those questions, everyone needs to be on the same page about what cyber security is. Well, newsflash! It is not some new mystical security concern, but simply age-old security issues replicated under a new medium.

Image developed internally by Horangi artists

A somewhat obvious indicator of this is the application of conventional security terminologies within cyber security discussions, such as Intrusion and Defense-in-Depth as outlined in the NIST ‘Glossary of Key Information Security Terms’. In broader international security contexts, cyber security refers to all defensive operations conducted within cyber space, otherwise known as the Fifth domain of Warfare alongside the other domains of Land, Sea, Air, and Space. Most state-level cyber operations are often designed to complement conventional security operations conducted in other domains. In the bluntest terms, security objectives don’t change but are simply adapted to fit various operational environments — formerly known as battlespace.

Pulling back into corporate civilian contexts, cyber security refers to the protection of all assets, such as connections and contents, within a specific computer network. While this definition is technically accurate in addressing attack vectors like malicious code injections, it fails to consider the human dimensions that attackers often exploit through social engineering (e.g. phishing) to support the initial intrusion into a victim’s network.

Therefore, cyber security should be understood as a multifaceted security challenge requiring a combination of different expertise to address both the technical and human elements within. Taking these elements into consideration, cyber security should be defined as the securitization of all human and technological elements forming the near-infinite digital domain known as cyber space. It is important to understand cyber security from such perspectives because the prime directive is the act of protecting a technical target that facilitates any corporate objective.

Why Are We Here?

Now that we have cultivated an understanding of what cyber security is, let us explore why the enterprise security landscape is in its current lopsided state.

Our corporate aspirations to rapidly engage societal gaps through a business model or solution have arguably created a lopsided security landscape where security practitioners are forced into a reactive posture, needing to constantly respond to vulnerabilities which could have been detected and rectified in a pre-release security audit. As we have seen over the latter half of 2017, some enterprises (e.g. Uber & oBike) experienced varying degrees of cyber attacks that originated from missed vulnerabilities within the expansive corporate network, showing that even large digitally integrated enterprises are operating in, or contributing to, this state of enterprise security.

Whilst there are other reasons for the current reactive security postures, such as societal awareness/education, the zealous nature fueling corporate aspirations is undoubtedly a contributing element. Within a product/service development lifecycle, security has always been a late consideration, sometimes even subsumed as a final-stage consideration under ‘support’ contexts. In an era where more products, ranging from toys to critical medical devices, are leveraging the IoT landscape, this should no longer be the case. Attackers are becoming increasingly adaptive and sophisticated. Thus, we need to adopt a proactive posture towards identifying vulnerabilities and managing risks attributed to the early stages of product development.

Understanding the Challenge

Accomplishing this requires a host of advanced skills spanning the technical (e.g. Penetration Testing & Malware Analysis), intelligence (e.g. Criminological and Behavioural Science), risk management, and strategic planning (e.g. Product/Service Development) domains. The simplest way to understand how we can change this is to first acknowledge what kind of challenge cyber security really is within enterprise contexts.

When talking about cyber security amongst industries, most assign it to the domain of responsibility of either the corporate leadership or the security community. They are both actually correct. The unfortunate truth here is that the ramifications of a cyber attack, such as monetary and reputational losses, are indeed corporate concerns. However, the means and processes by which such losses are mitigated are irrefutably a responsibility of the security community. Bluntly put, companies need to understand that cyber security is neither an exclusive security nor corporate requirement, but a combination of both under a singular requirement of enterprise survivability.

What constitutes a Proactive cyber security posture?

In simple terms, it refers to the ability to operate in anticipation of a potential attack on a computer network. In contrast to more conventionally reactive approaches, this requires consistent testing and upgrading of your security capabilities to comprehensively deter advanced specialised threats to an enterprise network. Putting this into context, should any corporate process change, relevant security processes must actively change alongside it, and vice versa.

Accepting the conceptual perspective that cyber security is a hybridized challenge requiring consistent communication between corporate and security suites is the first step towards cultivating a proactive approach to protecting your enterprise. Moving forward, enterprises can choose to develop security processes and capabilities in-house, or to enter into a partnership with a trusted security provider.

Cheng Lai Ki
Horangi

Technophile with advanced degrees in Criminology and Intelligence & International Security. Former Managing Editor for a British Security Studies Blog.