Christopher Wright, author of Fundamentals of Information Security Risk Management Auditing, and “Agile Governance and Audit” discusses the flexible approach organisations should take to combat cyber threats.
The National Crime Agency (NCA) recently published its Cyber Crime Assessment for 2016. From this report, it is clear that cyber criminals are agile in their response to new and emerging criminal opportunities, becoming “both more aggressive and technically proficient”, with business-like organisational structures and access to extremely specialist skills (including ‘malware as a service’ and use of encryption to hide fraud).
The BBC reported that the criminals are currently winning the ‘cyber arms race’ despite an increase in the availability and use of countermeasures from the government, business and law enforcement sectors.
The challenge is to go beyond simple compliance – our comfort zone – to be able to respond more rapidly to newly developing threats as they emerge. Such an approach needs to rely on behavioural and management changes across whole organisations, as well as implementing new technology and security responses.
The Cyber Essentials scheme has gone a long way to improve awareness, particularly for smaller businesses, but there is still much to do.
We must be more agile by applying the principles of the Agile Manifesto:
- Placing more emphasis on individuals and interactions
Tools and processes are important, but they are frequently circumvented by human behaviour – not just for nefarious reasons but sometimes simply to take short cuts or get the job done. How often have we found, for example, organisations lock down USB ports and soon their users find other ways of transferring large amounts of data. Tools alone are not sufficient. The bad guys get hold of them just as quickly and find new vulnerabilities – creating new threats within days of release for security patches or online games.
- Focusing on software packages that are secure and work
We need to be more proactive. Rather than waiting until software has been published and then performing a pen test, we need to ensure that application developers understand the threat and use accepted standards (OWASP, etc.) to build code that will not be open to vulnerabilities. Getting it right first time is far better than trying to patch and fix code after the event.
The real test is does the software work and is it secure? To achieve this we may need to provide help and advice at the design stage (e.g. by defining user stories or nonfunctional requirements for security features).
- Customer collaboration over contract negotiations
Many of the projects I have been involved with include external software developers – often offshore. Even where contracts include specific cyber security requirements (and, believe me, not all of them do!), when things go wrong the remedies often involve financial penalties and long, drawn-out arguments, possibly in the public domain. Would it not be better to work together, gaining benefit from the supplier’s skills and experience, to build reliable secure solutions?
- Responding to change
To start to win the cyber arms race, we need to be more flexible and responsive – yes, we need to be more agile. I realise that this could be seen as controversial by some, but we need to move on from our role as watchdogs – saying “Yes, that threat (or iceberg) is getting bigger” – to a position where we can guide our organisations to safer ground using our skills, tools and processes to best effect. Meanwhile, the bad guys are not busy building abstract processes and tools, or writing comprehensive documentation/negotiating contracts or following a long-term plan: they are busy developing new threats and making more money.
Agile should be seen as an opportunity for IT security professionals, not as a threat. Let’s get agile, innovative, pro-active and imaginative – just like our enemy does.
Read more about the principles of Agile and how it can benefit your organisation in Chris’s bestselling title, Agile Governance and Audit.