Do techies really understand cyber risk?
The question came up after reading two recent papers published by sources you would expect to have more authority on the matter.
Cybersecurity Involves the Whole Business
Lockheed Martin, the Bethesda, Md.-based global security and aerospace consultancy and solutions provider, has positioned itself as an expert in the cybersecurity area. Its Practical Guide to Measuring Cyber Resiliency and Effectiveness (registration required), published earlier this year, provides some value but also has some major issues.
The authors suggest a seven-step process for establishing “an effective, sustainable computer network defense program.”
Let’s start with the fact that cyber is a business issue, not just an IT one.
Yet the report recommends only techies for this defense team, a team of three “highly-skilled Technical Leads and Cyber Analysts with experience in Threat Monitoring, Incident Response, Cyber Threat Intelligence, Malware Analysis, and Computer Forensics, DevOps, Analytics, and general cybersecurity and IT skills.”
Nowhere is there any mention of the need to involve business personnel.
Where Does the Risk Lie?
Consider this hypothetical situation:
Imagine we are in a conference room and hear a loud BANG from outside. We run to the window and see that a large safe has landed in the middle of the parking lot. Security guards rush to surround it. They string barbed wire around the safe, with bright lights and 24-hour monitors.
But then an executive appears and tells a guard to open the safe.
The executive looks around and spots a wicker basket against the fence, close to an exit from the lot.
He strolls over and sees the crown jewels wrapped in tissue paper in the basket.
The point? Protect what needs to be protected: before you set up a cybersecurity program or any other form of control, establish which assets are at risk.
Yet the report fails to mention any form of risk assessment.
The risk cyber poses isn't to the technology or network — it is the effect on the achievement of a business objective.
Ignoring Cybersecurity 101
The guide has additional issues, including that its analysis assumes all attacks can be detected — a big assumption, and not a credible one in my view. It also leaves out any mention of the risks introduced by mobile or cloud applications and services.
The report also omits any discussion of threats to the organization through attacks on the extended enterprise. Many organizations have outsourced services to third parties, which may themselves be at risk. Attacks on partners in the extended enterprise may give intruders access to your network and systems.
Finally, many intruders are attacking employees’ personal devices and systems — and could gain access that way.
Even the basic tactic of educating the organization to be security-conscious — including avoiding clicking on links or attachments that introduce malware, and creating better passwords — is ignored.
Where Are the Cyber Experts?
I had higher expectations of The Cyber Threat Risk — Oversight Guidance for CEOs and Boards, with its foreword by Sameer Bhalotra, former White House Senior Director for Cybersecurity, but the same criticisms apply.
The paper includes no business risk assessment and no mention of mobile or the cloud; a security-conscious culture is absent, and it ignores the extended enterprise.
While its description of the problem we face, its emphasis on detection as well as prevention, and its discussion of mean-time-to-detect and mean-time-to-respond raise the content above the Lockheed Martin post, it still falls short in my opinion.
Most of the techies I know understand my concerns, but I have to wonder when so-called "cyber experts" write and share papers like these.
I welcome your thoughts.
Title image: Matthew Wiebe