Page 82 - SyI Quarterly - Q3 and Q4 Edition 2023

Cyber Updates
           It is not about Technology Operations

           Most of the focus and effort in security goes into the operational side. Monitoring and detecting
           vulnerabilities in existing systems through scanning and penetration testing is a standard in
           almost all compliance frameworks. It is not that there should be no focus on these, but they are
           the easiest areas to measure and pour technology into – while simultaneously providing the
           smallest security improvements. Worse, many of the measures used are taken as targets with a
           lack of understanding of the issues that underlie them. Without that understanding targets may be
           met, but the fundamental issues that make attacks possible continue to go unfixed.

           It all goes back to a common statement – Cyber Security isn’t about the technology, it’s about
           people.

           It is about the People


           Ultimately every Cyber Security incident involves a human attacker and a human target.
           It may be that the attacker is trying to use deception to trick the target into taking a harmful action,
           which is far and away the most common source of incidents.

           It may be that they are relying on a past mistake made by the target that has not been detected
           and corrected, with misconfigurations being the second most exploited attack vector.

           It could even be the attacker exploiting a mistake made years before, much further up the supply
           chain. We have recently seen the breaches at BBC, BA, Boots, and many others traced back to a
           vulnerability in file transfer software which was, in turn, used by their payroll provider.


           The problem that often comes in with the complex tools and expensive blinky boxes is that they
           are purchased by security teams. They are then looked after by security teams, and occasionally
           reports and discoveries of weaknesses get thrown over the fence for the rest of the business to fix.

           Meanwhile, the rest of the business has its own concerns and priorities, and so the security fixes
           go on the back burner until suddenly everything goes wrong and there is a news headline with
           your company’s name on it.

           How do we fix it?

           Improvements are happening, albeit slowly. Concepts like DevSecOps, while often touted as
           buzzwords, hit on key points about integrating security and security expertise into the design team.
           More people are entering the GRC area of Cyber Security and rapidly discovering that they can make a
           greater, and more needed, difference there than by sitting on the tools themselves. Awareness is
           growing and the right conversations are happening more and more.

           We need to shift our focus. Instead of pouring the lion’s share of resources into monitoring,
           detection, and recovery once an incident happens, we need to build security into the other stages.
           On the design side, development teams need embedded, integrated security skills and tools, and the
           incentives to apply them rather than letting speed trump everything. We need to be designing and
           building systems that are resilient against Cyber Security incidents, where we prepare for failure
           and ensure it is contained rather than catastrophic.


           All these aspects are ones that have been encountered and dealt with by the wider security
           industry for years, so most of all we need to start learning from our cross-domain colleagues.
