There are as many different approaches to an organization’s cyber security as there are organizations themselves. The business leadership may have some InfoSec expertise, they may understand the value of data, business processes, they may have a thoughtful, measured approach to protecting information assets… or, they may not.
They may understand the threats and risks that they face, and the impact of breaches, or they may not. Worse yet, they may believe that they have solid governance on the security of their information infrastructure, or they may not.
Ask yourself, “What is my (or my leadership’s) approach?” To get to the answer, you might want to consider the following:
- What percentage of executive leadership is confident and/or fluent in information technology?
- What percentage understand the true critical value of information assets?
- What would really happen if there was a breach?
- Are there more business-related issues that are more important to address now, than protecting information assets?
- Has the business ever complained that InfoSec is all cost, with no apparent benefit?
The answers to these questions can be very telling.
Let me describe two different approaches, recently taken by two different organizations in the same industry.
Let’s refer to these example organizations as Alpha and Bravo.
Alpha has a large organizational structure. They have company leaders for the various lines of business. There is a CIO, various IT teams and a whole lot of infrastructure, and a lot of politics with incredible organizational inertia. Most of the leadership is non-technical, however, and they believe that IT represents a huge cost. Despite this, they have invested huge sums of money over the years in the infrastructure.
Bravo is smaller. Each of the leaders covers a wider portfolio. They are closer to the day to day business. Yes, there are office politics, and they do invest considerable sums in IT infrastructure.
Both organizations are successful in their industry and well respected.
Not long ago, Alpha was hit with ransomware. It was bad. Immediately after the initial infection, the malware spread to most of the servers. The result was catastrophic. Most users were unable to log-in, conduct business, or even access email for up to a week. The business came to a screeching halt for a week.
Not long after, Bravo was also hit by similar ransomware. Hardly anyone noticed. The impact was limited to a single end-point device, which was restored in an afternoon. No business was lost. In fact, no-one in the IT department thought it was significant enough to notify senior management. They never even knew it happened.
So, what was the difference?
Alpha has a large, diverse infrastructure. They spent proportionally more than Bravo on expensive perimeter prevention, detection, and monitoring. However, when the malware did eventually get in, they had very little ability to limit its scope. This is due to the following: at Alpha, most user departments control infrastructure in their own areas, and many users routinely run with admin rights. As a result, wildly different controls exist in various parts of the business, and the entire operation is very disjointed with multiple vulnerable points of entry for ransomware.
Bravo also had decent perimeter controls. But, their approach focuses on limiting the scope of impact. Hardly any users have admin rights on their machines, and networks are heavily segmented. Access to information is controlled. The network runs on the assumption that any end-point may be compromised.
Bravo effectively dealt with the ransomware because it had tighter controls on its administrative privileges and network securities. Alpha, in turn, was spread thin with the design of its infrastructure – due to lack of leadership knowledge on the subject – thus, it took longer to eliminate the threat.
Bravo’s pragmatic view was simply this. Protect the perimeter to minimize incursions, but assume the incursions will occur, and work hard to limit their possible impact if (when) they do. What would happen if some malicious actor got behind your perimeter defenses?
This article was written by Dave Ehman, an expert in Cyber Security, Aerospace and It technology, and the CTO of Centry.