Cybersecurity: what is the best solution?
An organisation’s cybersecurity strategy acts as the ‘glue’, or perhaps the ‘why’ for an entire programme; but a question I’ve heard being asked by senior management when trying to implement their cybersecurity strategy is ‘what is the best solution?’. Of course, once a strategy has been agreed upon, and high-level policies written, the next step is to implement the right set of controls to allow the organisation to achieve their security goals, as expressed in their security strategy. Clearly, making the right choices at this step will directly impact how well the organisation’s cyber strategy is purposed as well as the operational effectiveness of those controls.
So, for an organisation, what will be the best solution? Unfortunately, the answer to this, as so often, is “it depends”. This is not a ‘consultant’ answer; it genuinely reflects the care that is required in the solution selection process, with the technology to be deployed being only part of the consideration. Even with best practice guidance from the vendor at implementation, operational effectiveness of solutions can vary significantly. One key reason for this is how effectively the solution is managed by the organisation, which must include its integration into existing processes.
Business and security architects rarely have the privilege of working on true ‘greenfield’ sites, those (often imaginary) locations which do not already have existing infrastructure, systems and operations management capability. For most engagements, the current operational environment has to be factored in. By the time a security architect makes first contact, an organisation may have undergone multiple rounds of mergers and acquisitions, spin-offs and reorganisations. Stakeholders involved in the original system setup and implementations could have left the organisation, taking with them expertise and rationale. Furthermore, in many organisations, operations may have been outsourced to one or more third parties. Even with the most conscientious service transition management teams, not all I’s will be dotted and T’s crossed. I have had the dubious honour of working on engagements where the discovery phase has unearthed more than just a few surprises!
Once there is clarity on the existing infrastructure and operations capability of the team – the latter of which is often overlooked – work can then start on identifying the “best” solution for the organisation. If a part of an organisation has already implemented a solution which supports the security strategy, and the solution is proven to be effective, it will be far less disruptive to the business to expand and augment that solution across the wider organisation if feasible. This would certainly be far more efficient than identifying, sourcing and establishing new deployment and operations capability. Whenever a new solution is deployed, there will be a steep learning curve, typically accompanied by significant lessons learned. Don’t forget the value of a strong project management capability to support technology or large-scale process deployment!
I am very much pro-innovation, and will take every opportunity to explore novel solutions; however, within an operations environment, experience has shown that a pragmatic approach is often the best option. Indeed, one of the underlying strategies of many mergers and acquisitions is to acquire new capability quickly. However, when there is evidence that the existing technology or system can no longer adequately address the organisation’s security requirements, then new solutions should absolutely be explored.
To answer the original question, the following steps need to be explored, the findings from which will form the foundation for defining the best solution for an organisation:
1. Review the existing operations environment and operations capabilities.
2. Conduct a review of corporate assets.
3. Classify assets and quantify their value; it is not possible to protect absolutely everything, so categorising assets which should be protected will provide focus.
4. Deploy a layered approach for protection; resources should not be deployed at a single layer/location, and the most valuable assets should be protected by more layers than less valuable assets.
5. Articulate solutions with options, best done in non-technical terms, to senior management and decision makers.
6. Obtain buy-in from affected stakeholders; even technical solutions have human elements. When teams do not feel engaged or consulted, the time and effort for implementation is significantly higher.
7. And, perhaps most importantly: understand whether the locations under consideration for new solutions are under the organisation’s management or under third-party management; this will significantly affect the implementation approach.
Dr Wendy Ng, CISSP, CCNP; 6th July 2018