[Author note: 2019-20 has had one of the most horrific fire seasons on record in Australia, with significant loss of life, loss of property, and overall impact on the national psyche. While I believe the parallels and metaphors used in this article are valid, I equally don’t want to downplay for one second the importance of real firefighters and real fire management. If you chose to spend less on cyber security this year and give the difference to the RFS, I’d probably be OK with that right now. Anyway… back to business…]
In Australia, we are unfortunately used to the idea of a fair swathe of our sunburnt country catching fire each year. Minimizing the likelihood of a fire is extremely difficult. Minimizing the consequence of a fire is a more realistic goal, although as we’ve seen this year, still not an ‘easy’ goal to achieve when the weather is against you. One of the key techniques used in fire management is back burning, also known as 'controlled burning', which involves starting small fires in an intentional way, to reduce the amount of fuel that's available to the real uncontrolled events.
Cybersecurity has similar dynamics.
With Big Data driving organizations toward a “store first, ask questions later” data approach, it’s time that we look at the concept of back burning our data environments to reduce the fuel for the ‘fire’ that may happen sometime in the future.
As security leaders kick off the New Year with fresh perspectives and goals aimed at measurably reducing cyber risk within their respective organizations, it may be time to revisit data protection strategies. Below, I’ve highlighted five key areas to focus on to take an adaptive approach to cybersecurity as our lap around the sun once again begins.
1. Take Stock of What You Have
When working with our customers, we find a tendency to overinvest in security technologies, particularly whatever the shiniest solution is at the time. Organizations end up with a huge range of technologies that they have often never fully implemented or operationalized. When we go in from an audit perspective, we often find massive gaps in an organization’s maturity, and the gaps aren’t there because it lacks solutions; they’re there because it isn’t using the solutions it already has to their full extent.
Organizations really need to take advantage of the fact that they can get a lot more value out of their existing cybersecurity program without spending a lot more money.
2. Back Burn Your Environment
Back burning, or ‘hazard reduction burns’ as they’re sometimes now called, is a concept that is particularly relevant in Australia right now, but just as relevant across the globe, since many other countries aren’t immune to forest or brush fires either. Australia is in early summer, bushfire season is well upon us, and it is causing a lot of very serious problems.
The back burning concept is this: when things are calm, and not on a hot, dry, windy day of which we’ve had far too many in the last few weeks, take the opportunity to do a controlled removal of the leaves, sticks and dry material that could become a threat when things are bad.
The parallel here is ‘back burning’ your data environment. So much of the last five years has been about Big Data and aggregating all of the data you can; even if you don’t know what you’ll use it for, you keep it for down the road. This has resulted in organizations keeping massive amounts of data they don’t need. Often the data has no owner, is out of date, or is stored in antiquated systems. All of this presents a significant exposure to data breaches. By back burning your environment, you look at what you have in place and get rid of the data that presents an exposure without any real benefit to you. You reduce the ‘hazard’ of data being breached simply by no longer holding that data.
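As an added example (not code from the original post or from Security Colony), here is what a first ‘hazard reduction’ pass over a file share can look like in practice. It classifies each file as keep, review or remove from the three signals named above (no owner, out of date, past its retention period) and stages removal candidates into a quarantine directory with a manifest instead of deleting them outright, so the burn stays controlled and reversible. The inventory map, the 90-day default for unregistered data and the 365-day staleness threshold are constructed assumptions standing in for a real data classification register.

```python
"""Added example: a controlled 'hazard reduction' scan over a file share.

Classifies files as keep / review / remove and stages 'remove' candidates
into a quarantine directory (with a manifest) rather than deleting them.
Owner and retention data come from a constructed inventory map, not a real
classification register.
"""
from __future__ import annotations

import json
import os
import shutil
import sys
import time
from dataclasses import dataclass
from pathlib import Path

DAY = 86_400
STALE_DAYS = 365  # assumed threshold: owned but untouched for a year -> review

# Constructed inventory keyed by path prefix: (owner or None, retention in days).
INVENTORY = {
    "finance/": ("finance-team", 7 * 365),
    "marketing/": ("marketing-team", 2 * 365),
    "legacy-export/": (None, 90),  # nobody claims it; short retention by policy
}


@dataclass
class Decision:
    path: str
    action: str  # "keep" | "review" | "remove"
    reason: str


def lookup(rel: str) -> tuple[str | None, int]:
    """Owner and retention for a relative path. Unregistered data defaults to
    'no owner, 90 days' so it is surfaced rather than silently kept."""
    for prefix, meta in INVENTORY.items():
        if rel.startswith(prefix):
            return meta
    return (None, 90)


def assess(rel: str, mtime: float, now: float) -> Decision:
    """Apply the three signals in priority order: retention, owner, staleness."""
    owner, retention = lookup(rel)
    age = (now - mtime) / DAY
    if age > retention:
        return Decision(rel, "remove", f"past retention: {age:.0f}d > {retention}d")
    if owner is None:
        return Decision(rel, "review", "no identified owner")
    if age > STALE_DAYS:
        return Decision(rel, "review", f"owned by {owner} but untouched for {age:.0f}d")
    return Decision(rel, "keep", f"owned by {owner}, within retention")


def scan(root: Path, now: float | None = None) -> list[Decision]:
    """Walk the share and assess every file by its last-modified time."""
    now = time.time() if now is None else now
    decisions = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            decisions.append(assess(rel, p.stat().st_mtime, now))
    return decisions


def stage_removals(root: Path, decisions: list[Decision], quarantine: Path,
                   dry_run: bool = True) -> list[str]:
    """Move 'remove' candidates into quarantine and write a manifest.
    With dry_run=True nothing moves; the returned list shows what would."""
    staged = [d.path for d in decisions if d.action == "remove"]
    if dry_run:
        return staged
    quarantine.mkdir(parents=True, exist_ok=True)
    for rel in staged:
        dest = quarantine / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(root / rel), str(dest))
    manifest = [{"path": d.path, "reason": d.reason}
                for d in decisions if d.action == "remove"]
    (quarantine / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return staged


if __name__ == "__main__":
    share = Path(sys.argv[1])
    for d in scan(share):
        print(f"{d.action:7} {d.path}: {d.reason}")
```

Run the dry run first and review the ‘review’ bucket with the business before flipping `dry_run` off; keep the quarantine directory outside the scanned root so a rescan does not pick the staged files up again, and only delete the quarantine once its manifest has been signed off.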
3. Re-focus on What’s Important
Security is a massive field. One of our key taglines is “Supporting the need for security collaboration.” None of us can solve the security problem on our own. I genuinely believe that no organization can actually spend as much as they would need to spend to fully secure their environment. Once an organization goes through the back burning exercise, the next logical question is, “Of what’s left, what is more important to secure?” If you have limited resources, make sure you’re applying those limited resources on the problems that matter the most.
4. Get Help
Once you’ve back burned the environment, gotten rid of the data you don’t need and realigned your focus, the next step is leverage: getting a multiplier on the security investment you’ve already made or will make. If you accept that we all have limited resources, then a two to three times return on what you’re spending makes a massive difference to a security program. That multiplier effect comes from things like managed security services, which share the significant capital cost across many customers, and from external expertise and collaboration platforms (yes, I am of course promoting Security Colony – www.securitycolony.com). Leverage is key.
5. Measure, Measure and Measure Again. And communicate.
Metrics are always going to be a challenge, because cybersecurity is a complex area. Even looking at the points discussed so far, how would you define a metric for the risk you’ve reduced by back burning an environment? You can report how much less data and exposure you have, but that doesn’t guarantee you won’t have a breach. The challenge with all of these is that the people asking for the metrics and reporting want something that gives them comfort that they won’t have an incident.
From the perspective of a security leader, the honest message is that we can’t deliver that assurance, but we can demonstrate that we are making good decisions and have a mature program in place that effectively manages the risk. The risk is not going to be zero. The best way forward is a metrics approach that is discussed and agreed upon, so that the practitioners who put the metrics together and the business leaders who receive them share an understanding of what each one represents. Have that discussion up front about your metrics and what they communicate about the business and the security program itself.