To paraphrase Frederick the Great, who died in 1786, 'He who defends everything, defends nothing'.
Let’s discuss a single word: Compromise.
When we think of the word compromise, what do many of us think about? Perhaps, if we are pessimistic, we think about what we have given up or what we have lost? Perhaps we have lost an argument, or a fight. Maybe those of us in cybersecurity think about a data breach? However, if we are optimistic, maybe we think about a successful resolution – perhaps one in which most of the people, most of the time, achieve something positive?
For far too long in the cybersecurity industry, the broad topic of security has been treated as binary, at least from the point of view of a non-technical, Board-level executive. The Board ask “Are we secure?” and they then expect a 'yes' or 'no' answer (generally a 'yes'). The standard expectation and narrative placed on cybersecurity teams has traditionally been: protect everything and make it impregnable!
This has led to a number of assumptions and approaches that have since proved to be misguided. Let’s briefly discuss four of these.
The first is that perimeter security has traditionally been the focus. Outside the perimeter is bad and unsafe; inside is secure and safe. Numerous reported large cyber incidents have shown that no perimeter is ever secure enough, and that once an attacker is inside, lateral movement is easy precisely because the 'inside' is implicitly trusted. The pandemic, the associated increase in remote and hybrid working, and ever-greater cloud adoption have also radically challenged the perimeter-based approach, since users, devices and workloads now routinely sit outside it.
Secondly, cybersecurity spend has predominantly been on technology solutions: the acquisition of all the latest and greatest 'magic boxes' (SIEM, EDR, MDR, XDR, SASE, BAS, IDS, IPS, SEG, DAM, UTM, VPN, NGFW, WAF... the acronym list is endless). More mature organisations are only now realising how poor the Return On Security Investment (ROSI) of many of these solutions has been, both financially and in terms of security efficacy; a tool that is bought but never tuned, monitored or acted upon adds cost without reducing risk.
Thirdly, there has been an ever-increasing focus on higher levels of security compliance. Assurance activities often focus on determining the presence of controls rather than their efficacy, yet a control can be 'in place' on paper and still fail against the attacks it is meant to stop. Can we really provide improved security via more and more checkboxes?
And lastly, cybersecurity professionals have used FUD (fear, uncertainty and doubt) to drive internal spend and change, largely from an IT point of view: the IT ‘tail’ trying to wag the Business ‘dog’. There remains a deficit of mature, risk-based Board-level dialogue on cyber risk. This is partly because cybersecurity professionals tend to be very technical by nature, and partly because the industry lacks a genuinely pragmatic way to articulate ROSI.
However, maybe there is another way? Perhaps, instead of trying to attain a near-impregnable level of security, we need to accept that life is very rarely absolutist. We cannot protect everything. In fact, we need to embrace the concept of compromise!
So, what does accepting a 'state of compromise' look like in cybersecurity? It should mean that we recognise we cannot protect everything all of the time, and that we therefore need to be resilient (able to return to a normal state after an incident) by focusing on detection and response. We call this adopting the mindset of Digital Resilience.
What are the key aspects of Digital Resilience?
Firstly, as already stated, rather than simply PROTECT, the focus moves to DETECT and, most importantly, RESPOND. Taking a backup is arguably the most pointless task in IT, yet restoring from one is arguably the most valuable; a backup that has never been test-restored is of unknown value until the day it is actually needed.
Secondly, it is about replacing the perimeter with identity: granting access on the basis of who (or what) is asking, and in what context, rather than on where in the network the request comes from. Aspects of the zero-trust model, if you will.
Thirdly, adopting the mindset of Digital Resilience should allow cybersecurity teams to move from being the Department-of-No to a genuine enabler of the business.
Fourthly, the organisation can move from a focus on security compliance to security maturity, with emphasis on the efficacy (not just presence) of security controls.
And finally, ownership of cybersecurity risk can sit with the Board, as with every other operational risk faced by an organisation.
If we assume a state of compromise and focus on detection and response, the mindset and culture of the organisation can evolve. Cybersecurity becomes a genuine business enabler focused on security maturity, with meaningful, risk-based communication between security leadership and the Board, and with the Board owning the cyber risk.
These are the objectives of Digital Resilience which we would argue is a more mature, pragmatic, and effective mindset for organisations to adopt.
Frederick the Great also said 'It is pardonable to be defeated, but never to be surprised.' Perhaps if we were all to assume a state of compromise, maybe we in cybersecurity wouldn't always be quite so… surprised.