Splitting the risk profile into operational and security components is necessitated by the significantly different factors that make up each. Operational risk is still built, for the most part, from the same metrics and inputs that are present in a non-cyber business, but security risk has a far different shape. As discussed before, this is the difference between passive risk calculation and the kind of risk one calculates in an ongoing war. In all cases the risk is calculated against experiential data, and that is crucial when it comes to cyber business. Analyzing security risk for cyber business means that the characteristics of the security setup, its techniques, processes, and personnel all need to be considered in the analysis.
While some of these trackable characteristics are commonplace and similar to those used in other forms of organizational analysis, some require more discussion to be fully understood. One of these is security complexity. The term loosely refers to the number of differentiated pieces, or “moving parts,” present in a security practice that must work together smoothly to achieve optimal protection.
Aspects of security complexity that SIL has tracked for decades include the topologies of protection and process within organizational security practices. Simply stated, this is the ongoing monitoring and evaluation of an organization’s ability to protect itself: what is delivered in the infrastructure and baseline, coupled with the add-on layers that make up the remainder of the strategy for asset protection and assured operational continuity. From this perspective, what an organization starts with and what it has available to build with are important distinctions for effectiveness, as are the costs and the vulnerability profile that result.
As the face of computing and business has changed over the years, so have the available options and strategies for deployment in the security arena. Advances in threat detection, threat containment, and damage remediation have been an increasing focus of a large segment of the digital community for many years.
Only in the last four to five years has this concern percolated up to the executives who set organizational strategy. A large number of well-publicized incursions, and the significant cost of remediating them, have translated technical threats and risk into the financial profile that most executives expect as input to decision making. That translation has raised the profile of security to the C-suite.
The number of incursions is skyrocketing, and the acknowledged damage to organizational operations and revenue is growing even faster. Comparing the monthly count and cost of incursions reported today with those reported 10 years ago, using figures from the worldwide Global Security Watch (GSW), organizations are experiencing roughly 1750 times the number of attacks and are coping with over 760 times the financial impact.
Despite rocketing staffing needs for security personnel and exploding security budgets to pay for new types of protection, the warfare being conducted on the pathways of cyberspace shows no sign of resolving or going away. Adding more layers of protection does not appear to be the answer. The very presence of the layers increases the number of vulnerability points in the organizational armor: every place where multiple applications have to interact presents a possible entry for an informed cyber criminal. Granted, a new layer’s entry points are initially unknown to attackers, so it can be a significant delaying tactic in this kind of war. Eventually, however, each of those vulnerabilities is found and exploited.
Adding to the confusion, the accumulation of security layers creates a complex management challenge for personnel. Additional layers = complexity, complexity = chance of error, chance of error = increased breaches. As complexity goes up, efficiency and productivity go down: there are more human errors, and integrating packages and applications later becomes harder. This is a design architecture that is ultimately doomed to fail.
Brilliant minds have been struggling with this problem. Their efforts have produced more efficient bolt-on security and innovations in management visualization. Service organizations have sprung up all over the world to assist with threat detection and pattern analysis. Unfortunately, none of this is altering the face of the cyber warfare being conducted against every business on the Internet.
In fact, the good guys, the businesses trying to maintain operational integrity, are losing ground.
Recently, at a symposium for security strategists and innovators, this very topic came up. There was no dispute about the tracking numbers, because everyone there knew that the pattern was real and that the problem is not only immediate but becoming more critical. Most of the discussion circled around a rather plaintive question: “So what do we do?”
Obviously, doing more of the same is not working and will not work in the future. In fact, the more heavily an organization invests in layers of protection, the harder it becomes to actually operate as a business on the Internet.
When situations like this have come up in the past within the digital world, the same pattern of escalation and stress has occurred. Smaller versions of this kind of pent-up problem, followed by breakthroughs, have been seen in the storage arena and, in recent years, in the advent of multithreaded computing topologies. In each case, getting to the next level has required a fundamental change: not a change to the adaptive technologies that are applied in layers, not a change to a specific tool, but something that shook the foundation of the field.
What would be a fundamental change to the field of security? What would radically change the balance between the attackers and the attacked?
It would seem that the seeds of this type of change may already have been planted. Perhaps this change is being played out right now before our eyes, almost incidentally, in a field that nobody set up as the test bed. Perhaps we just haven’t learned yet how to apply it and how to incorporate it.
Encryption. At this moment, the encryption of data and transactions is occurring every second of every day, all around the world: not so much in the data centers and information-handling locations, but on mobile devices.
In fact, a much larger percentage of the data handled by our cell phones and tablets is encrypted than of the data in transit to, or at rest in, our data centers and laptops. The default level of encryption across those environments differs substantially. When a broad base of cell phones, tablets, data centers, and laptops was examined for encryption and security, the comparative results were surprising. Across the 6.8 million platforms compared, even with unlocked and more vulnerable Android devices included, data and transactions were up to 25 times more likely to be encrypted and protected on the cell phone in your pocket than your business financials sitting in the cloud.
Similar findings showed that encryption of processes, transactions, metadata, and data storage is likely to be a foundational protection on your mobile device. The important word here is “foundational”: it means that without any additional layers of protection, and without any extraneous effort, that information is harder to subvert, steal, or damage. One caveat belongs here: encryption at rest of this kind protects data against loss or theft of the device and against direct reading of its storage; it does not by itself protect data from an application that has already been granted access to it, or from an attacker who holds the unlock credential.
The drive to support consumers, most of whom are not highly technical, at least when it comes to security, has created a different approach to cyberwarfare, mobile style. Creating a foundational protection through encryption is not a new idea; it has long been known to be very successful. Some encryption within the operating system has been employed as part of mainframe architecture since the 70s. Even though that encryption was not driven by a need for protection, its origin as part of the foundational control of an operating system serves two purposes: operational mechanism and intrinsic protection.
Other architectures in the normal business world do not employ that type of mechanism. Since foundational encryption is neither unknown nor impossible, the detrimental factors up to now have been the expense and the adverse impact on performance and speed.
At a point in time when performance degradation from security layers is approaching 38% in many organizations, and when the cost of security has increased by two orders of magnitude in the last seven years, perhaps it is time to reevaluate the approach to security: to look at fundamental, foundational changes that will change the battlefield.
Change the game. A shift from a barely encrypted, multilayered environment to one with a foundational encryption mechanism is a branch point off the security path the industry has been walking for many years.
If the creative investment of the innovators in the security field and the experts in operational encryption can be directed toward creating an all-encompassing, more pervasive encryption, the resulting simplification of security processes and reduction in vulnerabilities would provide relief to organizations desperate for assistance. It would fundamentally change the risk of doing business in cyberspace.
Risk and benefit. Every business examines these every day to decide which way to go and what decision to make. If the paradigm shift is being considered, both the cost and the risk need to be addressed.
Given foundational and pervasive encryption, how would the risk profile change? Where would the cost come from and how large would it be? This becomes the bottom line business justification.
This post will continue with CyberBusiness – Impacts of Encryption next week.