Site navigation

SECURITY. FYI: Tackling your Cyber Risk Strategically

Ian McGowan

,

Cyber Cadets

In the February edition of our SECURITY.FYI column, Ian McGowan, the Managing Consultant at Barrier Networks considers the strategic value of cybersecurity and the lessons which can be learned from failure.

In any walk of life, it is important that we learn from our mistakes and try to identify where we fell short if we want to change the outcome on our next attempt.  In an area as diverse and complex as cybersecurity it is vital that we incorporate these lessons-learned into our business strategy.

Prominent figures within the business and technology community speak freely on the benefits of failure.  Mark Zuckerberg attributed his success with Facebook to him having the “freedom to fail” stating that if he didn’t have the freedom to fail he wouldn’t have been able to accept the risk of spending his time building Facebook.  There are many perspectives one can take when it comes to failure and I’ve even heard the term ‘fail hard and fail fast’ on occasion but failure certainly isn’t something we should strive for.

SECURITY.FYI, CyberSecurity, Risk, Strategy, ArchitectureLearning from Failure

Failure provides us with valuable feedback on how we shouldn’t achieve our objective so that we may adjust our approach and have a better chance of success on the next attempt.  Failure provides us with critical information on how to succeed but it comes at the cost of failure, so it is especially beneficial when we can learn from other peoples failures and apply those lessons to our own efforts.

Yet when we look at the media coverage of Cybersecurity breaches, it paints a sombre picture of the current situation and could lead us to believe that we’re not learning from others mistakes.  It would appear that many still aren’t implementing the control measures required to keep their business information systems and data safe from attack.  The threat is real and comes in many forms, from opportunist hacktivism to state-sponsored attackers, but the end result is that our systems are always at risk of being compromised.

For many organisations security hasn’t typically been a priority or board-level conversation until recent years, but as the risk and awareness of cyber attacks grow, we’ve seen a commendable upturn in senior management taking the lead and owning the problem.  However, when you consider the history of under investment and reliance on legacy systems, it is understandable why so many struggle with the task of securing their organisation.  Improving the overall security posture of an organisation is not an easy task and it can’t be solved with a reactive approach – often referred to as the whack-a-mole approach.

When you plan for success within a security improvement program it must be conducted in two streams that work in parallel.  We must act tactically to improve our immediate risk profile but we must also plan strategically to ensure that our efforts and investment align into a longer-term objective.

SECURITY.FYI, CyberSecurity, Risk, Strategy, ArchitectureFocus on the Business

A security strategy must be tailored to support the goals of the business it serves, so an in-depth understanding of the business and its operational process is paramount.  Unfortunately, I’ve been privy to more than a few security strategies that focus on technology and solutions when instead they should be focusing on the business to ensure that demonstrable value is derived from any investment in IT.

SECURITY.FYI, CyberSecurity, Risk, Strategy, ArchitectureA business focused approach to security strategy results in better identification and classification of risk and when these risks are captured more effectively, they can be triaged and remediated appropriately which results in less effort and better results.

Don’t Reinvent the Wheel

Thankfully there are frameworks available to help guide us through the process of creating a security strategy and one that I would advise investigating is the Sherwood Applied Business Security Architecture (SABSA).  The conceptual and contextual stages of SABSA can help you to develop your security strategy as part of your over-arching security architecture.SECURITY.FYI, CyberSecurity, Risk, Strategy, Architecture

It is only by approaching our security challenges strategically that we can address them effectively.  Tactical activity will always have its place but it should be occurring as part of your strategic planning and longer term business objectives.

If you want to succeed in business you must factor in cybersecurity strategically.  Your security strategy will underpin your development and act as a handrail for the years ahead.  Plan and strive for success but remember to embrace the lessons that can be learned from failures and utilise them to improve your approach.

If you’d like assistance with your security strategy feel free to get in touch via the Barrier Networks website or give us a call on 0141 356 0101.

Best of luck in your cyber security endeavours!

SECURITY.FYI, CyberSecurity, Risk, Strategy, Architecture

Ian McGowna, Barrier Networks, WAF, AppSec

Ian McGowan

Managing Consultant, Barrier Networks

Latest News

%d bloggers like this: