I recently visited Melbourne for the first time for a roundtable hosted by CSO Magazine. I took the obligatory Yarra River cruise, wandered through the laneways, and sampled the famous coffee culture. Having grown up as a UK school kid whose evening routine involved watching the soap opera Neighbours (set in a suburb of Melbourne), it felt like a pilgrimage of sorts.
And the purpose of this trip? Getting to intellectually feast with fellow senior cybersecurity professionals responsible for protecting their respective industries: law firms, energy, telcos, consulting, higher education, and financial services.
Here are the key messages I walked away with:
1. Trust is the highest value asset we have. Folks around the room were unanimous in their opinion that identifying your "crown jewels" is the start of a robust risk management program. This means coming up with a list of your highest value assets, prioritizing them, and then protecting them in order of priority. These assets are the things that you just cannot afford to lose – they directly impact your ability to conduct business.
But then the conversation took a very philosophical trajectory. When all is said and done, the highest value asset in a lot of industries is trust itself. Lose that and you have no business. So we established that a good touchstone for “crown jewels” is the level of trust that would be lost if that asset was lost.
Think of a higher education institution like a university. Exam results, transcripts, and certificates are its "crown jewels." Out of the CIA triad, "confidentiality" is not the property we're most concerned with here; it is "integrity." If a data manipulation attack were carried out against a university, you can see why its clients (students, alumni, parents, and prospective employers of students) would lose trust in the grades, results, and certificates the institution issues, and why that loss of trust would be so damaging.
2. Security by inspiration. Inspire people to do things in a secure way. Mandates, policies, and punitive measures seem to be the way we try to encourage more secure behavior from individuals and from entire organizations. Fines for companies not disclosing breaches, fines for violations of privacy (think GDPR), minimum password length and complexity, and mandatory training videos for employees (with minimum time windows before you can click through) all represent “stick” and not enough “carrot.” Compound that with many security vendors resorting to FUD as their primary selling technique. The security leaders in the room were united in their desire to find a better way. Some have been actively looking at ways to incentivize and inspire good security hygiene such as through awards and security ambassador programs.
3. Security by simplicity. Keep security as simple as possible – but no simpler. This came up in the conversation about Zero Trust security. One of the tenets of Zero Trust is that by default you give no access, and where access is required, you give the minimum access possible (also known as the "least privilege" approach), because privileges are not actually a privilege – they are a liability. On the flip side, don't oversimplify security. The idea of a "perimeter" makes for a simpler mental model based on the traditional "inside" vs. "outside" mentality: we associate "inside" with good and "outside" with bad. However, this model is a simplification that is not only outdated but is giving folks a false sense of security. The inside vs. outside concept no longer reflects enterprises today. Luckily, more and more cybersecurity professionals are coming to the realization that bad could already be inside their environments – or will find a way in – and, therefore, the techniques of Zero Trust and default-deny should be applied on the inside too. What's more, Forrester recently reported that Zero Trust can mitigate an organization's risk by at least 37 percent.
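To make the contrast between the perimeter model and default-deny concrete, here is an added illustration (not code from the roundtable or any vendor) using the university transcript scenario from takeaway 1. The identities, resource names and grant table are constructed for the example: a perimeter policy trusts anything already "inside", while a default-deny policy consults an explicit, minimal grant list regardless of where the request comes from.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    identity: str        # who is asking (a user or workload, constructed)
    resource: str        # what is being accessed (constructed)
    action: str          # "read" or "write"
    source_network: str  # "inside" or "outside" the traditional perimeter


def perimeter_decision(req: Request) -> bool:
    """Traditional model: anything already inside the network is trusted."""
    return req.source_network == "inside"


# Explicit least-privilege grants: (identity, resource) -> allowed actions.
# Constructed sample policy; only the registrar may change transcripts.
GRANTS = {
    ("registrar", "transcripts"): {"read", "write"},
    ("alumni-portal", "transcripts"): {"read"},
}


def zero_trust_decision(req: Request, grants=GRANTS) -> bool:
    """Default deny: no explicit grant means no access, inside or outside."""
    return req.action in grants.get((req.identity, req.resource), set())


def compare(req: Request) -> dict:
    """Evaluate the same request under both models."""
    return {
        "perimeter": perimeter_decision(req),
        "zero_trust": zero_trust_decision(req),
    }


if __name__ == "__main__":
    # A compromised lab kiosk on the internal network tries to alter grades:
    # the perimeter model waves it through, default-deny does not.
    kiosk = Request("lab-kiosk", "transcripts", "write", "inside")
    # The registrar working remotely: perimeter blocks it, Zero Trust
    # allows it because the identity holds an explicit grant.
    registrar = Request("registrar", "transcripts", "read", "outside")
    for r in (kiosk, registrar):
        print(r.identity, r.source_network, compare(r))
```

The kiosk case is the integrity risk from takeaway 1 (a data manipulation attack on grade records); the registrar case shows that default-deny is about identity and explicit grants, not network location.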
Although they were fueled by inspired security professionals in a country with a pretty strong commitment to cybersecurity, these takeaways are universal in nature – regardless of industry or hemisphere, they're key considerations for all organizations.
For resources related to takeaways:
- Watch this video or check out this paper for more on the importance of identifying and securing your organization's crown jewels.
- Download Forrester's Zero Trust Report: Forrester Wave™: Zero Trust eXtended (ZTX) Ecosystem Providers, Q4 2018.