Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

All Information Security Is Cyber Security. All Information Security Must Change.

Cyber security is a nation-first, vendor-second issue. Recent events have frighteningly underscored the requirement to fundamentally rethink our approach to information security lest our economy, our very way of life suffer drastically.

Cyber security is a nation-first, vendor-second issue. Recent events have frighteningly underscored the requirement to fundamentally rethink our approach to information security lest our economy, our very way of life suffer drastically.

Cyber incidents are a form of terrorism: They can strike an open, digital society in ways not yet imagined when the security systems built to protect us were designed. To maintain an open society, we must first recognize that all information security is now cyber security, and, secondly, much is going to have to change.

The Office of Personal Management (OPM) breach was the digital equivalent of a major terrorist strike. While 2014 was the year of the hack — and pervaded much of the tech industry and business news cycle — the scale and scope of the OPM breach brought home for a large number of Americans that cyber defense could shortly become the fifth branch of our military.

Just as we re-examined and retooled the security of our transport systems post 9/11, we must take a parallel approach to data security. We must start with a blank page and build a cyber security posture that parallels the dynamic requirements of today’s environment, rather than focusing on protecting the technology of a generation ago. It is sadly ironic that the intrusion detection system that monitors the network traffic of government departments is called EINSTEIN. While the government program has not changed very much in a decade, the real Einstein gave his definition of insanity as “doing the same thing over and over, but expecting a different result.”

Information Security ChallengesGoing forward, we must focus on these six principles of the current cyber threat environment:

1. All security is cyber security. CISOs now must evaluate the IT “risk pyramid” and potential kill chains to understand their cyber attack surface. The entire IT landscape is now under attack. It requires a new trust and security model that builds consideration of the new threat environment into the design and use of IT.

2. Threats come mostly from the inside out, not the outside in. Eighty percent of cyber security breaches are aided and abetted by insiders or weaknesses in internal systems, yet the majority of an enterprise’s security spend is focused on protecting the perimeter. Relying solely on the perimeter infrastructure layer is an invitation to continued failure. This asymmetry of spending and focus on the perimeter of the data center vs. the interior must change.

3. The speed at which security systems adapt is as important as how well they detect and prevent. Cyber security must focus as much on agility and adaptation as on detection and prevention. Not every attack can be prevented, but adaptive systems can more rapidly address breaches before critical data is exfilitrated. The faster an adaptive system detects and deals with a breach or piece of malware, the less damage that will occur

4. Everything is untrusted. In today’s environment, the assumption should be no-to-yes vs. yes-to-no in developing trusted connections among users and systems. This is true in inter-server connections or using two-factor authentication in accessing SaaS applications. While this may cost some convenience — and perhaps some time — in business operations, the price of not doing this is too high.

Advertisement. Scroll to continue reading.

5. Security must be built into the fabric of computing. Today we have an application development process where someone creates an application, another party on-boards it to the infrastructure, and a third party determines how to secure it. This series of handoffs increases risk and creates bureaucracy in dealing with any changes or updates to applications. Security must be conceived and applied “upstream,” not as an afterthought.

6. The public/private partnership must be rebuilt. In the post–NSA revelation era, the level of trust between Washington and business is inversely proportional to the need we have to cooperate and collaborate. Because of the thin line between national security and economic cyber issues, it is time for a renewed partnership between the private and public sectors.

These six areas of how security must change in the cyber terrorism era are just the starting point. There is absolutely no doubt: All information security must change.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem