“Do not click the links in your email!”, “Do not use free wifi!”, “Do not install any 3rd party software!”, “Do not upload data to the cloud!”, “Do not enable remote access!”… how many times have you heard such warnings from your cybersecurity team? It feels like cybersecurity is just about saying NO to everything so that we can minimize our risks.
This is probably the main reason many business and technical people do not like the cybersecurity guys very much. Their rigorous security controls limit your choices and slow down your work.
So how can we, cybersecurity professionals, become a true business enabler while keeping our network, systems, and data secure at the same time?
I have to say it is really hard. Why? Because our current philosophy of cybersecurity controls is – “Trust Nothing!”
Regardless of what security solutions you are using (e.g. Firewall, IDS/IPS, IAM, DLP) or what security approaches you are taking (e.g. Governance, Risk, Compliance, Training), the guiding principle in any security program is “We trust nothing!”.
Not convinced? Let’s take a look at some common security practices in the following areas:
People are normally considered the weakest link in security. They make errors, ignore orders, and forget rules, not to mention the many bad guys and insider thieves. Because we cannot trust people, the security industry has had to come up with principles such as:
- Security Clearance – we conduct a sufficient background check before hiring people.
- Least Privilege – we only give people minimum rights to do their jobs.
- Separation of Duties – we do not allow one person to control the whole business operation.
Any technical solution carries potential security problems, such as bugs, backdoors, and vulnerabilities. Because we cannot trust a single technology, we have to follow industry best practices such as:
- Default Deny – block everything first, then open only the minimum ports, services, or applications actually needed (Whitelisting, also called allowlisting). Anything not explicitly permitted, including a service nobody told security about, stays blocked.
- Multi-factor Authentication – a password alone is not enough to verify a user. We need to add other factors such as “Something you have (e.g. a smartphone or token card)” and “Something you are (e.g. a fingerprint or facial recognition)”.
- Minimum Attack Surface – the fewer systems, applications, or services we run, the fewer security holes we have. No wonder cybersecurity people often say “No” to new or unfamiliar technologies or tools.
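To make the Default Deny point concrete, here is a small added example (my own illustration, not code from the original post) that evaluates the same constructed connection attempts under two models: an allowlist (default deny) and a blocklist (default allow). The networks, ports, rule sets, and connection lines are all hypothetical and constructed for the example; the point it shows is that a brand-new service on an unexpected port is exposed under the blocklist but blocked under the allowlist.

```python
"""Default deny (allowlist) versus default allow (blocklist).

Added illustration for the "Default Deny" principle; not from the original post.
All networks, ports, rules and connection attempts below are constructed
for the example (hypothetical values, not a real environment).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    network: ipaddress.IPv4Network  # destination network the rule covers
    port: int                       # destination TCP port the rule covers


# Allowlist: the only traffic the (hypothetical) business explicitly needs.
ALLOW_RULES = [
    Rule(ipaddress.ip_network("10.0.1.0/24"), 443),    # web tier over HTTPS
    Rule(ipaddress.ip_network("10.0.2.10/32"), 5432),  # a single database host
]

# Blocklist: what a default-allow firewall knows to be bad *today*.
DENY_RULES = [
    Rule(ipaddress.ip_network("10.0.0.0/8"), 23),      # telnet
    Rule(ipaddress.ip_network("10.0.0.0/8"), 3389),    # RDP
]


def parse_attempt(line: str):
    """Parse a constructed 'src -> dst:port' line into (src_ip, dst_ip, port)."""
    src, _, dst_port = line.partition("->")
    dst, _, port = dst_port.strip().rpartition(":")
    return ipaddress.ip_address(src.strip()), ipaddress.ip_address(dst), int(port)


def matches(rules, dst, port) -> bool:
    """True if any rule covers this destination address and port."""
    return any(dst in rule.network and port == rule.port for rule in rules)


def default_deny(dst, port) -> bool:
    """Allowlist model: permit only what a rule explicitly allows."""
    return matches(ALLOW_RULES, dst, port)


def default_allow(dst, port) -> bool:
    """Blocklist model: permit everything except what a rule explicitly denies."""
    return not matches(DENY_RULES, dst, port)


def evaluate(lines):
    """Map each attempt line to (permitted under default deny, permitted under default allow)."""
    results = {}
    for line in lines:
        _src, dst, port = parse_attempt(line)
        results[line] = (default_deny(dst, port), default_allow(dst, port))
    return results


# Constructed sample traffic, including one service that was never reviewed.
SAMPLE_ATTEMPTS = [
    "192.168.1.5 -> 10.0.1.20:443",    # legitimate web traffic
    "192.168.1.5 -> 10.0.2.10:5432",   # legitimate database access
    "192.168.1.5 -> 10.0.1.20:23",     # telnet, known bad and on the blocklist
    "192.168.1.5 -> 10.0.1.20:8080",   # new dev service nobody told security about
]

if __name__ == "__main__":
    for line, (deny_model, allow_model) in evaluate(SAMPLE_ATTEMPTS).items():
        print(f"{line:34} default-deny={'ALLOW' if deny_model else 'BLOCK':5} "
              f"default-allow={'ALLOW' if allow_model else 'BLOCK'}")
```

Run it and compare the last line of output: the unreviewed service on port 8080 sails through the blocklist model because no one had written a rule for it yet, while the allowlist model blocks it without anyone having to anticipate it. That asymmetry is the whole argument for Default Deny.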
Any business, technical, or physical procedure can be abused or bypassed. To ensure integrity, we have to build multiple security measures into the process, such as:
- Layers of Defense – borrowed from military terminology (also called defense in depth), it means we deploy security controls at several layers such as perimeter, network, host, application, and data. If attackers get past some of them, we hope at least one or two of the remaining controls will stop the intruders.
- Three Lines of Defense – coined in risk governance, many large organizations call the operational teams that own the risk the first line of defense, the risk and compliance team the second line, and independent assurance (internal audit, supplemented by external auditors) the third line. Hopefully, all three lines work together to provide assurance over the business operation.
Now you can see how the philosophy of “Trust Nothing” dominates our current security practices. It drives the design of our security controls for people, technology, and process. I would argue the conflict between business and security will last as long as this “Trust Nothing” philosophy continues to govern the cybersecurity industry.
So when can cybersecurity become a true business enabler? Could some disruptive technologies such as Blockchain or AI become the game changer?
I will share some thoughts in my future posts. Please stay tuned!