SECURITY STRATEGY – MYTH-BUSTER: PART #5



FAIRY TALES FROM REALITY

There are no silver bullet solutions out there that will “fix” your organization and make it 100% secure. That defensive or offensive security solution that fixes everything doesn’t exist. Unicorn security solutions don’t exist, not yet, at least. InBeforeQuantumSecurityUnicornSolutionsEnterTheMarket.

They, those “100% secure things”, exist in fairy tales, and the closest we often get to witnessing one of those fairy tales is in the PowerPoint security presentation. In PowerPoint-land, everything works and everything is 100% secure. But here comes the catch. Security doesn’t exist in PowerPoint-land; it exists in reality, and it is there that it must work. It almost feels lame to write this, “100% secure doesn’t exist”, but this is something people (security and non-security) here and there still believe exists.

A security strategy is only as good as it is capable of delivering value through its execution. Yes, this is how it is. If the things written on that fancy-looking paper or presentation can’t be translated into execution, there is less “value” derived from it.

Whenever someone comes in, makes bold (salesman) promises, slaps the hood of that new shining offensive/defensive/compliance/risk/<insert> security solution and says “100% secure!”, that is the time for those critical thinking brain cells to fire really fast. This thing doesn’t exist, simple as that. If someone out there tells you otherwise…think again. And yes, I’ve seen customer agreements and commercial contracts where companies have stipulated things like “100% <secure/availability/protection/…>”.

The condition “100% secure” only exists in PowerPoint-land.

A security strategy is not something magical either. It is not something that replaces things or comes in and makes bad shit go away. But, if it’s developed based on the needs of your organization and maintained in a continuum, I am a strong believer that this is one of the most potent security capabilities an organization should make investments in. I think the development of security strategies is many times butchered, though. They become something developed by, only applicable and understood by, the cybersecurity team. Far away from optimal. Far away from how it should be done. But this is very close to reality.

And I’m fine with it if you, reading this, don’t agree with me. I’m not here to start a debate or claim to be the one and only person out there who knows how to make organizations protected and resilient. I’m here to share what I’ve found to be sustainable and effective ways to increase protection and resilience.

I don’t believe in going out in the dark and swinging, i.e. not having a plan. That is, though, for sure one way to do it, and how many organizations choose to do it. It’s not up to me to change how each and every organization out there approaches the subject of security strategy. This is up to you as a security leader in your organization. You are there to support your organization in becoming successful. You are there to ensure current and future security readiness. The world is not on pause and will not be waiting for you and your organization to catch up. The bad guys don’t leave your organization off the prospect list just because you don’t have your things in place.

Start doing something; small investments in that strategy thing may have a very high upside when it comes to your organization’s security posture and resilience.

MYTH-BUSTER: PART 5

A security strategy will ensure our organization will never be breached!
No, these guarantees don’t exist. But having a security strategy developed based on your organization’s needs and requirements should reduce potential negative business risk and the impact…that might come as a result of a breach, e.g. adversaries attacking and successfully infiltrating your organization.

A security strategy will ensure our organization is compliant with industry standards and regulations.
Yes, if the security strategy is developed and operated based on the requirements found in those standards and regulations. Keep in mind that compliance and regulatory requirements change over time. I think there are better ways out there to ensure requirements fulfillment from a regulatory compliance, standard, or framework viewpoint. *Hint* You will find it hard to keep your strategy aligned with external changes.

A security strategy must be developed on the principles of “threat-informed defense”!
No, there are no such rules out there. It will, though, most likely benefit your security strategy to contemplate and make some threat-informed decisions based on actionable insight.

A security strategy must consist of investments in offensive security capabilities!
No. But if an organization, for example, is obliged to conduct yearly security testing of its critical infrastructure due to regulatory requirements, it makes perfect sense to ensure there is a long-term plan and sanctioned monetary resources put aside to mature and develop the capability in a continuum.

We managed to detect and respond to the latest red team engagement our third-party conducted towards our organization. We don’t need a security strategy; we are protected.
100% protection doesn’t exist. If you and your organization managed to detect and respond to the latest and most advanced red team engagement, it validated that you were able to detect and respond to that specific threat and APT (Advanced Persistent Threat) simulation or whatever. A red team engagement is just a snapshot in time. Attacks change over time. New forms of threats are developed. Successfully detecting and responding in a red team engagement doesn’t eliminate the need for a security strategy; it tests the blue team’s capabilities and some of your organization’s security measures.

The threats towards our organization come from the outside; this is what we will base our security strategy on!
Threats come from inside and outside; they may be intentional or unintentional. A security strategy should reflect each of these perspectives and do so in relation to an organization’s threat profile.

We have implemented the latest security technologies with advanced AI capabilities; we don’t need a security strategy.
No. Security technologies with AI capabilities don’t eliminate the need for a long-term security strategy. The same goes for the implementation of foundational security measures. The future isn’t on pause just because your organization isn’t prepared for it or plans for it.

We have implemented MFA (multi-factor authentication), we can’t be breached, and we don’t need a long-term security strategy!
Fail. The implementation of a security control is not equivalent to a security strategy; it might, though, be an outcome of one or several initiatives within the security strategy. And this statement is not true either. MFA doesn’t eliminate the need for a long-term security strategy. MFA is a strong foundational security capability that should be a part of each organization’s operational security measures. A good long-term security improvement, related to identity & access management, would be to move away from passwords completely and, whenever possible, go passwordless. Most organizations need a long-term plan to be able to reach this point, to go passwordless.

We have EDR implemented, we can’t be breached! We will detect if an adversary gets inside our organization.
Not true; see the answer above. And a word on evading and bypassing modern EDR: this is fairly simple these days. There is plenty of research and proof-of-concept work by security researchers explaining and showcasing how this is done. 100% protection doesn’t exist.

We don’t need a security strategy, we only need to invest more money in security testing, penetration testing, red teaming etc., to ensure we are protected and resilient!
No. This will not guarantee how well you and your organization are prepared for the future in the long term. Operational risks and security measures are key to being Gucci, but throwing all your dollarz at offensive security is not something that eliminates the need for a security strategy.

EPILOGUE

What should our security strategy consist of? Your organization should spend and do the necessary investments in those security initiatives that you, as a security leader and strategist, together with your stakeholders determined to be needed based on your organization’s requirements. Read this sentence once again and contemplate.

The condition “100% secure” doesn’t exist anywhere else besides in PowerPoint-land. It is kind of a fairy tale.

Ask yourself what your organization needs. Don’t guess blindly or let someone else out there tell you, “This is how your security capabilities need to look!”. I am, though, a believer that almost every organization should benefit from some form of foundational security capabilities. What they mean, or in what form they come in the end, is up to you, together with your stakeholders, to find out. For example: how should IAM, vulnerability & patch management, least privilege principles, yada yada be implemented?

An organization building and developing software will most likely have somewhat different requirements and needs compared to an organization that is operating in a completely air-gapped environment and selling ice cream. You get the point here. You, as a security leader and strategist, are responsible for finding out and forming your security strategy based on your organization’s needs. This is not a textbook copy-paste exercise. It is up to you to do the work together with your stakeholders to find out and understand what you need. Start now and do it together. Teamwork.

Henrik Parkkinen