Brilliant OECD study

Great piece of coherent common sense on cyber security and risk from the OECD, of all people. Certainly a recommended read; its conclusions include:

  • The use of language is exaggerated, and misused statistics lead to grossly misleading conclusions.
  • The probability of an actual cyber war is “unlikely”.
  • Cloud computing creates security problems.
  • The effects of cyber attacks are difficult to predict.
  • Cyber espionage is one method of spying; it is not “a few keystrokes away from cyber war”.
  • The software industry releases too many products that have not been properly tested.

Their recommendations make sense too:

  • Extend good old-fashioned police and forensic resources.
  • Funding response through the CERT community is the most likely means by which a large-scale event will be averted or mitigated.
  • Beat up the software industry with government buying power to get less buggy products.

When you step past the hyperbole and the plain ridiculous, you step into the real world of security. Once you realise that the ability to respond is the most critical component, you can start thinking about the mechanics of how that response can be achieved. Logically you end up with a need for high-quality visibility; after all, if you can’t see it, how will you fix it? Maybe it’s too obvious, but it seems to me the most underrated products in our industry are visibility tools.

This principle is true at every level of disaster and risk management. It’s true for nation states, and it’s true for small networks. Predicting every possible disaster might be theoretically possible, but the budget to mitigate every permutation doesn’t exist. Moreover, whatever the specific problem, a well-trained team with the correct tools gets to the bottom of things fastest. Anything that creates barriers to that process lessens real-world security and increases the cost of risk to an organisation, and every dollar that’s not accurately spent towards that mechanism is lost to that team. This is why it’s important for organisations to step past the hyperbole.

One of the trends we expect in the next 36 months is the outsourcing of complexity. The best success will come where organisations retain both full use of the tool that gives them the visibility they need and a level of skill in using that tool. One of my go-to rules of thumb is that complexity always reduces reliability; in other words, simple is best. As complexity increases, as it must, the importance of visibility increases exponentially. This is because as you add more links to the chain, more chains to the whole, and links in between to mesh it all together, the number of places a link can break increases exponentially.

Whether you choose to outsource wholly to the cloud, outsource to managed services or run it in-house, and whether it’s an attack or just a minor disaster, the quality of response is closely governed by two factors: the quality of the response team and the quality of the tools they have. The number one tool is visibility, as they hunt through the multitude of chain links.

At the moment there are two security worlds. In the fantasy one we’re made ‘safe’ by taking our shoes off at airports, placing men in high-visibility vests on the Sydney Harbour Bridge and blowing our budgets on biometric scanners and closed-circuit cameras. In the real one we’re left to manage the response to real outages and threats without much budget left over and with low visibility.

There’s many a CIO who should read this report.

Posted by Carlton Duston on 24 Jan 2011 | 0 comments
Tagged with Blog, Opinion, None