Acceptable

Is there ever enough security?

Phillip Kittelson | 01 Feb 23 | 3 min read

Is there such a thing as an “acceptable level of security?” Ask anyone in the field of cybersecurity, and you might get an even split between yes and no answers. The classic cybersecurity engineering person might say “No! There is never enough security!” while a more strategic person would say “Yes!”

In his book Cyber Crisis, and even on his YouTube channel, Dr. Eric Cole, a cybersecurity strategic thinker and subject matter expert in both the strategic and technical areas of cybersecurity, talks about his early days in the field at the CIA. His bosses wanted him to attend meetings, listen in, and in the end just tell everyone their solution was not secure enough. His bosses had the mindset that there could never be an acceptable level of security.

Every decision you make, in business and in your personal life, embodies risk, from driving to work to deciding what to eat for lunch. These decisions may seem trivial, and you probably don’t expend a lot of time and effort on them, but the choice to do nothing (not going to work, or not eating) will still impact you at some level. The consequences of inaction (especially at the CIA) could be catastrophic.

While security is important, there absolutely is an acceptable level of security when it comes to securing computers and networks. Some data is valued more than other data, which is why Amazon doesn’t lock its ecommerce server system away in an air-gapped vault: doing so would completely lose the benefit of hosting those servers in a manner that allows customers to buy products!

When it comes to classified data, there is of course an acceptable level of security as well, which is why the security requirements for data labeled “confidential” are not the same as for data marked “top secret.” The consequences of a breach at these two classifications, while still bad overall, are completely different. Lawmakers, policy makers, and original classification authorities (OCA) understand this as well. There is a cost to implement security for higher classifications, and spending that much to protect a lower classification is not warranted.

So, is there such a thing as an acceptable level of security in the cyber world, and what does it mean? The answer is yes, there is, and it rests on the following:

  • Security Baselines are developed, and implemented, to protect the confidentiality, integrity, and availability of the data and processes on our systems. These baselines outline which security controls are chosen based on these three criteria. A system which implements more stringent security controls will run at a higher cost. If controls were implemented to boost the integrity of a system, that translates into more backup servers, increased storage capacity, and an increased level of personnel to maintain and run those servers. If a system were implemented with more stringent controls to protect its confidentiality, this reduces the availability of that data, or that system, to the people who need to use it. Would the increased cost of implementing more controls outweigh the benefit?
  • Risk Acceptance is needed in every organization. At some point, someone will accept the risk to a computer system. That person will have the authority, and hopefully the strategic thinking, required to know the risk associated with operating a system, the benefit of operating it, and whether the benefits outweigh the risk taken.
  • Strategic thinking, or having the ability to reframe a situation. Suppose your CEO informed you the company was absorbing another company. This company is known for its excellent products and huge revenue; however, they are also known in the industry for having bad security. What would you say? Half of the people in cybersecurity would warn the CEO against doing it, and derail the merger process. Those with strategic thinking skills would calculate the cost of fixing the issues and inform the CEO, so they could negotiate a reduction in the asking price, fix the security issues, and take on a huge benefit for the organization.

Tags: cybersecurity, infosec, information security, baseline, strategic thinking