The struggle to cope with the rapidly evolving nature of cyber risk is undermining the efficacy of converged security planning, writes Dan Solomon. He goes over findings from a new paper examining the effectiveness of security planning in the UK private sector.
Companies need to plan for the wide variety of potential security threats and the majority of firms struggle with resources, intelligence, or expertise to deal with a full range of scenarios, and consequently cannot consider the full spectrum of converged security risks and their cyber dimensions. In most cases, companies lack the awareness of the complete threat landscape and their vulnerabilities. Hence there is a lack of urgency to upgrading their security risk agenda. The absence of such drivers tends to limit the budgets for security investment in intelligence and capabilities, and so the cycle continues to undermine the efficacy of security strategies. <br><br>Developing strategy<br><br>Developing strategy should be a composite process that generates an overarching statement of objectives, intentions and policy, and outlines methodologies for reducing security risk in the business in response to the anticipated threats identified in a risk assessment. This is raising significant challenges in developing a cyber security strategy, or the cyber elements within a well constructed risk-informed strategy.<br><br>One of the weaknesses in security planning is the demarcation of the strategy from the plan, and between security and contingency planning which are very inconsistent among sectors and firms of different type and size. This is likely to remain the case, particularly when considering converged or cyber threats. To some organisations, having ‘a plan’ is tantamount to a plan of works to provide security, which may or may not be derived from a security strategy. To others it is a system for enacting instructions in the event of both an event and a contingency. <br><br>Comprehensive plans should extend to include steps to identify and deter threats to people, processes or assets, which will be qualified in terms of the likelihood, vulnerability, and impact analysis. They may also contain metrics to measure delivery and effectiveness of the plan, but to understand the weaknesses and challenges inherent to both security and contingency planning, firms must define how their delivery and effectiveness should be judged, which is the subject of some debate.<br><br>Few converged security strategies are fulfilling these criteria comprehensively. Security plans that should be threat assessment-led rarely provide a detailed blueprint for the provision of converged security requirements that emphasise both physical and IT elements. Furthermore, security plans must be constantly evolving in order to remain effective and relevant, and it is this point that is challenging companies’ ability to proactively evolve, which is critical within the converged and cyber domains. <br><br>Threat assessment<br><br>As intelligence and dedicated resources are usually insufficient to maintain a comprehensive threat assessment and awareness in the majority of firms, greater focus is developing on internal vulnerabilities. To a degree this should be viewed a positive step away from the traditional ‘perimeter’ doctrines, as converged threats expose the flaws in this approach. A shift towards creating layered security ‘from within’ offers greater depth to an organisation’s position, and around factors that a firm can control. Taking a more internal view of vulnerabilities should focus security managers on organisational and human factors that drive policy and procedure, as much as the systems they manage. This provides a less dynamic (but no less complex) landscape when considered in isolation from the characteristics and objectives of external threats and it allows security managers to build and reinforce different aspects of internal security, increase the adoption rates of recommended security measures, and provides the parameters for a broad range of tests & exercises that can be run against different scenarios.<br><br>Testing effectiveness<br><br>Most firms are well accustomed to conducting specific safety drills annually, but this has yet to become the norm for broad a range of security scenarios. While companies are increasingly testing activation procedures of backup facilities and related desktop exercises, these are related more to business continuity measures rather than security controls. Security exercises are important to maintain the organisational reassurance that beyond audit requirements, the strategy and planning will deliver required levels of security for the organisation. This point alludes to one of the most common of failings in security plans, which are often static or out-of-date, and lack application through exercises to ensure awareness, preparedness, and sufficient familiarity with the plans’ aspects to allow for their interpretation. <br><br>These issues override the other issues of a plan’s validity or the deficiencies in security strategy, as the true extent of these latter’s weaknesses remains unknown to the organisation until it is faced with a security incident. Hence one of the most critical failings in security management is to sustain and demonstrate the relevance of plans through appropriate security tests and exercises. To a degree in larger companies this is partly mitigated at an organisational level by maintaining separate teams and responsibilities for security planning, and business continuity or contingency planning, and it could be seen that effective business continuity plans compensate for weaknesses in security planning. Conversely in smaller firms where these functions are typically integrated into one function, both security and contingency planning can be undermined by the same common denominators. In some cases, the weakness of security management is rarely identified as the ‘problem’ undermining the planning process rather than focusing on the plans themselves. Therefore, one of the key steps of the planning process must be to ensure that plans are tested and work effectively.<br>The issue of testing security and running exercises is problematic, partly because of the complexity and cost of running converged security exercises in particular, that incorporate the testing of IT and system vulnerability. Large companies and better prepared companies are more likely to conduct exercises regularly, however because of the scale and complexity of these large companies, and the range of threats they face, they cannot run sufficient tests and exercises to be ready for most eventualities. Moreover as IT dependency grows, from an already complex and widespread base, it is increasingly rare that comprehensive security exercises are conducted which simulate real converged threats and test the security and responses. In the cyber domain, budgets fail to cater for the costs and the specialist skills required from a ‘red team’, especially to simulate an advanced form of threat.<br><br>Senior management are rarely involved in security exercises, and this reflects a degree of complacency among executive management that they will be able to make effective and timely decisions in the event of a significant crisis that warrants their real-time involvement. Moreover it also indicates that executive management simply do not expect catastrophic crises, and are consistently reluctant to allocate budget to simulating one. The scope of exercises tend to reflect how seriously the threats are considered and prioritised, but often for the sake of simplicity, an exercise can be focused on a specific critical process but fail to test the vulnerability causes by interdependencies between processes. The failure to fully exercise against a more complete scenario means that the company is not fully aware of the vulnerability, or the potential challenges it will face as impacts cascade and interdependencies are revealed throughout the response. Exercises more often focus on specific elements of the company’s ability to respond to threats or enact their contingency plans, while neglecting to test security which is more vulnerability focused. <br><br>The limited scope of exercises, tends to reflect the complexity, cost, or time an organisation requires to set up and conduct a full exercise, particularly if it involves an IT or network-related incident, or requires a more significant impact or disruption to the company’s operations, or staff agendas. Many exercises therefore tend to revert to simple table-top exercises of staffs ability to manage a security incident, or implement a contingency plan. This however is disingenuous in so far as it assumes that the plan is sound, and the focus of the exercise is on difficulties related to staff understanding, decision-making processes, and plan implementation, and they are less able to identify flaws in plans. <br><br>Furthermore some of the lower-probability but high-impact scenarios are not considered high priority, and invariably are not the subject of exercises at all, which alludes to weaknesses in companies’ awareness as much as preparedness. The infrequency of exercises and tests is one main symptom of this problem. With infrequent exercises, organisations are forced to focus on higher probability threats, and invariably on operational aspects of a scenario. The aim is invariably to contain an incident and ensure that the effects neither cascade, nor escalate the incident to have more strategic consequences. However the anticipation, and management of consequences are typical weakness that are not fully addressed by many table-top exercises.<br><br>Conversely it is more complex to exercise against a strategic threat, and allocate sufficient focus to testing operational elements that contribute to that threat, or scenario. This is most evident where human factors, social engineering, or malware contribute considerably to a threat, and where a vulnerability is to be tested or qualified through the use of specific risk intelligence. The term ‘Security Planning’, is increasingly an overarching term that does not transpose consistently across companies, and often incorporates contingency planning. A ‘pure’ focus on security needs to shift further towards deploying and testing the measures in place to prevent or pre-empt a crisis.<br><br>About the writer<br><br>Dan Solomon is Vice President at Security Art, and Director of the Homeland Security Program at the Atlantic Council of the United Kingdom.
