
Defence strategy refresh needed

By Bonnie Tubbs, ITWeb telecoms editor.
Johannesburg, 07 May 2013
Defence is a mix of art and science and doing the right thing does not necessarily guarantee success, says security architect Marinus van Aswegen.

Amid a sea of evolving cyber security threats, it is time for enterprises to rethink their defence strategies.

So says security architect and founder of Telic Consulting Marinus van Aswegen, who points out that, despite best efforts by firms with superior resources, there exist a number of unworkable strategies.

"It's not about fear mongering, but rather introspection," says van Aswegen, adding that there really is no silver bullet when it comes to selecting the right strategy. Sometimes, he says, the most effective strategy is one that is built up over time. He says it boils down to "keeping the bad guys out and far away", but this is not done overnight, or without inevitable holes.

"There are just so many layers that we cannot always understand all the levels [of threats] and so, despite our best efforts and resources - we are actually losing."

In terms of how enterprises respond to this reality, van Aswegen says: "[We respond] typically in the way we know best."

While there is not a lot that can be done about what is outside an organisation, says van Aswegen, what is inside is in the organisation's control - "and we could be doing a lot more".

While various studies have been carried out to identify types of breaches, where they come from and how to avert them, van Aswegen points out that information systems are relatively new - and as such there are no historical analogues.

He says complexity is the enemy of security, but it is not possible for one person in an organisation to understand all the intricate layers and how these pose a specific risk.

"There are lots of contributing factors to a company's vulnerability. Some are in our power, and some are not. You need to accept that failure is part of the equation," says van Aswegen. "Failure is sometimes an option, provided you have redundancy."

The bottom line, he says, is that existing strategies are by and large not working.

Defence strategy guidelines

Here are eight factors enterprises should bear in mind when reviewing defence strategy, according to van Aswegen:

1. You need to define your own strategies.

2. Learn from others, find what works for you.

3. Embrace change.

4. Articulate your goals/objectives.

5. Accept that you may fail, and plan accordingly.

6. Without intelligence and visibility, you cannot change tactics/strategies.

7. Understand the strengths and weaknesses of your strategies.

8. There will be unintended consequences.

Van Aswegen concludes by citing an excerpt from Verizon's 2013 Data Breach Investigations Report: "Some organisations will be a target regardless of what they do, but most become a target because of what they do (or don't do). If your organisation is indeed a target of choice, understand as much as you can about what your opponent is likely to do and how far they are willing to go."
