Given all the years that companies and federal and state governments have been investing aggressively to improve cybersecurity, you might think by now they would have a well-executed cyber architecture and security strategies firmly in place. The sad fact, however, is that many organizations have yet to accomplish this -- or they did so temporarily but subsequently failed to keep pace with change and now need to recast their work.
Why is enterprise cyber architecture and a solid security strategy so important?
Consider, for example, the security status of a building with 20 exterior doors, of which 19 are locked. Would you be 95% secure? The answer is no. The building would have zero security because most prospective intruders would know enough to find the unlocked door.
The upshot is this: the application of consistent security policies across corporations, now lagging, is essential. And this involves much more than simply securing all software interfaces. Adequate security involves people, process, information and technology, as well as the need to recognize and respond to change, including the adoption of better technologies.
Good Security Includes Cost Efficiencies
Good enterprise architecture also requires the means to align security implementation with enterprise-wide strategic objectives and business operations. So costs and efficiencies must be embraced.
Companies, in effect, must think like insurance or credit card companies – i.e., they must analyze known risks and calculate the average cost of threats. Insurance companies set premiums high enough to cover losses on average, but not so high as to make them uncompetitive. Credit card companies spend money to combat fraud, but cap the amount in a bid to balance cost with reward. Similarly, companies need security budgets big enough to cover most, but not all, of their threats. Covering every threat would be prohibitively expensive and could render the business non-competitive.
In short, companies must make intelligent cyber investment bets, bearing in mind a fundamental axiom of security that risk can never be driven to zero.
Risk Tolerance and Budgets Must be in Sync
In many organizations, the tolerance for risk and the budget for security are not in balance because different departments strike that balance differently. Businesses must take several steps to plan and implement a sound and balanced enterprise-wide cyber architecture and security strategy.
Essential measures include the following:
- Select and follow relevant standards to drive a good cybersecurity posture, such as the NIST Cybersecurity Framework, ISO 27001 or, for select industries, HIPAA. This helps reduce the learning curve and leverages best practices without the need to reinvent the wheel.
- Make a point of tailoring and customizing the security architecture and cybersecurity risk management process based upon the specific threats and vulnerabilities faced by your organization. The NSA, for example, has developed a model that identifies 21 areas that organizations need to tailor to their specific environment to develop the best possible cybersecurity risk posture.
- To avoid getting overwhelmed by the sheer volume of attacks, go beyond logging, monitoring and alerting to also focus on proactive threat hunting. Security operations, automation, analytics and incident response must be woven into an integrated platform. And make sure that automation is not merely a “bolt-on” that slows the entire production process.
- Increase your cyber visibility by trying to tear things down in search of possible vulnerabilities. This way, you’re not merely relying on the “security hardening work” you have done but are regularly working to improve things. This also makes it easier to find a breach when it occurs.
- Substantially improve management of third-party risk, which is growing as companies continue to outsource. Current approaches to the problem, such as audits and penetration tests, are helpful but usually provide only a fleeting snapshot of security risk. To proactively mitigate risk, organizations need automated tools to continuously measure and monitor third-party security performance.
- Welcome the CISO to the C-suite. Because cybersecurity and compliance are serious business issues, it’s imperative that a corporation have a CISO empowered with adequate authority, funding and a clear mission to proactively keep systems and data safe.
- Lastly, be attuned to advances in cybersecurity that perhaps should be adopted by your organization. One case in point is homomorphic encryption (HE), a technique for computing on encrypted data without decrypting it. It is already in use for select functions by some government entities and corporations to limit the infiltration of secure networks and combat offensive techniques used by nation-states. It could also enable companies, for instance, to encrypt their cloud-based databases and work on them without converting records back to plaintext.
New Technologies like Homomorphic Encryption are Important
So-called fully homomorphic encryption (FHE), which entails almost everything from soup to nuts, has yet to be fully developed. But, as noted, important HE pieces have been put into play and significant advances are being made in the evolution of a technology that stretches back decades.
For many years, HE’s mathematical computations slowed system performance to a crawl. While greater speed is still needed, there has been substantial improvement. Last year, for example, IBM, among the pioneers in HE, rewrote its C++ HE encryption library and claims it now runs up to 75 times faster. And Enveil, a Maryland startup staffed by a former NSA HE team, has broken performance barriers required to produce a commercially viable version of HE, benchmarking millions of times faster than IBM in tests.
In experiments, HE has enabled Google to successfully analyze encrypted data about who clicked on an advertisement in combination with another encrypted multi-company data set with credit card purchase records. As a result, Google was able to provide reports to advertisers summarizing the relationship between the two databases to conclude, for example, that five percent of the people who clicked on an advertised product wound up purchasing it in a store.
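As an added illustration, not code from the page or from IBM, Enveil or Google, of what "working on encrypted data without decrypting it" means in the aggregate-reporting setting just described: a toy additively homomorphic scheme (Paillier, with constructed small primes) in which the data owner encrypts one purchase flag per ad clicker, an analyst holding only the public key totals them, and only the aggregate is ever decrypted. Paillier supports addition and scaling by a known constant, not the arbitrary computation that FHE aims for.

```python
import math
import secrets

P, Q = 1000003, 1000033   # constructed toy primes; nowhere near a secure key size

def keygen(p=P, q=Q):
    """Paillier key pair using the standard g = n + 1 simplification."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)   # Carmichael function lambda(n)
    mu = pow(lam, -1, n)           # lambda^-1 mod n
    return (n, n * n), (lam, mu)

def encrypt(pub, m):
    """c = (1 + m*n) * r^n mod n^2; a fresh random r hides equal plaintexts."""
    n, n2 = pub
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return (1 + m * n) * pow(r, n, n2) % n2

def decrypt(pub, priv, c):
    n, n2 = pub
    lam, mu = priv
    return ((pow(c, lam, n2) - 1) // n) * mu % n

def add_encrypted(pub, c1, c2):
    """Ciphertext product decrypts to the plaintext sum."""
    return c1 * c2 % pub[1]

def scale_encrypted(pub, c, k):
    """Ciphertext to the power k decrypts to k times the plaintext."""
    return pow(c, k, pub[1])

def encrypted_purchase_count(pub, enc_flags):
    """Analyst side: public key and ciphertexts only, so it can total the
    encrypted 'bought' bits without ever seeing an individual one."""
    acc = encrypt(pub, 0)                 # encrypted running total
    for c in enc_flags:
        acc = add_encrypted(pub, acc, c)
    return acc

def conversion_report(bought_flags):
    """Owner encrypts one flag per ad clicker, analyst aggregates blind,
    owner decrypts only the aggregates. Returns (buyers, percent); e.g.
    40 clickers of whom 2 bought -> (2, 5.0)."""
    pub, priv = keygen()
    enc_total = encrypted_purchase_count(pub, [encrypt(pub, f) for f in bought_flags])
    enc_hundredfold = scale_encrypted(pub, enc_total, 100)   # 100 * buyers, still encrypted
    buyers = decrypt(pub, priv, enc_total)
    return buyers, decrypt(pub, priv, enc_hundredfold) / len(bought_flags)
```

The analyst never decrypts anything; the key holder learns the count and percentage but no per-record flag, which is the "secure while in use" property the article attributes to HE.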
While HE will not make sense for all applications today and requires improvement for many uses, it already brings considerable benefit to applications requiring the processing of highly confidential information. As the technology continues to evolve, HE’s ability to secure data while in use is an example of disruptive innovation that companies need to watch carefully. Sophisticated hackers never stop evolving and improving. This means their prospective victims cannot stop evolving and improving, either.
By: Bob Ackerman
Featured in RSA Blog.