Security Have and Have-Nots
Around 2010 or 2011, Wendy Nather coined the phrase "The Security Poverty Line", hypothesising that many organisations, for one reason or another (usually lack of funds), cannot afford to reach an effective level of information security.
Nearly a decade on, the term is in frequent use within the information security community, but are we any better at solving the problem now that we have identified it?
I asked Wendy for her thoughts, to which she said, “I don’t think we’ve even come close to understanding it yet. And I think solving it will take an effort on the level of US health care reform.”
It’s a morbid thought, and can leave one with a feeling of helplessness. So, I thought I’d try to scratch beneath the surface to see what we can understand about the security poverty line.
The term technical debt has become more common within information security over the years. The idea is that a company accrues technical debt, or in this case information security risk, over time as a result of the decisions it makes. For example, if a service is launched before a full penetration test or code review has been carried out, the cost of fixing any issues that later surface in a live environment is added to the debt.
One of the challenges with technical debt is that it does not accrue in a linear manner. Rather, the debt, and with it the slide below the poverty line, compounds: each unaddressed issue makes the next one more expensive to fix, so the total grows at an increasing rate.
Speaking to people who run small businesses, some of the challenges they face become clearer.
Cybersecurity needs investment in several areas. Initially that means hiring expertise or buying technology, neither of which is necessarily a small investment. Then there are ongoing costs: the cost of maintaining security and of regular testing. When a smaller company wants to do business with larger companies, it is usually subjected to a third-party assurance process in which it must demonstrate that it meets all of the larger company's cybersecurity requirements, even where some of the controls are not directly applicable to it. Finally, in the event of an incident, a company that has already under-invested in security faces loss of business, possibly legal action from partners and regulatory fines, as well as the cost of incident recovery and PR management.
How Much Information Security is Enough?
With such a seemingly endless laundry list of things to consider in the security world, the question on the minds of most businesses is, ‘how much is enough?’ Unfortunately, if you’re looking for a hard number, you’ll be disappointed, because the threats and challenges present in the cyber world are a moving target.
But this doesn’t mean all effort is futile; it is more a case of looking at the problem differently.
One way to look at this is through the lens of finite and infinite games, a distinction drawn by James Carse in his 1986 book of the same name.
The idea is that there are two kinds of games: finite and infinite. Finite games have rules that fix the number of participants, the boundaries, the time duration, and so forth. After a certain period of time, a winner is declared in accordance with the agreed-upon rules.
If you try to look at cyber security as a finite game, you will inevitably pull your hair out in frustration and turn into precisely what Urban Dictionary describes as Infosec.
Cyber security is more of an infinite game: one where there are no set rules or boundaries, and no winner or loser in the classical sense. Rather, the purpose of an infinite game is to always be in a position to continue the game.
Continuing The Game
Asking companies to continue the game when resources are scarce and they are living on the security poverty line is a tall order. But once you understand the game, the players, the pieces, and the moves, it becomes easier to plan a strategy. For that, it is useful to consider the following points.
Having the right people can be the difference between making it or not. That doesn’t necessarily mean hiring an entire security department. Sometimes all it takes is a consultant who can provide guidance and steer the business towards good security practice, so that security is built in from the beginning rather than bolted on afterwards.
IT security technologies have come a long way in the last decade. While the constant news cycle may make it feel as though things are getting worse, the attacks we actually see increasingly target people, through phishing, or arrive via compromised third parties, rather than defeating the technology directly.
Therefore, it makes sense to invest in technologies that offer a broad set of capabilities rather than a collection of point solutions. These can be more affordable, not just to buy, but to maintain on an ongoing basis.
In today’s age of the cloud and service providers, in many cases it doesn’t make sense to keep everything in-house. Engaging a reputable managed security service provider (MSSP) can remove the need to run your own security operations centre. Similarly, keeping a PR agency on retainer can help manage any incidents that need to be reported.
Finally, where risk can’t be mitigated or accepted, consider transferring it to an insurance provider. Not only can insurance help alleviate the financial cost of a breach, it can also go a long way towards demonstrating to customers, shareholders, and partners that insurance was one part of a broader cyber security plan to keep data secure.