This article is the result of a dialectical confrontation with a customer who needed to integrate "Cyber Security" services among the activities they were already offering.
This pleasant meeting generated some reflections that may be useful to better frame the approach to take, whether you want to do business in this area or you simply want to strengthen your own IT department.
I am extremely convinced that using the correct terms is necessary to present oneself in a serious and authoritative manner to one's interlocutors. I would therefore like to begin this article by clarifying, right from the start, the difference between two terms that are (too) often used interchangeably, but which nevertheless present significant differences, from which derive specific consequences, both technical and conceptual: Cyber Security and Information/IT Security.
Cyber Security deals with the security of "things" that can be made vulnerable through Information and Communications Technology (ICT), also considering the places where data are stored and the technologies adopted to protect them.
When we talk about Information Security, the focus is on the protection of information, whose general objectives are summarized by the famous CIA triad: confidentiality, integrity and availability of information. Information security is therefore the set of means and technologies aimed at protecting information systems in terms of availability, confidentiality and integrity of information assets.
With Information Security, we will therefore talk about all and only those aspects closely related to information technology, without leaving the digital domain: we remain confined to the binary world composed of bits.
Cyber Security deals with the protection of all things (virtual and physical) that are even only tangentially touched by information technologies (e.g. traffic light systems, car control units, and more generally: human beings).
Cyber Security and Information Security in the company
Each company starts from a different point, and each has its own distinct history: some have been on the market for dozens of years, others are promising start-ups. But even among companies with a comparable amount of experience, there will inevitably be different histories, both in terms of mental approach and of the customers to whom they have presented themselves over the years of activity.
A winning approach is instead made up of a set of people and processes capable of providing real, long-lasting added value. In fact, it is necessary to create a dynamic and culturally satisfying company context, made up of close-knit people on a constant path of professional growth and with a 360° vision. To do this, you have to present yourself with what I call the "3x4D method", that is, the ability to make the two components your own by combining them:
Three of the most important aspects, which together define a system of strongly interconnected three-dimensional axes, are: People, Process, Technology.
These three aspects define the internal perspective of a company that aims to create a business scenario based mainly on people and processes, where technology (third-party or internally created) will certainly have strategic importance, but only if it is designed as a function of the other two directives!
A good cybersecurity practice should be structured and built around people and processes, supported by technology.
But of course, many cybersecurity practices have been developed in reverse, "jumping" each time to the first technological solution at hand whenever an unmanaged need arose and one had to run for cover in order to meet the customer's needs. In and of itself, this practice would not be completely wrong: when faced with a compelling need, it is justifiable to rush to the rescue. What is blameworthy is turning the decision resulting from an unforeseen and hastily managed situation into the ultimate solution on which to base one's business.
Two provisions should accompany this behavior:
- Provide a process for dealing with the unmanaged emergency, such as having a network of in-house consultants or researchers who can offer valuable advice.
- Provide a post-emergency process, to solidify what has been done or to find the most suitable solutions for managing similar situations in the future.
The immobility of the status quo is inconceivable and cannot be sustained. Focusing only on short-term successes will only generate quick and ephemeral "victories", capable of proliferating only mediocre products born of the emergency, with the associated risk of suffocating the entire business and depriving it of investments of true value.
Investing in "occasional" products, or following the fashions and advertisements of the moment, will do nothing but distance you from the real level of maturity and security that the same economic investment could proportionally have brought if, instead of being spent on sterile (and ephemeral) technologies, it had been used for more thoughtful investments capable of enhancing people, improving processes and, therefore, leading to more prudent technological choices, grounded in the specific technical and human reality.
Therefore, it will be fundamental to invest in one's own reality, in order to build an internal structure able to lead, through a mixture of people and business processes, to a well-established business system capable of forming competent, reactive, informed figures with a wide vision of the various problems, both direct and surrounding.
Once a strong and organic base is established, the technological investment will be almost automatic, relying not only on third-party technologies, but also, and above all, on internal ones. At this point it should be clear that the IT security process must be in continuous evolution, able to dynamically adapt to the surrounding environment without ever settling on specific products.
In order to evolve, you need fertilizer, and, in this sector, the best fertilizer for growing precious and nutritious fruits is constant training, together with continuous adaptation and internal improvement by adopting the mechanisms of the famous Deming cycle in an agile and dynamic context.
Four dimensional approach
The security lifecycle consists of four points (although it is often referred to as a triad in the literature):
- Prevention: the ability to prevent attacks by proposing solutions to improve infrastructures on the basis of objective assessments.
- Detection: the ability to verify in real time, or in advance, what is happening, so as to foresee with a wide margin the onset of critical issues.
- Respond: the ability to cope with an ongoing attack with a prompt response to the cyber incident and associated mitigation strategies. Since perfection is not of this world, security can never be 100%; it is therefore always necessary to anticipate an attack, even in the face of the most sophisticated techniques and technologies put in the field.
- Recovery: the post-attack phase, which can include both the investigation of the causes of the damage that occurred (Incident Response + Digital Forensics) and the ability to provide the service that puts the infrastructure back on the road, from a corrective perspective, to avoid the recurrence of the incident.
In the 3x4D perspective presented above, each of the three aspects of the three-dimensional approach (People, Process, Technology) must always be present in each of the four phases just proposed (Prevention, Detection, Respond, Recovery).
In each of the four phases between "Prevention, Detection, Respond and Recovery", the same dynamics will be proposed again, which will see people and processes at the forefront, and technology being a secondary player only if related to them.
To provide an overall vision of a security-oriented business, we will now try to give an overview (certainly not exhaustive) of the various services that a company aiming to enter the Cyber Security market should be able to offer. Each of the four points mentioned above can express a range of possibilities, each with its own specific business, which, if combined together, will organically cover the entire cycle of information security.
- Security Assessment
- Policy Auditing
- Ethical Hacking
- SIEM + SOC
- Proactive Security
- Log Analysis
- OSINT (Open Source INTelligence)
- Support activities for customers subject to cyber attacks
- Incident Response
- Procedures followed and monitored alongside the customer in the event of an IT incident
- Digital Forensics
- Final advice to mitigate the damage
- Securing → starting again from the Prevention point and therefore being able to restart the cycle
From a business perspective, it is certainly important to confirm one's reputation in order to keep the circle of customers solid, but the ability to acquire new ones, so that they can be included in the cycle just presented, is just as crucial.
In this regard, and by way of example: one of the strategic phases useful for the acquisition of new customers will be the Respond phase, expressed as support for customers subject to cyber attacks. A company that finds itself facing an emergency, lacking the necessary tools and skills to manage it, or technological partners able to support it, can turn "to us" to find ready support for the contingent need.
Once a prompt answer and resolution to the information security incident have been given, it will be possible to propose to the customer that they become part of the four-phase security cycle presented above, so as to offer them 360° services in view of Cyber Security. The objective will obviously be to avoid similar problems being repeated in the future.
In order to create a reality with real added value, it will therefore be important to approach and manage the human side and the study of processes as a priority, avoiding as a first approach that of focusing vertically on specific products.
This is because products change, and no matter how much people become attached to them, they will never be something truly their own. Instead, processes and people will remain the real point of value, the beating heart of the company which, if well started and nourished, will together be able to generate new internal technologies to be developed and integrated.