Where it all began
In the 1980s a new age of technology was dawning, as personal computers started to move from laboratories and specialist engineering uses to something that was available to the general public. Since then we’ve seen both positive and malicious uses for technology grow at an exponential rate. Initially security wasn’t something that was really considered in development. It was an exciting new world where the possibilities were endless, including the idea of creating self-replicating code, something that was seen more as a proof of concept than anything malicious. By the late 1980s code was being written with the intent of bringing down networks and impairing the ability of organisations to operate effectively, and Anti-Virus software was born.
Initially it seemed like AV and Firewalls were the solution – protect the perimeter, detect and destroy anything that gets past the firewall, nothing to be worried about. However, over time it became clear that some sort of standard needed to be built. Governments started developing standards that systems built for their use had to comply with – NIST put out its first mandated standard in 2005, the Australian Government put out the ISM in 1996. The development of standards reflected the overall approach in the early 2000s: if we were going to get people to take security seriously we would have to create regulations, standards, and frameworks for them to comply with, and take a big stick approach to force them to comply.
This mindset led to the development of many different frameworks, and to the broader adoption of existing ones. Many contracts now require that service providers are compliant with ISO27k, ISM, Essential 8, SOC, NIST and others. Various industry-specific frameworks have been developed and compliance with them mandated. This has raised the baseline of expected security across all industries, and has created a yardstick for measuring what the expectations within any given organisation should be.
The impact of the real world
The world has changed drastically since the early 2000s. Instead of the conversation being “how do we get the executive to care”, it has become “how do we reassure our board that we’re not going to be the next major breach”. There is a desire to be secure, but a lack of understanding of what secure looks like. Most organisations turn to the compliance standards, and believe that the badge of ‘compliant’ or ‘certified’ means they are safe from a cyber attack. Unfortunately this often ends in complacency. The nature of these standards is that they list a lot of requirements, most of which take so long to update that they can’t keep pace with the speed of technology change. Compliance with the standards is generally only examined periodically when a recertification is due, which provides a point-in-time view of the security of the organisation without considering the ongoing requirements. The driver behind compliance is to tick a box, and often little thought is put into how the intent of these compliance activities will be baked into the way the organisation operates on an ongoing basis. In addition, the standards and regulations are written to try to provide a ‘one size fits all’ security framework, whereas in reality every organisation has different threats, vulnerabilities, and risk appetite. If applied purely based on the letter of the law, complete compliance with any given standard or regulation may not actually result in an organisation meeting its security requirements in any practical way.
More than a tick in the box
So how do we reassure the board, gain a certification or similar to give our customers confidence that we are secure, and also implement genuine security measures that protect our organisation? The key is to look at the intent of the compliance requirements and build them into the way we work, rather than conducting a point-in-time assessment when the compliance audit is due and then putting it away until the next audit. There are several tools in our toolbox that assist with achieving this.
- Continuous Security Monitoring – an ongoing process of observing, analysing, and reporting on security-related events and vulnerabilities within an organisation’s network or information systems. It provides real-time detection and response capabilities, which allows breaches and vulnerabilities to be responded to immediately, reducing the risk to systems and information; enables proactive security risk management by identifying threats and vulnerabilities before they are exploited; and maintains continuous compliance, reducing the risk of fines, penalties, or legal action. Monitoring should cover threat detection and analysis, vulnerability management, access control management, incident response planning and testing, security awareness training, and compliance monitoring.
- Comprehensive Security Awareness Activities – Employees are often the weakest link in an organisation’s security posture. Security awareness activities should be provided to all employees to ensure they are aware of the risks and threats facing the organisation and how to identify and report suspicious activity. These should consist of a wide variety of activities to build security behaviours into the culture of the organisation.
- Exercising the Incident Response Plan – Much like having regular fire drills, the Cyber Security Incident Response Plan (CSIRP) should be regularly exercised to provide an opportunity to test and improve the effectiveness of the plan in detecting, responding to, and recovering from cyber incidents. These exercises help identify gaps in the CSIRP, improve response time, enhance staff skills, and test technology and tools. Regular CSIRP exercises are essential to ensure that the organisation is well prepared to respond effectively to real-world cyber incidents and to continuously improve its overall security posture.
If all of these activities are undertaken and reported on continuously, then the organisation is prepared for any point-in-time audit without requiring additional resourcing at the time of the audit. More importantly, the intent of the standards and regulations will be met, and the organisation will be taking all reasonable steps to maintain the confidentiality, integrity and availability of its information and systems.