Dual Axis of Threat Awareness
Introduction
Keeping up with today’s torrent of cybersecurity breach information is a daunting task. The topic – and the alarms it rings – is deeply complex and moves at a blistering pace. If security doesn’t show up in their job description, an employee is likely to adopt an indifference that is not unlike paralysis. When the flood of information becomes too much to create a meaningful understanding, we tend toward the worst possible form of readiness – complacency.
An immediate outgrowth of complacency is reduced or non-existent “situational awareness” across the organization at large. Too often, managers’ own situational awareness leads to misperception of the scale and scope of threats. We see this manifest when those managers assign responsibility for security to technologists, (mistakenly) believing that cybersecurity is the domain of the IT department alone. This creates a silo, and reinforces other employees’ belief that they are absolved from responsibility for security.
This dynamic creates harmful momentum toward less secure organizations, and managers must to action to reverse the trend. In order to frame the problem in terms that enable a common understanding, it helps to focus on both the proximity of threats and the variety of forms they can take. By devoting special attention to so-called “situational awareness,” managers can begin to drag their organization way from complacency and toward a more active cybersecurity defense posture.
Proximity
Although most managers now understand that cyber breach is a legitimate threat, most have not fully explored how close those threats are to becoming reality. It is relatively easy to pay attention to “known” threats – attack devices and methods that have been used before. But “unknown” threats (also known as 0-day) – which cannot be tracked by threat intelligence services –cannot be spotted. These are the threats that lurk most closely, and which represent the greatest danger to an organization’s critical information.
Here we see how technology investment can lead to a false sense of security. Known threats, which are (falsely) perceived as the most proximate, have been identified and mitigated. Although this may feel like a job well done, in reality it is only the first step toward what needs to become a more advanced security program. However, the misperception of threat proximity has led to a simple and seemingly elegant solution whose primary effect is to reduce the sense of urgency that comes from awareness.
This is one example of the blind spots that can arise when security rests solely in the hands of technology. Known threats can be identified and monitored with technology solutions and a relatively small security staff. This seals off one attack vector but leaves the organization open to any unknown methods. Unknown attack vectors stand a higher chance of success because technology – where organizations focus most of the effort – is ineffective at spotting 0-day attacks.
In matters of uncertainty, we have an unfortunate tendency to “search underneath the lamp post” which yields predictable – and not terribly helpful – results. While searching in the dark may be similarly fruitless, there are steps that managers can take to significantly expand the searchable area.
Variety
Any good response begins with good preparation – cybersecurity is no exception. A cyber attack can come from vast number of directions and take many forms. The most successful attacks combine multiple “attack vectors” in order to break in. Planning a reaction against attack vectors should minimize their effectiveness. Unfortunately, this area of planning often suffers from a lack diligence, and occasionally from a lack of imagination.
As with perceived proximity, many managers tend to assume that the variety of possible attacks is largely covered by technology investments. Not only is this wrong, it ignores the fact that most attacks use a combination of tactics to gain hold – variety is built into the attack strategy. Ignoring the multitude of tools used by hackers means that most organizations are guarding the front door, but have left the back door and all the windows completely open.
Mechanisms for Perception
Managers can increase their organization’s likelihood of spotting threats by creating better mechanisms for perception – improving situational awareness. One method of identifying threats is to think about what is at risk: what assets might a bad actor want to access, and why? Thinking about threats in these terms brings the danger out of the abstract and close to reality. It turns the problem into something that everybody can understand.
Risk mangers should be deeply involved in this process – identifying sensitive or at-risk assets and rating them for their importance to the business. In turn, workers who have access to these risk-rated assets should be made aware of the threats so that they, too, can understand the reality of the risk. Once they’ve achieved an appreciation of the case for security they can be trained on how to recognize a potential threat, and the proper reporting and escalation procedures. Thee activities build on one another and contribute to a broad organizational awareness that can be adaptive and resilient in the face of a security breach.
Cultivating Awareness
Awareness goes hand in hand with collaboration. Workers must know their roles, and have visibility on those with whom they share responsibility. Managers must define all the stakeholders in this equation. This means not just the office of the CISO, but risk management, IT operations, procurement, human resources, audit and compliance, and legal teams. Leaders should seek opportunities to help these stakeholders collaborate and gain an understanding of one another’s roles.
Executives will want to build such a program using established, recognized security practices. But these are often the domain of security technologists and unapproachable to non-tech employees. Because of this it is critical that management employ a framework that is sufficiently inclusive as to make clear the various roles who should be involved in implementation. When this is the case, security roles and responsibilities can become a measured and incentivized component of job descriptions. Awareness, then, becomes a part of each employee’s job, and can be tested, assessed, and improved over time.
The NIST Cybersecurity framework (published in February 2014 by Executive Order) offers broad, high-level guidance focused on risks rather than threats. A complementary framework from the Department of Energy delivers actionable recommendations that align with NIST and can be assigned within an organization. Neither of these frameworks is compliance-driven, instead offering an opportunity to put organization’s on a positive course toward improved cybersecurity maturity.
Our Cybergovernance Maturity Oversight Model (CMOM) uses a blend of these two frameworks to evaluate a firm’s security posture and help map a course forward toward greater situational awareness.