If Preventing a Cybersecurity Attack is Impossible…

Author

Steve Banker, Contributor

March 3, 2015

The day after ARC’s forum ended, I ran into my colleague Sid Snitkin in the Orlando airport.  Sid had put together the track on cybersecurity and he is also doing consulting in this area.  We ended up discussing this topic.

One of the things I had noticed on the cybersecurity track is how experts are focused on building detailed models to analyze every potential way that a company’s IT systems could be breached.  Yet breaches of sophisticated IT systems in major companies like Target, Sony, Anthem, and the U.S. government still occur and impact hundreds of millions of people with the compromise of their credit card and personal information.

These attacks exploited the complexity of IT systems and human nature.  In the case of Target, a weak link in the corporate HVAC system opened a pathway to all of the stores credit card systems.

In other cases, attackers gained access by tricking employees into opening infected emails.   While seemingly preventable, Sid explained that today’s cyber criminals are using “spear phishing” techniques that harvest information from social sites to tailor emails that can trick even the most cautious employees.   Spear phishing is often done by organized gangs and nation states to extract specific information.  Their resources are unlimited and Sid doubts whether any large organization could ever hope to safely resist a focused spear phishing attack.

In short, the sheer complexity of IT systems and human nature means that intrusions may be all but certain for every organization.  So instead of believing that the goal of cyber security is to prevent all intrusions, which is impossible, risk mitigation needs to become part of every company’s strategy.

This is where the cybersecurity world can apply some of the learnings of supply chain management.  Early efforts focused on planning, but experience taught us that agility in supply chain execution was just as important.  Smart supply chain organizations understand the risks of unexpected events and have plans in place to mitigate to these risks.   For example, a large company might look to their network of warehouses and understand that all those warehouses cannot be made secure in all eventualities. Floods, tornados, hurricanes, strikes, blizzards, and many other possible events could knock a warehouse off line.  In this case, the goal is to have a detailed plan in place for who will do what in case a particular warehouse goes down.  These contingency plans can run to hundreds of pages in length.

The same thought process can and should be applied to IT breaches.  However, there are some critical differences.  If your warehouse has been destroyed by a tornado, you know that.  In contrast, IT breaches often go undetected for weeks or even months.  So one thing the cybersecurity risk management team has to do is to develop strategies for detecting these breaches as early as possible.  The short lifecycle of software also creates unique problems.  New software creates a constant stream of new risks that must be considered and addressed.  Sid did not have time to explain to me how these challenges could be addressed.  I suspect it is easier said than done.

In conclusion, cyber security strategies are often described as needing to be multilayered.  One of those layers needs to have the look and feel of the kind of contingency plans for fast response teams that supply chain risk management groups put together.

This article was written by Steve Banker from Forbes and was legally licensed through the NewsCred publisher network.

Great ! Thanks for your subscription !

You will soon receive the first Content Loop Newsletter