You don’t have to outrun the bear…

Bear Photo by Janko Ferlič on Unsplash

You just have to outrun the other guy.

Unfortunately, there is no absolute for security. There are enough unknowns and changes in the world of cybersecurity to make a state of ‘completely safe’ impossible. The greatest security in the world is still vulnerable under certain conditions, however unlikely they might be. Conversely, we don’t have a reliable measure of absolute insecurity. Measures like the ISC survival time measurements provide some indication (https://isc.sans.edu/survivaltime.html), but in the real world there are still variables that can alter the likelihood or severity of compromise for any system, even those with no deliberate security measures. Without absolute security to use as a standard, we are left with a problem when assessing our security. A system cannot be tested to be 50% secure or 99% secure if we do not know what 100% secure or 0% secure is.

All is not lost, but without an absolute as a point of reference we are forced to rely on relative assessments of security. We can, for example, measure our security posture relative to probabilities: we might calculate the likelihood of a type of attack and match our defence activities against that probability. This provides a good method for developing strategy, but our understanding of possibility and probability is limited by our experience and imagination. This is less a solid calculus and more a somewhat educated guess.

We could assess our status relative to a set of standards or guidelines, but that provides a comparison only with an invented and fixed minimum or maximum. This may not allow a company to keep pace with developments in the field, strive for excellence in any area, or even prioritize issues based on their importance. Rules and regulations have their place, but they serve best when they formalize common and recognized best practices rather than dictate them.

You just have to outrun the other guy.

An alternative relative measure would be to measure ourselves against others. Comparing our security practices to those of other people in our industry would let us know whether we were more or less secure. To be practical, we might rate our defence against the average measures in place across our industry. This would not only provide a measure of our security status but also inform our practices. This method provides a coarse but more concrete evaluation of our security to inform strategy. A security team would be able to clearly communicate to management the areas where security practices are better than average and highlight the places where they fall below average. For some of the more fundamental but less glossy aspects of security (e.g. inventory management, auditing), this could help direct resources to important security functions that might otherwise not be prioritized.

It also provides benefits for security across the industry. A shared understanding of common security practices would likely lead to a basic body of common practice shared by all.

This could help us scale up security teams more rapidly if needed, as security personnel across the industry would share an understanding of fundamental practices, reducing the time required for site-specific training.

Applying this measure requires answers to three questions:

  • “What cybersecurity practices are everyone else doing?”
  • “What cybersecurity practices are we doing?”
  • “Are our practices better than what most people are doing?”

An answer to the first question is crucial. There is little available information on what organizations are actually doing or what they think about those practices. Attending conferences and discussing measures with industry peers helps to an extent, but it still confines our understanding of security to a limited context.

We have created a survey to help answer this question and to provide knowledge to the community, helping organizations better understand their posture and inform their decisions. With enough responses we will be able to provide a snapshot of common cybersecurity practices and a baseline for comparison. We will further enrich this information with analytical insight, comparing these practices against known successful attack methodologies to provide a check and balance where common practices conflict with them.

We very much hope that your investment of a few minutes to complete the anonymous survey will save you a great deal of time in the future through better informed decisions.

Cybersecuritysurvey.org

The Serene-Risc Smart Cybersecurity Network has developed, in collaboration with our security researcher Masarah Paquet-Clouston, a survey on the perceptions and practices of information security professionals. The survey is completely anonymous and the results will be made available to everyone in the community.