Pragmatic Cybersecurity unpublished

Opinions expressed on this blog reflect the writer’s views and not the position of the Capgemini Group

The mythical magical security technology solution

Security has always been an area prone to the purchase of snake oil. Security is viewed as a black art by those outside our community, a view that is often exacerbated by commercially motivated spreading of fear, uncertainty and doubt. Even inside the security community, few people really understand how the bad guys work. This lack of knowledge often leads to the purchase and implementation of a glut of inappropriate technology solutions that do little other than enable the purchaser to tick some relevant compliance checkboxes. Think of the number of organisations that deploy stateful inspection firewalls and Intrusion Prevention Systems and then proceed to allow encrypted SSL communications straight through to their backend systems. For the non-techies out there, this is a problem because it means that your inspection tools cannot see inside the encrypted network packets to judge whether or not they are malicious. Your controls are therefore blind, and potentially nasty traffic is allowed inside what you thought was a secure perimeter. However, this is unlikely to be seen as a major business issue by the board, because the relevant compliance checkboxes have probably been ticked. This is a good example of why compliance and security are, and must be recognised as, separate disciplines.

Security must be dealt with as a business issue and not relegated to a mere technology issue. Understanding the genuine risks to your business requires an informed discussion, ideally between those who understand the risks the business can tolerate and those who understand, and can articulate, the risks it is likely to face. Once the risks have been identified, feed them into your security architecture so that the security services you buy or implement address the risks the business is not prepared to accept. Technology can help to deliver these security services, but it is important to note which of those services your technology choices can deliver and which they cannot. A firewall is not the be-all and end-all. Indeed, sometimes technologies can introduce new risks that were not present beforehand: consider the conflict between encryption and monitoring discussed above. To make matters worse, firewalls and Intrusion Prevention Systems are not foolproof in any case (see http://www.infosecurity-magazine.com/view/31984/ips-needs-to-become-more-aware-of-advanced-evasion-techniques/ for example).
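As an added illustration of the encryption-versus-monitoring conflict described above (example code, not part of the original post): a small model walks a flow along its network hops, tracks whether the payload is plaintext at each hop, and reports which inspecting controls only ever see ciphertext. The hop names and the two topologies are constructed; the point is where TLS terminates relative to the inspection point.

```python
"""Check whether inline inspection controls ever see a flow in plaintext.

Model (an assumption for this example): a flow traverses an ordered list of
hops. A hop may inspect payloads (IPS, content filter), terminate the inbound
TLS session (decrypt on arrival) and/or open a new TLS session toward the next hop.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    name: str
    inspects: bool = False        # payload-inspecting control (IPS, WAF, content filter)
    terminates_tls: bool = False  # decrypts the inbound session before processing it
    re_encrypts: bool = False     # starts a new TLS session toward the next hop


def plaintext_visibility(hops, client_uses_tls):
    """Return (hop name, payload is plaintext here) for each hop on the path."""
    encrypted = client_uses_tls
    result = []
    for hop in hops:
        if hop.terminates_tls:
            encrypted = False      # decrypted on arrival, so this hop sees plaintext
        result.append((hop.name, not encrypted))
        if hop.re_encrypts:
            encrypted = True       # everything downstream sees ciphertext again
    return result


def blind_inspectors(hops, client_uses_tls):
    """Names of inspecting hops that only ever see ciphertext for this flow."""
    visible = dict(plaintext_visibility(hops, client_uses_tls))
    return [h.name for h in hops if h.inspects and not visible[h.name]]


# Constructed topology 1: the IPS sits in front of the load balancer that terminates TLS.
PATH_IPS_BEFORE_LB = [
    Hop("edge-firewall", inspects=True),
    Hop("ips", inspects=True),
    Hop("load-balancer", terminates_tls=True, re_encrypts=True),
    Hop("backend-waf", inspects=True, terminates_tls=True),
]

# Constructed topology 2: TLS is terminated at the edge, so the IPS sees plaintext.
PATH_TERMINATE_AT_EDGE = [
    Hop("edge-proxy", inspects=True, terminates_tls=True),
    Hop("ips", inspects=True),
    Hop("load-balancer", re_encrypts=True),
    Hop("backend-waf", inspects=True, terminates_tls=True),
]

if __name__ == "__main__":
    for label, path in (("ips-before-lb", PATH_IPS_BEFORE_LB), ("terminate-at-edge", PATH_TERMINATE_AT_EDGE)):
        print(label, "blind controls:", blind_inspectors(path, client_uses_tls=True))
```

In the first topology the firewall and IPS never see plaintext for a TLS client, which is exactly the checkbox-ticking blind spot the paragraph describes; moving TLS termination in front of them closes it.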

Now, security technologies can help to deliver important security requirements, and they are critical to delivering certain security controls, but there is no magic technology that will fix all of your security issues. If your security advisor is proposing a technology-led approach rather than a business-led approach, consider carefully whether you are chasing compliance or chasing security. Then make an informed decision as to your best way forward.

About the author

Ian Cole
Ian has been employed with Capgemini since 2006 and during this period has been assigned to a number of public and private sector projects across various market sectors. Ian's security interests are in information assurance and protective security; he also has a penchant for translating security speak into simple English aimed at CxO level. Ian is a Security Cleared consultant with over 15 years' experience in information security. He has an MSc in IT Security and is a member of CESG's Listed Advisor Scheme (CLAS), an Associate Member of the Institute of Information Security Professionals (IISP), a Certified Information Systems Security Professional (CISSP), a Certified Information Systems Auditor (CISA) and an ISO27001 Lead Auditor.
