Greg Van Der Gaast's What We Call Security: An Introduction (1/7)

Welcome to this new blog series in which I will be offering a different look at storage and recovery: one from a strategic security point of view.

The goal is not just to better explain the relevance of storage and recovery to current and aspiring Information Security leaders, but also to introduce some concepts around “Security as Quality” and what I call “Inherent Resilience”, and to present a different approach to Risk Management to help practitioners move things forward.

The reason is that, in order to understand and appreciate the value of new approaches, it’s important to understand the bigger picture and how things fit together.

I hope these insights also help IT Operations teams and CIOs realize additional security potential from platforms and processes they may not have thought as relevant.

So, what is “Inherent Resilience”? Well, it’s a term I’ve coined to define our ability to not get knocked down in the first place. In other words: Not reaching the point of needing recovery in the first place.

I’ve phrased it this way because in the security field “Resilience” has come to mean something closer to recovery, while I think our long-term focus should be on not getting breached in the first place.

And if you’re confused that a blog about storage and recovery is talking about avoiding the need to perform recovery in the first place, then hold on to your hat because we are going to discuss how to use your recovery capabilities to improve your chances of never needing to use your recovery capabilities. Intrigued? Stay tuned.

But first, an introduction. My name is Greg van der Gaast. I have 25 years of experience in information security. My first job was offered to me when I was 17 and some federal agents from the FBI and US Defense Department decided to make a house call. I won’t bore you with the details as to why, but it involved the NSA, CIA, DIA, and some nuclear weapons. I have seen hundreds of breaches and caused a few myself - once having been labelled as one of the 5 most notorious hackers in the world.

One of my biggest observations after switching sides was why my job as the attacker was so easy, and why what most of the security industry was doing wasn’t making it much harder. As a result, I’ve always had what people consider a “maverick” approach to security because I believe in doing what works, long-term, sustainably, rather than the status quo.

Over the last 15 years I’ve since built security programmes for companies ranging from hot start-ups to Fortune 500s, lectured at universities on security strategy and leadership, advised cyber-insurance companies on due diligence (hint: quality of business processes is a far better indicator of risk than the presence of security controls), and currently assist security vendors in helping their customers get more value from their offerings.

A quick note: I am not a storage and recovery expert, but I want to take you on a journey to look at our security challenges, how I’ve tackled them, and, finally, what role storage and recovery has played for me as part of that bigger picture.

I also want to add that Hitachi Vantara, while sponsoring this series, has given me no further instructions on what to write other than to help the community at large. These are my thoughts and experiences, and I thank them for allowing me to share them with you.

But before we get started on how to develop successful security strategies and approaches and where storage and recovery fit in, we must look at the overall trends in our industry to see how things are going:

[Figure: overall trends in the security industry]

Not great, are they?

And this worrying trend is happening despite ever-increasing spending on security:

[Figure: security spending over time]

In most situations, certainly at this scale and over a period now spanning well more than a decade, investment in an overall approach is expected to have an impact in reversing or reducing whatever it is trying to combat.

Instead, many practitioners, vendors, and experts use these figures to point out how prevalent and sophisticated attackers are, and that we must therefore double down further on our investment in “cyber.”

I have instead come to see it as a rather damning indictment of just how poor our current approach is. Dozens of times I have seen companies with millions spent on security, with NIST and ISO frameworks in place, and still be absolutely trounced by a bored teenager with a laptop.

If we had an effective and sustainable approach to reducing issues, we should be seeing trends like those in mature industries where they too are fighting to reduce the number of incidents. They identify root causes no matter where they are and address them, upstream, pre-emptively.

Take the aviation sector for example, which addresses issues as far upstream as possible regardless of how distant they seem from most people’s concept of “aviation” (everything from engineering, metallurgy, corporate culture, drug use, the tone of alarm sounds, control ergonomics, human factors, etc.) to drive a reduction in possible failure points:

That is what the results of an effective approach look like.

If we found that the bolts holding the wings onto a plane’s fuselage were coming loose during flights, we wouldn’t set up a function where we employ thousands of people to retorque bolts after every flight, forever. We’d make a change to the design or manufacturing process once, then remediate what was in the field. And yet, most security work has more in common with the former than the latter.

So, what should we be doing in Information Security? It seems clear to me that a change in approach is needed. But what? And more importantly, based on what principles?

Let’s begin with some opening questions:

Have you ever considered…

· That security vulnerabilities are defects? Whether it be in code, architecture, design, maintenance, process, or even human behaviour?

· That, to rectify this, security might ultimately be more effective as a business quality function?

· Why we tend to focus on threats and protecting vulnerable applications, systems, and infrastructure, rather than on changing the business processes that lead to their vulnerability in the first place?

· If we could drive improvements to security without having to continuously (and unsustainably) increase the scale of security operations?

· How mature industries like automotive, manufacturing, or aviation stop issues from recurring or occurring at all? And how some of those approaches could be relevant to Information Security?

· Whether Risk Management could be simpler if we calculated backwards from business downtime, rather than from the innumerable arbitrary compounding variables that might lead to that downtime?

· How storage and recovery capabilities can allow us to shift more resources towards a strategic security approach, rather than mitigation and firefighting?

· How recovery should be implemented to ensure reliable recovery if things do go wrong?

Over the course of this six-part series, we’ll be exploring all these questions and what they mean for improving the security posture of our organisations. We look forward to having you join us for these insights. Don’t miss it!

Next article: What We Call Security: Security as Quality (2/7)
