Over the past two decades, one thing that has continually struck me is the number of people and organisations who see cyber (or even information) security as being a reactive issue. For a number of reasons (many discussed more widely on the SRM Blog (http://smartcompliance.blogspot.co.uk)), cyber operations are often seen as an area where someone else holds the initiative.
Recently, this has been clear in a number of situations where my team and I have been privileged to assist clients responding to cyber and payment card security breaches, many of which really could have been avoided or reduced given a slightly more proactive posture by the victims.
I wonder whether this has inadvertently been exacerbated by much of the recent debate over various measures taken to implement strategic initiatives such as the UK National Cyber Security Strategy (2011). There is much debate about the offensive aspects of Cyber Operations, focusing largely on the work of our intelligence agencies. The whole concept of an active defence appears to have been masked, and with it our own individual and collective responsibilities for action.
Every person and organisation can and should take a proactive role in securing their infrastructure. Whether through technology, process or through common sense, we can all take an active role. By stepping forward and shaping our own environment, we are also shaping the environment in which an attacker is forced to operate. If we think proactively about this we can dramatically increase our resilience and make ourselves less palatable targets for potential attackers.
The ways we can do this are widespread and range from simple security staples, such as having a sensible approach to passwords, keeping security software up to date and applying patches promptly, to more involved approaches such as designing our system architectures so as to make them difficult to exploit covertly. Whatever we do – it must be consistent with our context and the information we are protecting. The implication here is that we must take the time to actually understand what we are protecting – probably the first step whether we are a private individual or a multinational company.
But what does this have to do with dancing? For me, it is a question of posture. Like many people, I have been seduced by the television dance programme Strictly Come Dancing over recent months and have been struck by the importance of what the judges call attack. Attack in the context of dance is about posture and approach as much as anything else. For me, this was particularly clear when couples dancing the Tango were able to exhibit a combination of control and attack to take command of the dance floor. For me – it seemed that the couples who did it well managed to seize the initiative and control the dance in a similar way to companies who grasp the nettle and take control of their information risk picture.
My wife and I went to Brazil on our honeymoon and one night we went to a small and smoky night club in Rio de Janeiro. It wasn’t a tourist spot (we had been sent there by a local) and there was a particular couple who I will remember for many years. A little wizened old man – who must have been in his 70s – and a rather glamorous lady (who may have been his granddaughter!). They were dancing what looked to me like a Tango and exuded an aura of control and effortless elegance that made me very happy to stay seated at our table!
Most Information Security consultants know how vital an organisation’s culture and posture are in determining the effectiveness of its security profile. There are organisations who step forward and engage – who attack – and those who don’t. This doesn’t necessarily mean they indulge in offensive cyber operations – but it means they step forward and take control of their environment. Successful organisations seize the initiative and by doing so they dictate the rhythm to which everyone operating within their environment has to dance.
For me – I get the same feeling watching a company getting it right as I feel when watching a couple dancing a really good tango.