Do you still believe a properly planned firewall is a cornerstone of your cybersecurity?
What else do you believe to be important?
- Web filtering and monitoring
- Well managed access rights
- Identity management
- Privileged access management
- Network security
- Security event correlation and analysis
- Security operation centre
- A team of security analysts
- Up-to-date systems
- Backup strategy
- Disaster recovery plan
Here’s a clue: none of that matters if you haven’t laid a proper foundation.
You have to take a step back. Go back to what it is you are protecting. The idea is that you are not protecting servers; you are not protecting switches or even networks. The sole reason for the existence of cybersecurity is to protect data. Even if you say that you are protecting identities so that hackers will not come into your network, in the end, what the hackers are targeting is your data.
All those fantastic technologies serve only one purpose, to protect your data.
Data at the core
From that standpoint, data has to be the starting point of any cybersecurity strategy. Consider it for a second: what is being stolen in any cyberattack or breach? Data. As everyone now says, data is the new gold.
How do you protect data now that it is everywhere, when users are working outside of your network and you no longer have control over the perimeter? Those are the right questions. That is why data must become core to your cybersecurity strategy.
Lay the foundation
So let’s build from there. First, you need to know what your assets are. As I mentioned to my customer, there is no need to protect an intern’s playlist with Fort Knox-level security. It wastes time and capital, and it carries the worst hidden cost: it will complicate any recovery effort.
An effort in data and system classification must be your first step. You must be able to tag what to protect and how critical that data is. I recommend that you keep it simple, 3-4 levels deep, no more. It has to be easily manageable for your entire user community. After all, they will be the ones using it.
This first step will provide you with classified data and allow you to know which data you need to protect and, at the same time, define which data you need to restore first.
The next step is to map the dependencies of the systems required to execute and access this data. There is no point in having recovered all this data if no one in the company can access it. That would not be operationally sound. You always have to keep in mind the reason behind this entire strategy.
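An added example (not from the original post) of how the two steps above combine into a restore order: each system inherits the highest classification of any data that depends on it, and systems are restored dependencies-first, most critical first. The four level names, the asset inventory and the dependency map are constructed for illustration.

```python
from graphlib import TopologicalSorter

# Assumed level names; the post only recommends 3-4 levels.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "critical": 3}

# Constructed inventory: data set -> (classification, system that serves it)
DATA_ASSETS = {
    "payroll-db": ("critical", "hr-app"),
    "customer-orders": ("confidential", "erp"),
    "intranet-wiki": ("internal", "wiki"),
    "intern-playlist": ("public", "media-share"),
}

# Constructed dependency map: system -> systems that must be running first
DEPENDS_ON = {
    "hr-app": {"sso", "sql-cluster"},
    "erp": {"sso", "sql-cluster"},
    "wiki": {"sso"},
    "media-share": set(),
    "sso": {"directory"},
    "sql-cluster": {"directory"},
    "directory": set(),
}

def system_criticality(assets, depends_on):
    """Give each system the highest level of any data that needs it,
    directly or through a chain of dependencies."""
    level = {}
    for label, system in assets.values():
        stack, seen = [system], set()
        while stack:
            current = stack.pop()
            if current in seen:
                continue
            seen.add(current)
            level[current] = max(level.get(current, 0), LEVELS[label])
            stack.extend(depends_on.get(current, ()))
    return level

def restore_order(assets, depends_on):
    """Dependencies first; among systems that are ready, most critical first."""
    level = system_criticality(assets, depends_on)
    sorter = TopologicalSorter(depends_on)
    sorter.prepare()  # raises graphlib.CycleError on circular dependencies
    ready, order = [], []
    while sorter.is_active():
        ready.extend(sorter.get_ready())
        ready.sort(key=lambda s: (-level.get(s, 0), s))
        nxt = ready.pop(0)
        order.append(nxt)
        sorter.done(nxt)
    return order
```

With the sample data, the directory service is restored first even though it holds no classified data itself, because the critical payroll data cannot be reached without it.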
Concepts from the dark ages are the best
Do you know the concept of defence stratification and enclaves? I know it dates back a bit, but it is still a very current concept. Let us review it if you don’t mind.
If you are examining Middle Ages war fortifications, you will find multiple layers of defences. All these protections are to discourage the enemy from starting an attack in the first place. Limiting attacks is why you can have so many castles surrounded by water, with retractable bridges and gates. Those are only the first layers, and there are many more. The enemies could burn down the entire village, and its people would survive.
If we bring these models back today, you want all your important data (the villagers and the nobility) to be saved. You don’t want any of them to fall to the enemy. Hence, you must layer your defences to ensure that you won’t be breached.
In the end, your opponent must see that the effort required to breach you is too high. The profit must be outweighed by the effort required.
Especially when coupled with new ideas
The latest concepts in cybersecurity bring this foundation to a whole new level. Once your foundation is solid, you can set policies that encrypt data based on its type. Once you deploy those rules in your environment, the data becomes useless to whoever takes it, even if it gets out.
Data that is valid only inside your environment is a powerful ally, but not the only one. Many more are available once your foundation is solid.
But I have already invested so much…
I can hear you. You have bought all those great technologies, created all those teams to keep you secure. Cybersecurity is not a fixed game; it is more akin to an infinite game. You must work at it every day, and hackers do not take days off.
Consider this new approach as another layer that you can add to make your fort even safer. This layer will allow you to better focus your investments and efforts. This information is only a focus lens; it does not mean that you have to burn down everything and start over.
Create a plan and improve on it
Unlike building architecture, technology is subject to an iterative approach. The ideal plan must live within your organization, and your teams must evolve it. It must follow a results-oriented approach rather than a fixed approach.
Want to become data-oriented? What is required?
- Create a data and system classification initiative
- Capture the various elements of your current cybersecurity architecture
- Create a plan that will convert your policies to adapt to data classification
- Master the recurring costs of each solution
- Evaluate each solution for the enclave model. Does it make your data harder to extract?
- Implement the new cybersecurity models where data can protect itself
- Ensure that your user community is aware and trained on the latest models. They will be the ones ensuring its effectiveness.
These steps will help you create a data-centred approach to cybersecurity.
Technology, while being a fantastic tool, cannot dictate what needs to be secured. It only tells us how we secure it. The first step remains: what are you securing? And no, I do not believe that every piece of data has the same value.
Be mindful of the quality and criticality of your data when creating your strategy. All may depend on it.
Have a great week.