The New Cyber-Security Disease: Technology Over-Reliance

January 2016

Cyber security is a contested field. Control frameworks, standards and good-practice guidance all point to similar matters, each from its own perspective, and describe sets of security controls, requirements, architectures or specifications. Regardless of the variety and wealth of material, they all rest on only a few key pillars:
  • know your information systems (asset management), 
  • manage access to them (access control),
  • prevent unauthorized disclosure (encryption, boundary defense, malware defense, secure design, etc.),
  • be prepared and informed if something goes wrong (testing, monitoring, threat intelligence, incident response, etc.).
Technology vendors promise a great deal about delivering these capabilities, with tons of fancy products out there. They are usually impressive and entertaining to inspect at industry events, vendor demonstrations or proof-of-concept work. Nevertheless, integrating and running them within the existing IT landscape is often overlooked from the beginning.

It all starts with the unfortunate fate of today's cyber security professional: there is no greenfield IT environment. In a typical IT estate there are many legacy systems, fragmented processes and controls built up over a long period of time. Deploying a new security technology is rarely a plug-and-play activity, and its benefits can easily be undermined when integration and operation are not well designed within the existing IT ecosystem. This typically ends up with technology stacks that are either ineffective at delivering the intended capabilities or inefficient to operate.

Suboptimal deployments are mostly due to:
  • Bottom-up design; the solution is purely driven by technology and may deviate from addressing a real business concern effectively and efficiently.
  • Siloed technology products with isolated or broken operational processes and functions.
  • Overlooked business and IT constraints in the build and run phases. These can be organisational or technical, such as weak capabilities for integration and operation (although many vendors offer help, security technologies require customisation and integration work that demands a very good understanding of the existing IT landscape).
  • Incorrect priorities for capability deployment (e.g. investing in a threat intelligence technology before doing basic security hygiene).
Finally, some guidance to address these issues, in the same order as above:
  • Although it is always good to know what is out there in the technology market, validate prospective services by driving the IT / security capability design "top-down", i.e., business concerns > business requirements > technology requirements > technology solution.
  • Build and maintain a technology-agnostic, end-to-end security architecture incorporating the key pillars described at the beginning of this article. Form architectural building blocks and their relations within a holistic methodology (such as TOGAF or SABSA).
  • Make sure capability design involves and coordinates the whole life cycle (delivery and operation). Identify and engage operational stakeholders in the early phases (from conceptual design onwards). Identify and evaluate the impact of changes on the existing architecture (the TOGAF Implementation Factor Assessment and Deduction Matrix can be used as a technique here).
  • Obviously, prioritise the desired cyber security capabilities (not technologies) based on need and risk analysis. Have a road map toward the target security architecture and plan investments accordingly. See the SANS 20 Critical Security Controls for basic hygiene.
All of this is about building technology-agnostic security architectures that manage cyber security capabilities with a clear road map of technology investment. Security technologies need considerable integration effort, as they typically provide common services for the whole IT estate. Their effectiveness relies on successful configuration and operation, along with complementary organisational processes and functions.