Acuity Risk Management

Hiding In Plain Sight - Secure by Design

‘Secure by Design’ is a term that crops up ever more frequently in the security industry – but what does it mean, how can we benefit from it, and when should we act?

The world around us faces ever growing threats from bad actors and from our inability to predict the unpredictable. This has been highlighted by two recent worldwide catastrophes: the Covid-19 pandemic and the war in Ukraine. These events have had substantial knock-on effects to the supply chains of organisations and consumers.

The first attacks on Ukraine were cyber-attacks on national infrastructure looking to cripple supply chain and communication. The aim of these attacks was to create panic, disorder, and to disrupt the country’s ability to respond. This emphasises the need for improved cyber security across all Critical National Infrastructure, but the repercussions are wide and far reaching.

Of course, before the war in Ukraine we faced the Covid-19 pandemic, a vastly different crisis but some similarities in terms of impact. Severe supply chain issues and disruptions to our normal working lives persist. The pandemic should have catapulted us into doing more to prepare ourselves against risk, particularly to our supply chains, but many organisations have been slow to respond.

The former Bank of England governor Mervyn King once wrote that the greatest risk of financial crisis is not caused by predictable risk but by ‘Radical Uncertainty’ – effectively, change or uncertainty that is so great it is incomprehensible. It is therefore these ‘Radical Uncertainties’ that we need to better predict and be prepared to tackle. So, how do we do this and is it even possible to better predict the unpredictable risks?

Perhaps, but we certainly need to both find a better mechanism to handle what we can predict, and to increase our defences against unpredictable risk.


Current Risk Management

Companies tend to take one of three approaches to managing their risk: a maturity; risk-based; or proactive approach.

Many organisations initiate projects based on a maturity approach. This is an unwieldy approach which accumulates data and processes to build a level of security. This may provide initial assurance but gives little in the way of confidence to maintain a secure environment. Very quickly information becomes dated and gives little structure to develop the program over time in a cost effective manner. Over time, a maturity approach can lead to increased risk from human error, as well as missing key vulnerabilities caused by failure to update controls due to being overwhelmed by information.

Some companies employing a maturity approach view security risk as an afterthought and not a key foundation or building block. They may then implement controls as a ‘tick box’ exercise to become compliant – and perhaps certified – to a standard. They are reactive organisations hoping that they will not be the next to be attacked, only acting at that stage. By contrast, as an industry we need to assume that we will be targeted and attacked.  It is not a question of if but when.

Organisations handling a more sophisticated level of risk have developed a risk-based approach as the norm, where the priority is to reduce risk over time against appetite or tolerance. This typically follows a prescribed framework where controls are implemented to target key risks or vulnerabilities to the project or organisation. This therefore allows companies to justify spending and show clear return on investment for implemented controls. This relies on a holistic view where all risk attributes are centralised as an integrated mechanism, including risk, vulnerabilities, incidents, findings, remediations, controls, etc.

The McKinsey group has pushed for several years the importance of moving to a risk-based approach or, better still, a proactive approach. A proactive approach is an enhancement to the risk-based approach, which builds on these integrated themes by forming linkages to wider technologies to provide a real-time view of risk and reduce risk by increasing automation. This may include tooling to identify threat actors, monitor attack surfaces and highlight poor technology configurations, for both your own technologies and those of your vendors.

These are important principles but only make up part of the picture.


Secure by Design

So, what is ‘Secure by Design’ and where do we start?

‘Secure by Design’ is a concept of building a project from the ground up with risks as the roots. It shifts security to the left of the project and utilises a proactive approach to risk management.

In other words, companies have to make security a pivotal part of the design phase rather than simply bolting it on. However, where do companies start and who is driving this initiative? The UK’s NCSC has made a start by setting out five principles that organisations should follow to achieve security by design. These are:

1. Establish the context

2. Make compromise difficult

3. Make disruption difficult

4. Make compromise detection easier

5. Reduce the impact of compromise.

As such, we need to understand the risks before implementing design. The starting point is typically a workshop to identify the risks and threat surfaces to a project. Companies should make use of known frameworks, such as ISO, NIST, EBIOS, threat catalogues, threat intelligence and consult subject matter experts during the identification phase to ensure all weaknesses are identified.

Once identified, projects should review mitigation options against these risks to ensure weaknesses can be addressed. This exercise again may take the form of a workshop looking at balancing the project’s efficiency to operate against increased security and cost. For example, in a manufacturing program, ‘Internet of Things’ enabled devices could be targeted by several threats, leading to risks. In such scenarios, different components may require varying levels of access and security controls. Additionally, within a project the criticality or responsibility of an asset may affect the need for mitigating controls. For example, an asset holding Personally Identifiable Information – or a device in the technology stack underpinning that data – should be treated in the highest regard given the severe financial and reputational damage that would be associated with a data breach.

Companies cannot stop at risk prevention though. As laid out in the principles from the NCSC, there is a need to increase penetration protection – everyone in the industry knows you can never be 100% void of risk. ‘Secure by Design’ moves beyond mitigating risk to being proactive. As discussed, this should utilise wider tool sets such as DDOS tooling to reduce DDOS attacks, and enhanced Access Management tooling to minimise the severity of a breach reducing an attacker’s ability to break out of the initial weakness into more critical systems.

The final element is to ensure continuous improvement as part of the process. This is not a one-time assessment and review but a proactive ongoing development, fed and managed by agile toolsets, with a dedicated autonomous response blended with SMEs needed to drive it forward. This may include the identification of new threats which alter our assessments of risks and push us to make further improvements.

Figure 1: Secure by Design – A Proactive Integrated Approach

Figure 1 provides a diagrammatic perspective of the importance of synergy between risk, prevention and protection to ensure a project is ‘Secure by Design’ and constantly evolving in a proactive approach.

In terms of an effective overall risk management function, it is essential to centralise and correlate the risk related data, so that it can be better understood and provide actionable intelligence for risk managers and senior stakeholders. Such data would include the risks themselves, related threat actors/sources/scenarios, a clear understanding of the assets at risk, the status and risk reduction effectiveness of linked mitigating controls. This should be combined with wider related data including: vulnerabilities, incidents and responses, audits, policies, procedures, related evidence and action plans.

Maintaining, measuring and improving the overall ‘risk position’ requires a holistic approach which centralises this correlated data set, aggregates it to provide clear visibility for the different audiences, and helps to prioritise actions.

 

The Magic Bullet

Is ‘Secure by Design’ the so-called Magic Bullet? Alone, this is unlikely. However, it provides a critical starting point. The real solution is in better education, enabling change and a cultural shift, however ‘Secure by Design’ as a principle helps by providing the tools and opportunities for training and change.

Too often one hears about training exercises failing to bring about change. For example, where phishing attempts sent to security teams are successful. The use of tooling is therefore critical to help facilitate this change, to bring greater risk awareness to organisations and to provide security by design so human errors have reduced consequences.

Presently, there is little guidance around ‘Secure by Design’ and we must see institutional change from the NCSC and wider industry leaders, such as the accredited certification bodies, to help companies better protect themselves. They must do more to instigate this change and move focus away from control frameworks and ‘tick box’ exercises.

Conclusion

 Most organisations have undergone some form of digital transformation during the last five years. The critical next step should be to review and revitalise these projects by taking a ‘Secure by Design’ approach.

Organisations must quickly adapt and modernise to stay secure. Bad actors are getting smarter and more brazen with their approaches; as such we need to push defence to the foreground and not neglect it as an afterthought.

We must enhance our ability to deal with ‘Radical Uncertainty” by creating a more integrated and autonomous approach to security built from the ground up, while improving knowledge and training across organisations.

Let’s act now and act together! I look forward to an open discussion.

Resources you might find useful

01 Nov, 2022

Short Read: CISOs and the board

Posted inBlog

Short Read: CISOs and the board

Short read: CISOs and the board New study indicates that misalignment between the board and the CISO in terms of cyber security persists and there is  Read More >