Dr StrangeLove (How I Learned to Stop Worrying and Love Managed Services),

By -




Convergence of data, economies, supply chains & critical infrastructure and it all needs to be secure...welcome to the Internet.
As a practitioner in the software development and security industries for over 15 years, I've got to say it has never felt like a job. For people to like their jobs it's a blessing, particularly as my skillset is in demand. 

 Demand is based on need and  given the proliferation of internet technologies for literally anything (finance, military, energy, mobile, IoT) is does not see to be getting any less busy.

As with anything if there is a demand for something there comes a tipping point. Be it energy, clean water, food security or even Internet security. 

 As a result there are some knock-on effects and many are the result of a capacity to deliver.

 Given so many different industry verticals are all converging into a single approach to delivery (the Internet) the responsibility of securing such a global machine is only getting more demanding.

Early Warning Signs 
  • A shortfall of experienced cyber security experts is expected to reach 1,000,000 by 2019
  • PWC recently did a survey in which  only 26% of companies said they have adequate staff.
  • Consultant driven security assessments (penetration tests) do not map to contemporary software or system development methodologies.
  • Consultant driven testing is not scalable for any agile organisation is prohibitively expensive if full coverage is required on a regular basis.
  • Risk & Vulnerability intelligence is not consolidated by default.

As with climate change, the approach to solving the Internet Security challenges of the future won't be addressed until people are told "There are no more [resources]".

 Concerns and how to improve security posture:

In 2015 a Questionnaire via the WEF World Economic Forum - hyperconnected world
posed the following questions:

"What actions that your institution could take would have the most impact in reducing the risk associated with cyberattacks?"

  • 38% said "Develop deep integration of security into the technology environment to drive scalability" is a "game changer".
  • 57% said "Prioritize information assets and related risks in a way that helps engage business leaders" would have significant impact.
  • 55% said  "Deploy active defences to be proactive in uncovering attacks early" would have significant impact. 

From the responses above amongst others the idea that consultant driven vulnerability management, penetration testing / security assessment and point-in-time approaches to securing a business don't work, are not scaleable.

 The above can be considered a business case for engaging with managed services in order to provide the scale, frequency, visibility and accuracy required in the every changing landscape that is the Internet.

 The adoption of managed services shall continue to increase as organisations understand:

  • the need for an "adequate level" of security to mirror development / devops
  • it is a necessary operating cost of any business.
  • approaching security in an ad-hoc manner shall not solve anything.
  • metrics are required in order to engage the business of the value of security.
  • security needs to be Integrated at many levels in a business and its associated systems.




Comments

Post a Comment

Popular posts from this blog

Edgescan, why we do what we do.....

By -
Image
  The cyber security industry is full of solutions to make you more secure. Some are unproven and other approaches work if deployed properly. Our industry is very fragmented. for example a recent "Cyber Defense" award I noticed has 195 categories!  I suppose we need to ask ourselves as companies from time to time why we do what we do?  So, the following post is, I guess, the reason we developed Edgescan and why we believe its a decent solution to help organizations improve and be more resilient in relation to cyber security and system protection.... Vulnerability scanning alone did not work. The idea of software testing software for vulnerabilities is a good one but both sides of the equation may have bugs. Bugs in one side (The target) may result in vulnerabilities, whilst bugs on the other side (Scanner) may result in false negatives and false positives.  Accuracy : To that end we built edgescan as a combination of automation to discover vulnerabilities at scale but  when c
Read more

20 years of Vulnerability Managment - Why we've failed and continue to do so.

By -
Image
Cyber Security: Keeping Pace with Change. Getting breached can really ruin your day. Actually it normally happens on a friday evening as you are about chill for the weekend. The cause of must breaches is not rocket science, its more to do with the poor approach we have accepted because we underestimate the threat actor.  - An attacker does not scan your website/network once a quarter with a commercial or open source scanner or perform an annual penetration test against your systems to see if there is any low hanging fruit, so how do we expect to defend against such an advisory using that approach? Systems change now more frequently than ever due to the ease of cloud deployments and the speed of software deployments due to iterative development techniques. The rate of change increase results in exposures quickly manifesting and the organisation not even being aware of the exposure in the first place. Many organisations dont know what they have exposed on the public Internet. We need t
Read more
By -
Image
The HSE Data Breach and the State of Irish Cyber Security Many years ago, shortly after I founded the Irish chapter of OWASP ( http://www.owasp.org ) (in 2007??) we were delivering free application and software development classes to anyone who wanted them. It was a local low key affair but every class we delivered was "sold out". We have 60-80 folks mostly developers willing to spend 4-5 hours on learning the fundamentals of secure application development and testing. I suppose we felt cyber security was an important issue because that's what we did. At the time many folks in business felt cyber security was an overhead or a "tax" and did not give it much time. A few years later (late 2010) when the the foundation of the NCSC (National Cyber Security Centre) was announced, a few of us (local OWASP Ireland leaders) wrote a number of emails to the Irish government offering free cyber security training. As we were working for a non profit (501.3c) charity (OWA
Read more