I had the pleasure of attending a presentation given by Dr. Ron Ross, a fellow at the National Institute of Standards and Technology (NIST). Ron’s areas of specialization include information security, risk management, and systems security engineering.
In his presentation, Dr. Ross delivered a bit of a counterintuitive message on cybersecurity by stating, "We have to stop obsessing about threats and start focusing on asset protection." To drive home this point, Dr. Ross added, "If 90% of our bridges were failing, we’d mobilize teams of engineers right away. Yet when 90% of our IT systems are insecure, we focus a good part of our attention on external threats."
Cyber threats are present today and will always be present in the future. Yes, we certainly should assume that sophisticated bad guys will penetrate our defenses so it is important for organizations to have the right skills and processes for incident detection and response. That said, we have to stop this nonsensical rhetoric declaring that prevention doesn’t work. Dr. Ross’s main point is that it does work if done correctly. Thus, the cybersecurity community should dedicate more of our attention toward the integrity, resiliency, and security of valuable IT assets.
When focusing on IT asset integrity and security, cybersecurity professionals should really start with IT service vendors themselves. After all, we depend upon their products and services for mission-critical operations, so we should push our trusted partners on comprehensive security across product design, customization, delivery, support, etc.
To ensure that IT vendors are doing all they can to protect our security, we need to be extremely diligent before purchasing their products and services by auditing their security, building security requirements into contracts, and defining security thresholds that IT vendors must achieve before they can gain our trust and our business.
Unfortunately, a lot of organizations continue to give IT vendors far too much security leeway. In a recent survey of cybersecurity professionals working at critical infrastructure sector organizations (as defined by DHS), ESG found that (note: I am an ESG employee):
- Just about half of critical infrastructure organizations say that they always audit the security of their strategic IT infrastructure vendors and cloud service providers. They tend to be less diligent with software vendors, service providers, and distributors.
- Half of critical infrastructure organizations have a formal security audit process for IT vendors that must be followed in all The other half depend upon informal processes and recommendations.
- Once IT vendor security audits are completed, only half (51%) use formal metrics or some type of scoring system that vendors must achieve to meet a minimum security standard. Others seem to use the "finger in the wind" method.
The ESG research report points to an alarming reality – many critical infrastructure organizations are relying on blind faith when it comes to the security of their IT products and services. We can only assume, then, that they are deploying insecure, misconfigured, or even malicious IT assets on their networks, so we shouldn’t be surprised if these products fail, are compromised, or require lots of excess attention and cost for maintaining security.
Dr. Ross’s main point was that security shouldn’t be an afterthought, but rather an integral part of business processes and product design. Surely we should hold our IT vendors to this type of standard. If IT purchasing managers demand strong security in ALL products and service, then vendors will have no choice but to respond. Until this happens, IT and security executives have no one to blame but themselves.