What will we call Full Spectrum Enterprise Risk Management, when we decide what it is?
Geoff Moore, CTO of Red Solutions, looks at terminology in the security industry and asks what we will call Full Spectrum Enterprise Risk Management when we decide what it is.
Every so often, a word will be dragged out from under the stairs of obscurity and press-ganged into popular use by those intent on transforming something mundane into something exotic and interesting. The word that finds itself in that category today, and against which I am currently directing the majority of my ire, is “artisanal”. Maybe there have been one or two legitimate occasions in the past hundred years to use this word – during a heated conversation between competing clock makers perhaps, or at a demonstration of primitive carpentry skills – but how the word came to be applied to sausages, popcorn and bottled water simply confounds every attempt at comprehension.
I’ve had somewhat similar feelings towards the word “cyber” as well, although I have to admit that despite my natural (and clearly irrational) abhorrence for the term, I’m struggling to find an alternative one or even a justification for not adopting it.
The root of my dislike probably lies with the number of times I’ve had people say “oh, you’re into security? Do you do cyber?”
A plume of flame erupts from the top of my head whenever I’m asked – just like the little red guy out of the movie Inside Out – and I’m like “what are you asking me?”
Are you talking about network hardening or penetration testing, or is it virus protection you’re talking about, or encryption? What about identity management or do you need to hack somebody’s phone? Because I’ve had people selling “cyber security products” come and pitch every one of these to me, and a lot more besides.
I don’t know why it drives me so crazy, but it does, and when I do my angry dance and have my little rant it is very frequently the case that the person asking has no idea what they meant either!
To those who do know what it is they mean, and who are just looking for ways to secure their organisations against all of the menaces that exist in the modern world, my usual mantra is that “if I can still walk through your door and look over your shoulder while you type your password then all the cyber in the world is not going to help you.” In this part of the world (at least) it is still true that enterprise physical security is really lax, and so my mantra holds true, and I can always find a way to start picking off the fundamentals of creating a secure environment around which a proper physical and virtual perimeter can be built.
As a security solutions provider, my company has never really made the distinction between the physical, virtual, radio frequency, acoustic or social domains. They’re all just as real as each other and depending upon the risks and the assets they all need to be secured. It’s always irritated me a little when traditional security vendors (both the installers of equipment and the providers of consultancy services) blithely ignore domains outside of their own specific sphere of experience, as if these other risks simply don’t exist. They’ve managed to get away with it up until recently because in the past it didn’t matter so much. When your most credible threat was that thieves might break in through the window to steal your stuff you focused your efforts in that area, forgetting about the low likelihood/low frequency/low impact items on your security threat and risk matrix.
But that’s all changed.
Everyone is on a network of some sort today. Everyone is carrying a slimline, high performance computer in their pocket, with a multi-band, encrypted high-speed wireless transceiver attached to it, equipped with audio-visual data capture devices, global positioning and guidance tools, and bi-directional access to a wealth of instructional archives covering the world’s collective expertise in every useful technical field imaginable.
People may still want to climb in through your window, but now they’re coming fully loaded with a whole range of add-ons and level-ups that we didn’t need to worry about before.
They may still want to steal your stuff, but now the stuff you have that’s worth stealing might not need to be carried out through the window: it might be sitting somewhere in plain sight on your network, or it might already be leaking out through the wall for anyone with the wherewithal and the proper equipment to simply gather up and take away.
If I try to rationalise it, one of the things that bothers me about the word “cyber” is that it is too big. In the same way that we fail to appreciate the array of different disciplines traditionally found underneath the physical security blanket term – from video surveillance, identity management, access control, perimeter protection, entrance control, intrusion detection and screening, to all of the infrastructural elements, the manpower, training and procedural definition that go together to make up a fully rounded physical security management solution – we similarly cannot do justice to each of the specific products, services, skills and concepts that are currently bundled beneath the enormous and multi-coloured umbrella that is cyber.
But at the same time the word is way too small, and that poses even more of a risk to businesses than the blasé attitude many have already adopted in this part of the world to security. ICT managers, CSOs and CIOs are still ignorant of most of the risks in the radio frequency domain, and often snobbishly underplay physical security risks as if they can somehow be counterbalanced with a bit of particularly elegant server side scripting or a firewall firmware upgrade.
Admittedly it’s a young discipline and over time we will probably see more refinement in the ways people in and around the industry refer to the component parts, and you could argue that this is the case for every new area of business; but when it comes to the virtual universe we’re dealing with topics that many people still find unintuitive at best or (quite often) impenetrably mystical. With most people still blissfully unaware of the underlying principles involved in even simple processes – connecting to the printer or sending an email, for instance – what chances do they really have of appreciating the technicalities of securing their most vulnerable information assets?
There’s a whole lot of specialised knowledge that goes into designing an effective and comprehensive physical security solution, and it should not be ignored or underestimated, but let’s face it, most of the risks we’re tackling in the physical world are tangible and relatively easy to understand. We might argue about how best to mitigate different physical risks, but the principles of situational crime prevention are easy to apply, and we can establish a relatively thorough perimeter protection solution without a whole lot of technology and be reasonably sure that it will be effective for the majority of the time.
The same simply cannot be said for threats in what’s become known as the “cyber” space, but to the uninitiated, the ignorant and the afraid, it’s just another hole to be plugged and any thumb will do.
Opportunistic vendors with metaphorically ill-fitting or undersized thumbs don’t care to point out their own deficiencies whilst the market doesn’t know enough to ask all of the right questions, and as a result we’re seeing disproportionate spending, often in the wrong direction, whilst higher quality providers are sidelined, unable to compete with the cut-price snake oil salespeople in their shiny suits. For every established and legitimate overseas cyber security provider having a hard time getting any sort of business in the UAE, ten brand new start-ups with no track record and a handful of recently qualified graduates are winning contracts to provide some sort of cyber-related service.
So is it all about the price in the cyber market?
Well, it is still all about the price in the physical security market in sectors where the clients do not understand the risks or the technology, or where there have been few major incidents in the past to prove the necessity of spending money on proper countermeasures, so there is no reason why it should be any different in cyber.
Physical, information, cyber, it’s all part of the same thing, and there are just as many (if not more) amateur cyber operators taking advantage of end users who are compelled either by the law or by their policy manuals to implement cyber security in their organisations as there are in the PhySec space.
At the moment, it is virtually impossible (with very few exceptions – Red Solutions being one) to find either a security consultant or a security systems integrator willing or able to address the full spectrum security risk management needs of an enterprise in a single sitting. At best you can engage maybe three different providers, each of whom will have their own viewpoint on their own segment of the threat landscape, and are often quite ignorant of what’s required to secure any domains other than their own.
That’s not what end users need. They don’t have the skills or the time to put the pieces together for themselves; that is what systems integrators are supposed to do. But true systems integrators remain a rare breed in this part of the world, and whilst security is still often viewed as a grudge purchase that is likely to remain the case. So how can an end user find a full spectrum risk management provider if we’re all just called the same thing – the good and the bad?
Perhaps if those of us who do provide the full turnkey service were to call ourselves something different so as to differentiate ourselves from everyone else it would be easier for the market to understand what we do. Maybe we should call ourselves Artisanal Systems Integrators instead. That might do the trick…