As we continue to analyze the fallout of the latest sequence of security breaches (SolarWinds, JBS, Colonial Pipeline), the conversation invariably swings toward attribution and of course, who should know and when should they know. Spurred by these events, another legislation of breach notification is circulating…again. This time the discussion revolves around critical infrastructure rather than personal data. We have seen this play out before. While the details may be a bit different, the challenge being laid at the feet of those in the critical infrastructure segment is considerable – a 24 hour after discovery requirement of notification. Although still in draft mode, the legislation is a reminder of a battle that we continue to fight against increasingly tenacious and skilled adversaries on a battlefield that continues to expand.
Several years ago, I wrote a blog referencing Castor and Pollux as the ‘patron’ gods of this ongoing battle. Castor and Pollux are the two twins of the “Gemini” in Greek Mythology. They are reminders that a two headed approach involving proactive measures (such as
Vulnerability Risk Management) and reactive preparations (such as an agile Security Operations strategy) is necessary when it comes to security strategies. Ultimately, though, the objective is not to meet the notification requirements. While this may be a considerable incentive (given the proposed sanctions for violations), the recent breaches are a reminder of the end game – operational resilience.
Vulnerabilities pop on the radar from all sources – some lying dormant for decades to be uncovered; some introduced with the latest code – and a security organization that is thinking in terms of a balanced approach is best positioned to address shifting priorities. Potential threat and attack vectors must be identified and responded to as fast as possible. A Vulnerability Risk Management program is a critical mechanism for this. Actual active attacks must also be identified and responded to as fast as possible. A Security Operations Management strategy is the main device necessary for this. This is a blend of proactive measures and reactive preparations.
The two-pronged approach seen in security strategies are an example for broader risks. A resilient organization is thinking in this same manner – what can we do to prevent an issue and what will we do when there is an issue. At the heart of this approach is an understanding of business risk powered by an integrated approach to risk management. Several factors will give your organization a significant advantage as you target a balance of approaches:
Establishing a common taxonomy for discussing risk enables preventative and response measures to be balanced based on business impact.
Common catalogs of risk management program elements such as risks, controls, incidents and assets allow your second line functions to analyze overall risk by setting a mutual point of reference.
Standardized processes to monitor risk and assess controls permit a balanced view of residual risk via the effectiveness of preventive measures in place.
Unified processes to report, track and monitor gaps such as operational incidents and issues provides insight into the efficiency of response actions.
These core capabilities set the framework for an integrated, balanced approach for preventive and responsive controls.
As we saw in the last 18 months, security breaches are not the only major disruption organizations can experience. The shift towards operational resilience as an end game is resonating across all teams mandated with risk management. Organizations are on the path to put the complimentary approaches of proactive and reactive preparation in place. It is, therefore, fitting that travelers and sailors appealed to Castor and Pollux for safe voyages. Those that found favor to the Gemini were thought to be aided in in moments of crisis. Given the ongoing journey organizations are on towards operational resilience, Castor and Pollux are appropriate patrons.