Security Planning is Rarely Complete
In the current dynamic cyber threat environment, the majority of firms are challenged to fully identify the emerging reality they face in the immediate future, whether because of the evolving threats, or the capabilities of new technology. There is less reason now more than ever, to assume that cyber security strategies are fully valid year-on-year, and can remain effective by simply and incrementally refining plans, without testing their relevance.
While the conducting of risk assessments, or review of vulnerabilities is becoming more common on an annual basis, this does not always lead to more effective security, and the outputs are rarely useful to all stakeholders. The development of cyber threats consistently illustrates how re-evaluation and re-development of security plans, does not keep up with the threat landscape.
Security plans must be in a state of constant evolution in order to remain effective and relevant, and it is this point that challenges an organisation’s ability to proactively adapt to a dynamic environment. Security plans should also be threat assessment-led, and intelligence-informed, but dedicated resources are usually insufficient to maintain a comprehensive threat awareness in the majority of firms. Greater focus is also required on internal vulnerabilities which are more challenging to fully identify. To a degree this should be viewed a critical step away from building and testing the traditional ‘perimeter’ defense. A shift towards creating security ‘from within’ offers greater depth to an organization's position, and around factors that a firm can control. It also allows security managers to build and reinforce different aspects of internal security, monitoring & detection, and it provides the parameters for a broad range of tests & exercises that can be run against different scenarios.
Build it, Then Test it
Security tests & exercises are important to maintain the organisational reassurance that [beyond audit requirements], the strategy & planning will deliver required levels of security and resilience for the organisations under different circumstances. This point highlights one of the more common failings of security plans, in the static or out-of-date nature of the plans, and the lack of application through exercises to ensure awareness, preparedness, and sufficient familiarity with the plans’ aspects to allow for their interpretation.
These issues override other issues including a plan’s validity, or deficiencies in overall security strategy as the true extent of these latter’s weaknesses remain unknown to the organisation until it is faced with a security incident. Hence one of the most critical failings in security management is to sustain the relevance of a plan through testing and exercises.
Effective Security Exercises
The issue of testing security and running exercises is one area that appears to be problematic, partly because of the complexity and cost of running security exercises. Most firms are well accustomed to conducting specific vulnerability scanning but even this can be sporadic and incomplete. Truly 'testing' an organization's posture across all its security measures and layers has yet to become the norm for most security scenarios. Companies are more likely to be testing disaster recovery procedures and conducting related desktop exercises related more to business continuity readiness, rather than exercising security & response.
As IT dependency grows, from an already complex and widespread base, it is increasingly rare that comprehensive security exercises are conducted that simulate 'real-world' threats to test the organisation fully. Budgets fail to cater for the costs and specialist skills required from a ‘red team’, especially to simulate an advanced form of threat.
For blame we need to look to the top. Senior management are rarely involved in security exercises, and this reflects a degree of complacency among executive management that they will be able to make effective decisions in the event of a crisis. Moreover it also indicates that executive management simply do not expect cyber crises, and are consistently reluctant to allocate budget to simulating one.
The scope of exercises tends to reflect how seriously the threats are considered and prioritised. Often for the sake of simplicity, an exercise can be focused on a specific critical process but fail to test the vulnerability causes by interdependencies between processes. The limited scope of exercises, tends to reflect the cost or time investment required to set up & conduct a full exercise, particularly if it simulates a more significant impact or disruption to the company’s operations, or staff agendas.
Problems With Current Practices
Testing process aspects of a plan is disingenuous in so far as it assumes that the content of plan is sound, and the focus of the exercise if on difficulties related to staff understanding, decision-making processes, and plan implementation. It does not sufficiently question whether the plan is appropriate, or complete, or fully relevant.
Limited exercises are less able to identify flaws in plans, and from an organizational perspective critical focus is frequently on the recovery in a crisis, than testing measures that are in place to prevent or pre-empt or respond to a security event. This means essentially…to prevent an incident becoming a crisis. Furthermore some of the more significant threat scenarios are not considered high priority, and invariably are not exercised at all, which highlights weaknesses in companies’ awareness as much as preparedness.
The failure to fully exercise against a scenario means that the company is not fully aware of the potential problems it will face during the whole process or response, end-to-end.
The infrequency of exercises and tests is one main symptom of the problem. With infrequent exercises, organisations tend to focus on higher probability threats. Conversely it is more complex to exercise against a higher-impact threat, and allocate sufficient focus to the operational elements of how to detect and respond to that threat or scenario. This is most evident where human factors or 'internalities' contribute considerably to a threat, and highlights the difficulty in fully exercising a monitoring, detection & response capability.
A frequent objective of exercises is simply building familiarity with plans and responses, because this tends to fulfill senior managers‘ most basic responsibility of ensuring the effectiveness of staff within their roles. This reflects a very basic assumption that the main weakness in any plan is its implementation, despite the flaws in plan. Furthermore it highlights implementation as a key precondition of an effective plan, which is a common problem with the inherent subjectivity of cyber security planning.
However this subjectivity could be designed out of security planning but invariably is not, because many exercises do not typically follow through with a comprehensive process designated to objectively review the effectiveness or relevance of a plan. This is often partly due to the potential scale of the task if plans proved to be inadequate, and the potential cost implications of introducing new capabilities that the plan sets out as a pre-requisite for achieving a target security posture.
The challenge with broad-based security threats, and conducting effective exercises against them is the consistent stove-piping of budgets, priorities, & risk assessments, with the consequence that most exercises are designed and commissioned to test either physical security or aspects of network security, but rarely all in a converged manner. This issue is quite specific to 'security', as there tends to be greater cooperation and collaboration across most organizations for business continuity and crisis management exercises. It is therefore unsurprising that firms tend to run drills for business continuity purposes, and the focus for multi-faceted threats lies with response & recovery rather than preparation, or prevention.
The net effect is an insufficient exercising of security, and an increase in vulnerabilities to a range of 'blended' threats, which may not be addressed effectively in enterprise security planning, and only partially addressed by IT, and physical or corporate security functions separately.
The potentially critical issue that this highlights is that exercise planning is NOT commonly built around an awareness of vulnerabilities and the systematic testing of detective, preventative, and corrective controls.
Ultimately there is compelling evidence:
- Firstly, that there is insufficient testing of security plans
- Secondly, that many ‘tests’ are inappropriate to the range of proper validation objectives
- Thirdly, that tests are too infrequent to provide assurance and validation of many aspects.
It is widely acknowledged that ‘red team’ exercises are the most effective way to create awareness of vulnerabilities, and prioritize future steps to improve security measures. The fact that neither of these objectives are fully addressed by many exercises, highlights a common weakness of security planning that lacks ‘reality checks’.
Without suitable testing, most firms are unaware that they are maintaining obsolete security plans, and management has little basis for objective scrutiny of plans and therefore little interest in their detail. There is no doubt that greater involvement of senior management in reviewing security strategy will ease the various factors that influence the allocation of resource to security measures and exercises.
Many security functions submit more compelling arguments for allocating expenditure on tangible security systems, than on test and exercise spending, but senior management involvement will heighten the importance of regular exercises. Moreover it is dependant upon executive management’s recognition of its responsibilities to ensure all steps are taken to mitigate cyber risk, and creating awareness of these risks remains the greatest challenge.
There is no doubt that greater pressure from shareholders would force boards through the process of familiarisation and proper involvement, by demanding more evidence of risk-informed assessments, and an appreciation of the external context and relevant scenarios.