It's almost Christmas, and many of us are looking for a suitable Christmas present for our family and loved ones. This year, I asked all Nixuans: If you could give a perfect cybersecurity Christmas present for companies, what would it be? Better tools? More awareness of risks? Someone in top management who really cares and pushes things forward? More budget to do things? World peace, leading to incentives for cybercrime going away?
In total, more than 50 Nixuans contributed their thoughts based on their own experiences, and now I want to share them with you. The topics vary wildly. Some are very practical, some wishful and others downright magical. Join me on this adventure from the 1st to the 24th of December. A new present proposed by one or more Nixuans comes out every morning on my personal LinkedIn page, and here is a collection of the first 14 of them.
1st: Perfect asset management solution that almost magically knows every system, device and other assets as well as their status
Given how often incidents are caused by assets that fly under the radar until something goes wrong, wouldn’t you love to have nearly perfect visibility and thus the ability to react? Decisions could be made based on real and current information rather than best guesses or the situation from that audit a few years ago. The theme came up several times from different Nixuans, maybe because it’s something that is rarely in perfect shape.
2nd: In-house hacker in the company who tests security and brings that unique mindset into discussions
Hackers have a rare talent for looking at a thing and seeing a variety of ways in which it could break, misbehave or get abused. It is not the right mindset for everything – some of you may know what I mean – but often these people can evaluate new ideas and plans from an entirely different perspective. The more they understand and dig into what the company does, the better ideas and information they can provide. Not to mention that the practical hands-on approach to security would no doubt lead to very concrete improvements quickly. By the time a security group finishes wording the first page of their security guidelines, the hacker has already implemented several technical controls which make that page obsolete.
3rd: Connecting the industrial sites and experts to the cybersecurity experts in the company and starting a long-term co-operation
Factories, supply chains and what have you are far too often separated from the rest of the company. Nowhere is this more obvious than in cybersecurity. There is a long-standing tradition that these two groups don’t associate, sometimes for historical reasons and sometimes just because… Having a good channel between them would significantly improve the security of these critical functions, as good practices could be shared and existing capabilities re-used. As different as these areas may look at first, from a technical point of view they are not all that different in the end. Just having that line open already goes a long way.
4th: More time and resources for testers
Everyone who has ever done testing knows the feeling when you are going through all the angles to ensure that everything is working and then you realize that you only have enough time to cover 50% of what you think is needed. With security this happens as well, all the time. You never have enough time to be completely happy with the results. Worse yet, it’s hard to say if the missing 10% is the critical 10% which should have been your priority in the first place. If we could somehow get more hours in a day or – more realistically – more resources for testing work, those problems that slip through could be reduced significantly to make our systems, products and other assets more secure.
5th: Awareness for everyone in the company that cybersecurity is not something that IT does for you
Once you get past the idea that security is handled by “someone else”, you are well on your way to being part of the solution. There truly are areas in a company which someone else takes care of for you, and you get to admire the results of their work. Security is not one of them. Some people do have a bigger role to play, yet it’s hard to find a person who isn’t at least a juicy target for malicious actors and thus in need of good awareness of the risks. We don't ask you to go to awareness training for no reason, you know.
6th: Design for security that is so comprehensive that nothing falls through the cracks
Too often companies that invest in security do so in a way that leaves huge gaps in the big picture. Do you have a great incident response team but no idea what your products contain? Did you invest in awareness but it’s not working, since the tools that people are using push them towards bad security behavior? Do you have a wonderful secure development process, yet half of your software development is outsourced, and they don’t use it? Then this one is for you. Even good security practices can sometimes be defeated by one thing done wrong. Making the good things better is often not money well spent if some things are left lagging.
7th: Worldwide implementation of RFC 3514
“The what now?” you say? RFC 3514, more commonly known as the “evil bit”, was an April Fools’ Day joke which involved a mark on every packet moving through the Internet that would signal whether it’s malicious or not. With this, anyone operating network equipment could simply configure firewalls and various types of defensive mechanisms to drop those packets to avoid cyber-attacks. Unfortunately, worldwide implementation isn’t quite here yet – imagine that – but wouldn’t it be nice? Given all the news we hear almost every day regarding new data breaches, denial of service attacks and whatnot, being able to easily tell what is good and what is bad would be a blessing. Unfortunately, this is a core challenge in defending against threats: how do you know what is what, and when should you pay attention? We’ve come a long way in detecting threats since 2003, when the RFC was jokingly published, and yet it seems like we only see more and more successful attacks. Only time will tell how the game will play out.
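For anyone curious what such a filter would actually have to do, here is an added Python sketch (not part of the original post or of the RFC): parse the IPv4 header, verify its checksum so a corrupted header is rejected rather than trusted, and drop the packet if the reserved flag bit that RFC 3514 designates as the evil bit is set. The sample headers are constructed inline; addresses, identification and TTL values are arbitrary.

```python
import struct

EVIL_BIT = 0x8000  # high-order (reserved) bit of the IPv4 flags/fragment-offset field, per RFC 3514
HDR_FMT = "!BBHHHBBH4s4s"  # layout of a minimal 20-byte IPv4 header

def ipv4_header_checksum(header: bytes) -> int:
    """One's-complement checksum over a header whose checksum bytes are already zeroed."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def evil_bit_set(packet: bytes) -> bool:
    """Return True if the evil bit is set; raise ValueError for anything a filter should not trust."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    header = packet[:ihl]
    # Verify the header checksum before acting on any field.
    stored = struct.unpack("!H", header[10:12])[0]
    if ipv4_header_checksum(header[:10] + b"\x00\x00" + header[12:]) != stored:
        raise ValueError("bad header checksum")
    flags_frag = struct.unpack("!H", header[6:8])[0]
    return bool(flags_frag & EVIL_BIT)

def filter_packets(packets) -> list:
    """Per-packet decision of an RFC 3514-aware filter: drop, accept, or malformed."""
    decisions = []
    for pkt in packets:
        try:
            decisions.append("drop" if evil_bit_set(pkt) else "accept")
        except ValueError:
            decisions.append("malformed")
    return decisions

def build_header(evil: bool) -> bytes:
    """Constructed sample: 20-byte IPv4 header 10.0.0.1 -> 10.0.0.2, id 0x1234, TTL 64, TCP, valid checksum."""
    flags_frag = EVIL_BIT if evil else 0
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    fields = [0x45, 0, 20, 0x1234, flags_frag, 64, 6, 0, src, dst]  # checksum placeholder is 0
    fields[7] = ipv4_header_checksum(struct.pack(HDR_FMT, *fields))
    return struct.pack(HDR_FMT, *fields)
```

Flipping the bit on an existing header without recomputing the checksum is reported as malformed rather than as evil, which is the point of checking the checksum first.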
Stay tuned on my LinkedIn for more perfect gift ideas for the company you care about, every day until we reach Christmas Eve.
8th: Decision makers with the ability and courage to see further and think in long-term as far as cybersecurity goes
Many things are not fixed overnight. Our product with 20 years of legacy isn’t going to be perfect half a year after instituting the perfect development model. In fact, even the next product we are currently working on might suffer from those same old ways of thinking that are very deeply embedded into what the organization is doing. They had 20 years to internalize those practices; what do you expect? It’s easy to dismiss the new approach as not good enough when it simply hasn’t been given enough time to shine. Whether it’s thinking in terms of quarters or simply a lack of courage to see things through, too many good ideas don’t get enough time to prove themselves. Hopefully, you have the right kind of management who can see the world as it will be and have the courage to trust that nothing about the plan is fundamentally wrong, even if it takes a while.
9th: Culture of open sharing regarding cybersecurity incidents
This is not something that one company can do on its own; it takes a collaborative effort to get it started. In the aviation industry, information regarding accidents is shared much more freely than is the case in cybersecurity, precisely to facilitate learning. Some companies have come out and talked about their incidents, but usually on a high level and only in general terms. Given how prevalent and regular these cases are for large enterprises, sharing the information and learning from what worked and what didn’t would be extremely valuable. Today, incidents are often shrouded in mystery, making it harder for companies to learn from others. Even when sharing happens, it tends to be within limited communities to which many companies simply lack access.
10th: E-mail that is actually secure by design
Out of all the things we use in digital offices today, e-mail is one of the older inventions. Surprisingly, it hasn’t changed nearly as much as one would think. By default, e-mail is rather insecure, doesn’t verify senders, and you can lie about almost everything when sending an e-mail to someone. None of the security enhancements, especially the client-side ones, are popular enough that one could rely on them. No wonder e-mail is still the leading channel for scams. Yet many of us use e-mail for the majority of our communications. For some (myself included), e-mail is your personal ERP – your tasks come through e-mail and get marked done by moving the mail to the right folder. Priority is defined mainly by the order in which e-mails arrive. This combination of horrible security out of the box and such heavy reliance seems rather odd if you don’t know the history behind e-mail. Besides people who are perfect and make no mistakes, it’s hard to think of another thing with such an impact.
11th: Cybersecurity experts who know the business domain in which the company operates
Cybersecurity people know their stuff when it comes to security and many security problems tend to be the same across industries, but context does matter. Is denial of service a problem? That depends. In some scenarios, it might be a huge issue. In others, not so much. What are our biggest concerns? In one industry it might be money, in another, it might be reliability. The best possible cyber expert would know everything there is to know about your industry so that they can provide relevant recommendations and evaluate threats realistically. Doomsayers are not very useful if the doom and gloom they are preaching doesn’t make any sense in your context.
12th: New sense for people which would indicate what is true and what is not
Too often our decision-making is based on information that is partially or entirely wrong. Anecdotes, rumors or even intentionally misleading information are the name of the game today. The only thing that has really changed is how easily we can access so much information and how hard it is to verify. This applies to security even more than to most things. If people could see through falsehoods and lies or even get just a little better at it, it would help them to make better decisions – whether to avoid being scammed or to choose the best approach for security. There is room here for both education as well as technology to help us move forward.
13th: Comprehensive and relevant benchmarks to compare your security against
It’s hard to make changes to your company's security when you don’t know where you are and what is enough. Security is an endless exercise – you can always add more and improve on what you have now. Without some way to see what others do, or a recommendation from experts, you are fumbling in the dark. Furthermore, what is right for you might not be right for someone else. The danger with benchmarks is that they might not apply in your situation. You ideally want to compare your company to identical companies – which do not exist, of course. Your next best bet is companies similar to yours – in industry, size, location, operational style... Having those perfect benchmarks available at all times, ones that are just the right fit, would no doubt improve the overall security level and bring some facts, rather than best guesses, into investment discussions.