Independent Competence Platform
for Integrated Security in Switzerland.

Cyber Security and IT Risk Management in a Nutshell

A human, risk based, pragmatic and comprehensive approach to Information Security

In 2007 the first edition of this book was published with the intention of supporting non-experts by addressing this topic in a pragmatic way.

One tends to think that a lot has changed since then. The main thing that has really changed is that “Information Security” has become “Cybersecurity”, and the topic has, at least for the moment, high attention in many organizations. Of course I’m oversimplifying, but I’m doing this intentionally.

Somebody who really wants to get hold of your information will always get it. It is just a question of resources and the willingness to invest them.

The cybersecurity hype is good, but it has a major shortcoming: it is often about technology alone. The book addresses this and other shortcomings, e.g. in the provided extract, chapter 1.1 “Information Security Stumbling Blocks”.

Have fun reading and digesting the theories.

1. Information Security Stumbling Blocks
First, let’s understand the root causes of most information-security-related threats and vulnerabilities: what jeopardizes our intention to protect the information of an organization, whether digitalized or not?

Diagram 1: Information Security Stumbling Blocks (figure not reproduced here)

1) Most legislations are deployed with sufficient lead time

The list is not meant to be complete, and I keep it high-level with intent. Of course there are other factors, like the digitalization of life, globalization (it is always office hours somewhere), IoT, etc. I just want to show you that the technology is not the problem. How we select, operate and use it is what enables security incidents.

The key questions you should ask:
1. Did we select the right technology?
2. Do we manage/operate the technology adequately?
3. Is the technology applied securely enough by the (end) users?
4. Does your company culture keep employees alert?

For example, common file sharing platforms are fine for students and some types of startups, but they should not be used by hospitals, banks, etc. For an organization in a sensitive industry, like a hospital, that uses such a platform, the mistake was made by selecting this technology (service) in the first place.

Adding an encryption service on top will not solve the problem: users do not understand it, and they circumvent the encryption for their own convenience. The right approach is to offer a sharing service under your control, with built-in security mechanisms that cannot be turned off and that are easy to use.

Diagram 2: ISEC vicious circle (figure not reproduced here)


The conclusion of this chapter is not to stop implementing new firewalls, intrusion prevention systems (IPS), intrusion detection systems (IDS), etc. The idea is to take a step back and first fix the issues that have been there for a long time, which are mainly human factors.

Of course you get more management attention with a $1.5 million security infrastructure update project than with a rework and redeployment of your patching process. Such a project would cost $100K, be paid out of the operational budget and have low visibility. Would it improve security more? Almost certainly.

If you buy the new IPS (or get a free one like snort.org), you still have the badly managed patching process nobody cares about.

So an information security person who accepts my line of thinking, fully or partly, must see the need to understand and work on the human factor of information security.