BOSTON—Technology conferences come and go, but the annual conference of the Advanced Cyber Security Center last month was notable for its show-stopping keynote, delivered by former Secretary of Homeland Security Michael Chertoff.
As the theme for the day was “Left of Boom” – a military term referring to the moment before a bomb explodes – Chertoff’s speech naturally focused on information security preparation and risk management. Where his speech differed from the usual cybersecurity popular wisdom commonly dished out at these sorts of events was his emphasis on two primary points:
- There’s more to preparation than prevention.
- You are going to be breached.
“If your view [of cybersecurity is] ‘prevention, prevention, prevention, that’s all I’m focused on,’ that is gonna be doomed to failure,” Chertoff cautioned audience members. “You’re not gonna eliminate the risk of cyber attacks; this is about managing the risk.”
The Anatomy of Cyber-Risk Management
Chertoff divides cyber-risk management into three factors, and explains them accordingly.
Threat: “Threat is about who’s out there that has the capability and the intent to do you harm[.]”
Chertoff identified four primary cyber threats: (1) run-of-the-mill criminals looking for a quick buck; (2) cyberspies “stealing IP business plans [and] strategies, and using that as a way of getting a competitive advantage in a global environment;” (3) politically motivated hackers who may be looking “to hurt you as a person;” and (4) nation-states with grander political schemes, often in cooperation with some – or all – of the above.
Vulnerability: “Vulnerability is about how [prone] you are to attackers[.]”
Insisting that no organization can be invulnerable, Chertoff focused on “What if?”-type questions as a matter of vulnerability assessment (and cost assessment, because they implicate tradeoffs between access and security).
“[Y]our salesforce wants to be connected all the time,” said Chertoff. “They want to be able to sit in Starbucks and connect to the [free WiFi] while the guy next to them just sort of starts sucking [data] down[.]”
A good security system can only be designed, suggested Chertoff, once the dollar value of all competing factors has been determined.
Consequences: “How do you deal with the fact that you are going to be breached?”
Chertoff boiled consequence management down to four key tactics: (1) redundancy in systems and data; (2) implementing resilient technology, such as predictive analytics-based systems that self-heal by recognizing and remediating infections in real time before they proliferate; (3) regular crisis management training (including making sure that the parties involved communicate with one another, so that they know and agree on how to respond cohesively to an event); and (4) effective collaboration.
Chertoff was careful to note that each of these three risk management factors is equally important to consider in concocting and executing an effective cybersecurity plan.
“If you put all your emphasis on one area,” warned Chertoff, “you are actually losing your ability to get defensive depth.”
The Living Enterprise: Information Security as Immune System
“The human body is a risk-management enterprise; it’s actually not a bad model,” Chertoff analogized. While the immune system helps fight off infections, Chertoff explained, “your body is configured on the expectations that there will be bacteria and viruses[.]”
Indeed, Chertoff referred to vaccinations as “an information-sharing system” – highlighting the importance of external collaboration and threat-sharing for optimal enterprise security.
“[Y]our body assesses [things] when they come in,” said Chertoff. “If they are dangerous, they [are dealt with.] Now, it’s not always successful, but for the garden variety of the kinds of things we deal with, it’s actually a very valuable system.”
Chertoff closed his metaphor-driven keynote on an encouraging note, saying that by adopting and acting on these views on cybersecurity, “you can survive…almost anything that is thrown at you.”
In a parting shot, he added, “I wish we were as fanatic about cybersecurity as we are about Ebola.”
Joe Stanganelli, principal of Boston-based Beacon Hill Law, is a writer, attorney, and communications consultant. Follow him on Twitter at @JoeStanganelli.