An Integrated Risk-Based Approach to Managing Cyber Security
Former United States President Barak Obama compared Cyber Security to Basketball; “There’s no clear line between offense and defense,” Obama said. In India, however any cricketer will eagerly tell you when asked that the best form of defense is an offensive strategy.
In building India’s Cyber Security, both Government and Industry must fuse together and provide an integrated policy framework of computer security guidance for how together they can assess and improve their combined abilities to DETECT, DELAY and DETER cyber-attacks.
The integrated “core’ should be the nucleus of the Indian Cyber Security framework and like in Physical Security should comprise several functions or rings of security that reflect the full lifecycle of a cybersecurity risk management program.
As in physical security risk management, these core functions must comprehensively be broken down into different and separate categories and subcategories, which must be mapped and linked to various Government national security policies and procedures.
“What should be India’s approach to tackle the rising cyber threats”, particularly when the country is facing a critical skill shortage in the domain.”
Marc Kahlberg
CEO and Managing Director
Vital Intelligence Group
The Cyber Security approach should be distinguished as being a holistic risk management tool that excels in several areas and not only a technical standard or set of security controls. Layered above technical standards providing guidance to drive integrated policies and validate risk management strategies. Constant assessments of the overall cybersecurity posture, program maturity, and residual risks to government, industry and the private sector should be delivered. The planning of budgets by mapping planned investments and project roadmaps should be determined in a short sales cycle of much needed technology. The communicating of cybersecurity needs to external stakeholders such as auditors, insurance underwriters, and regulators should be paramount along with the use of existing security standards like the ISO 27001 as an added tool without incurring additional expenses. Creating a dual purpose in reducing legal risk such as embracing cybersecurity practices that are central to consumer lawsuits and government enforcement actions (such as governance, policies and incident response) as well as assisting each other in effectively mitigating legal exposure as well as creating a framework for public-sector recognition and as affirmative evidence that the security program is “reasonable,” which is typically the fundamental question in a legal context.
There is no doubt that any approach to seriously tackling the cyber threats we are faced with today should be comprised of a policy or guideline of standards that includes the Maintaining of Cyber Security Uniformity, the Defining of Cyber Security Regulatory Guidance, the Creation of an Overall Cyber Security Mass Awareness Campaign.(specifically targeting academia, energy, finance and telecommunications). The focus should be targeted on Promoting National Cyber Security Capabilities to Improve India’s Cyber Security Preparedness through the Academia and Advanced Education.
In Defining Current and Future Cyber Security Challenges there must be Improved Cyber Security Defense of National Infrastructures Critical to the Continuation of Normal Life, Protecting the Population from Cyber Attacks and Cyber Crime.
The Upgrading of India’s Existing Information Technology Development by Integrating Cyber Orientated Initiatives and Objectives and Encouraging Cooperation between Academia, Industry and the Private Sector, Government Offices and the Security Community along with Empowering Police to manage the entire scope of national cyber security and cooperate with industry is the base for a formidable approach to slow down the rising Cyber-threats.
In managing risks associated with any cyber-attack three basic factors should be addressed; Threats (who is attacking), Vulnerabilities (the weaknesses they are attacking) and Impacts (what the attack actually does).
The core approach should be to implement security requirements for defining an actionable cyber intelligence strategy while enforcing national requirements.
The first task should be to design effective security needs as an integral part of ICT design. Focus on security rather than design for economic reasons. Future security needs are becoming predictive so invest in the right know-how and technology.
The second task should be to create incentives for the structure of economic advancements for cybersecurity. Remember that Cybercrime is cheap, profitable, and comparatively safe for criminals. Cybersecurity in contrast can be expensive, is by its nature imperfect, and the economic returns on investments are often unsure.
The third task should be a consensus that must be achieved with all stakeholders that awareness, implementation, and risks are no longer traditional and the approach to security must be hyper-connected and fused into an environment of cyberspace and physical security with education taking center stage.
The Cyberspace environment has been called the fastest evolving technology space in human history, both in scale and properties by leading experts.
New and emerging properties and applications—especially social media, mobile computing, big data, cloud computing, and the Internet of Things (IoT)—further complicate the evolving threat environment, but they can also pose potential opportunities for improving cybersecurity, for example through the economies of scale provided by cloud computing and big data analytics and of course in certain restricted environments by self-defense methods and tactics.
Cyber intelligence in a world of information approach must be taken in order to accurately and timeously correlate Information vs Intelligence.
As professional cyber jobs are wide open with no real manpower solution readily available, the overall approach should be to promote activities in various cyber security fields in cooperation with industry, academia and the government sector while formulating a national cyber defense strategy that includes educational incentives. The Promotion of activities in various cyber security fields in cooperation with industry and the sharing of information will enhance the awareness levels.
In 2017 and beyond, the use of sophisticated prevention technology and tactics including threat intelligence, machine learning and managed hunting, will be the only combination of tools to truly support enterprises in predicting, detecting and preventing damaging intrusions.