Planning your upcoming moves in the Game of Security

Security is like playing the game of Chess: you have to think multiple moves ahead of your adversary and plan your upcoming moves accordingly. You almost wish you could read your adversary’s mind. In other words, you have to be proactive in the game of Chess, and even more so in the Game of Security. Reacting to your adversary’s moves after the fact is too late, given the disastrous effects of each successful attack. So, how proactive can enterprises afford to be in the Game of Security? Let us first take a look at some of the proactive steps at play.

Proactive approaches essential to address board-level security concerns

We can start by taking a look at the state of security within the enterprise. “We would better get security right,” says HP Security Strategist Mary Ann Mezzapelle in her keynote at the recently held Open Group Conference at Newport Beach, CA. Asserting that proactive risk management is the most effective approach, Mezzapelle challenges enterprises to proactively question the presence of shadow IT, data ownership, usage of security tools and standards while taking a comprehensive approach to security end-to-end within the enterprise.

The keynotes at the recently concluded RSA 2013 Conference suggest some compelling techniques that warrant serious consideration:

  • Art Gilliland suggests learning from cyber criminals and their methods, as reported in this ZDNet article by Rachel King, since the very frameworks enterprises strive to comply with (such as ISO and PCI) set a low bar for security that adversaries capitalize on.
  • Andy Ellis discusses managing risk with psychology instead of brute force in his keynote at the RSA Conference.
  • At the same conference, in another keynote, world-renowned game designer and inventor of SuperBetter Jane McGonigal suggests that the “collective intelligence” gaming generates can be applied to combat security concerns.
  • Gilliland himself suggests techniques such as benchmarking, so that enterprises can share their experience in managing risk.

Also, how about instilling OODA (observe, orient, decide, act) techniques into the security hacker’s mind?

Can enterprises afford to take such proactive steps? Or more importantly, can they afford not to?

The HP Ponemon 2012 Cost of Cyber Crime Study revealed that cyber-attacks have more than doubled and their financial impact has increased by nearly 40 percent over a three-year period. In other words, security is a board-level concern today, as indicated in this ComputerworldUK article by Antony Savvas.

Enterprises must balance the cost of executing such proactive measures against the cost of cyber-crime. The HP Ponemon study estimates the average annualized cost of cyber-crime at $8.9 million, with a range of $1.4 million to $46 million across the 56 organizations studied.

How about you? What are some of the other approaches enterprises can take to be more proactive? Have you assessed the cost of cyber-crime for your enterprise? Please let me know.

Connect with Nadhan on: Twitter, Facebook, LinkedIn and Journey Blog.