One Size Does Not Fit All in Security Threat Response

Even though the security technology industry is awash with excellent products, it is not focusing adequately on the people who use them and the companies they work in.

Speaking at the Fujitsu Forum 2015, the company’s head of cybersecurity services, Andy Herrington, told Infosecurity Magazine that the technology industry in general, very much including security, was not paying enough attention to the end-user community at the center of it. Indeed, he cast some doubt on whether the industry in general had made the necessary connections regarding what security is really about.

“Here we are at a show with a great deal of product present but for me [you have to ask] whether we are paying enough attention to the people. Which is actually what the business is composed of,” he said. “I think our enterprise organizations understand this quite well but I’m not sure that we have made the connection about what security [really is] about how we allow people to behave and react responsibly and do their day to day jobs in a secure way, without interfering in their day to day jobs. And for me the story here [in Munich] is being the experts in how to secure ‘stuff’, actually taking the time to understand clients' business and how their people operate in those businesses and therefore [show] what does good security look like in relation to that.”

Analyzing the job at hand, Herrington said that all businesses have a different tolerance of risk. He was confident that in general people wanted to do the right thing. Yet an unintended consequence of this was that a lot of security technology was impacting those who least needed it, that is, those likely to act responsibly in any case.

“The balance needs to be struck in not necessarily focusing [totally] on security but also thinking of some aspects as to how companies approach security,” Herrington suggested. “You understand what you are trying to achieve in your business and [recognize] what are the things that you simply cannot avoid, and afford not to happen. Based on that you can start building out a security model that includes people, process and technology. And in that order… Technology and technological expertise are incredibly valuable but we have to be more expansive in our thoughts in terms of the types of [people such as] behavioral analysts and HR specialists, bringing in [leaders] from the business and training them to be security experts.”

This model, said Herrington, could be applied to virtually all industries and would help ensure that people’s end-to-end business lines functioned in the required manner, preventing not just incidents but expensive breaks in process. It was in this regard that security could be seen as a profit center, he suggested.

Herrington added that when assessing threats to processes, all businesses could look at a threat matrix containing four fundamental threat vectors: external and internal malicious, and internal and external accidental. He noted that the focus of the IT security industry has traditionally been on preventing external malicious threats while not paying as much attention to the three other areas. There were, he said, a small number of cases of accidental internal threats with real impact, and of accidental external threats, for example firms undertaking their own penetration tests against the wrong IP block: to the target this looks like a probe or a DDoS attack and can set off alarms that shut off business.

Threat intelligence, he added, needed to be more agile and flexible and cope ‘sensibly’ with the diverse nature of attacks. One size did not fit all, and that meant having an environment where “if you look at the business process actually there are threats across the matrix and how you look across the threat profile is important and starts to inform your approach to business processes. You start to look at how you can reduce the accidental through training and good governance etc., making life easier,” Herrington added. “Sometimes with accidental threats you just need to be better at recognizing it, while the two malicious threats require different response profiles. When incidents do happen you need to ask whether your response is appropriate.”
