Incremental and iterative improvement of cybersecurity

Sander Valvas

Head of Cybersecurity Department


“Information security is not a discipline that exists on its own. We practice it to assure business continuity.”

Sander Valvas

According to ENISA, many small and medium enterprise (SME; up to 250 employees) owners think they are not at cybersecurity risk because of the size of their business and information assets. Most think that large corporations with more assets are the only ones at risk. This is not true.
Firstly, the sensitivity of information comes down to its quality, not its quantity. Secondly, SMEs do not have the resources or personnel to address security as intensively as large corporations do and are therefore more exposed to risk. As a matter of fact, new technologies allow small businesses to use many of the same information systems employed by large enterprises, exposing them to many threats that were traditionally associated with large corporations. Therefore, it is imperative for the sake of their continued success that SME proprietors and decision makers recognise these pitfalls and take steps to address information security issues.

There are many standards and methodologies available to provide guidance on how organizations should manage information security risks (ISO 27001, NIST, etc.). However, for most SMEs following these methodologies seems so overwhelming and expensive that they decide to accept the risk, as the risk seems to be less expensive than managing it. In most situations this is not the case: the guidelines are rather generic, do not prescribe strict and specific procedures, and all of them suggest that the cost of risk countermeasures should be aligned with the cost of the risk itself. So, the problem is not the cost of information security management, but a lack of skills to implement suitable risk, threat and vulnerability management systems and procedures.

A better approach to improving the cybersecurity situation of SMEs would be to introduce more agile and less rigid methods to reach an optimal level of information security management and/or to improve the current situation. The idea is to incrementally and iteratively build a better overview of the current cyber situation and, based on that, provide a path towards better management of cybersecurity risks.

DevSecOps is an approach that advocates an iterative approach to security in the software development lifecycle. Although it is most closely related to the software lifecycle, its principles can be applied to any system, including an organization. It is a philosophy that incorporates security at scale and generally favours iteration over trying to always come up with the best answer before a system is deployed.

Here are some points we should prefer, adapted from the values of agile software development.

Individuals and interactions over processes and tools

Information security is not a discipline that exists on its own. We practice it to assure business continuity. The everyday Process/Product/Service Owners know best which risks are the most damaging to the business. They know how much downtime can be managed, which parts of the solution are the most critical or risk-prone, and which contingency plans are realistic. The Process/Product/Service Owners are the people who should be involved in choosing which protective measures to focus on. However, they are always busy with everyday endeavours and are reluctant to spend time on processes and tools forced on them. Still, they should be present when the processes and tools are decided, as quite often the protective measures are merely procedural and require managerial support and enforcement.

Hands-on improvements over comprehensive documentation

By no means should one discount the importance of good documentation, as it is one of the foundations of knowledge transfer. But especially in smaller organizations, the pragmatism and creativity of the workers is what provides the competitive advantage. People working in such organizations grasp the situation with ease and react to incidents quickly. Their experience is the key, and that is why they should be trained to execute contingency plans rather than be given comprehensive documentation they must read. The importance of hands-on experience cannot be overstated: because technologies and cyber risks evolve rapidly, people need real-life, hands-on experience in order to maintain and evolve cybersecurity within complex systems.

Collaboration over contract negotiations

When using third-party service providers, common sense and a good understanding of each other's needs are also often more important than what was agreed in the contract. A good working environment, respectful relationships and empathy create efficiency. It is crucial for every stakeholder, internal or external, to understand the mutual benefit of cooperation, as everybody wins if problems are avoided or solved quickly and time is not spent on the blame game. That time is better spent on learning from the problems and improving the relationship by clearly defining expectations and improving collaboration.

Responding to change over following a plan

In many cases organizations do not have a dedicated in-house security practitioner, or there are simply not enough of them. Often organizations have no idea how severe the threats are in reality and no understanding of how much effort and resources should be put into cybersecurity. There is no point in creating a comprehensive plan for something we know nothing about, as it most likely will not be used. Dealing with such uncertainty can be hectic and chaotic, and we would like to avoid that. In such situations, starting with a simple plan, adjusting it to what is relevant today and continuously improving it is much more natural. An iterative and incremental process can help organizations get started.

Agile process management

In order to cope with ever-changing environments and needs, we can implement a lightweight routine similar to many agile software development methodologies (like Scrum). An organization chooses a time-box (Sprint) during which a fixed amount of resources (time and assets) is spent on revising and/or improving the cybersecurity situation. The tasks executed during the Sprint are based on a backlog that consists of various items identified during previous Sprints or everyday work. The idea is to create backlog items at a granularity that lets them be finished with ease by the end of the Sprint. Creating a plan or taking a course on cybersecurity risk management can be the first items on the list.

Once a backlog is present, the trickiest part is the prioritization of backlog items. Risk qualification and quantification is a challenge even for experienced security practitioners. Still, gut feeling is also a method, especially if it is the gut feeling of long-term employees who understand the organization's vulnerabilities and cybersecurity landscape. Additional methods, like the "planning poker" often used by agile teams, can also be introduced. With experience everyone gets better at prioritization.

Daily progress reviews, Sprint reviews and retrospectives after completion of the Sprint are recommended to assure that things are progressing. Constructive discussion of successes, problems, etc. is crucial to learn from experience and improve the situation.
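The Sprint routine above (a backlog, planning-poker style estimates, and a time-box that only fits so much) can be made concrete in a few lines. The following is an added illustration, not code from the article or its author: each backlog item carries impact and likelihood votes from several stakeholders, the median vote is used as the estimate, items whose votes disagree widely are flagged for discussion before re-voting (the usual planning-poker rule), and the highest-scoring items that fit the Sprint's hours are selected. The backlog items, votes, hours, the 1-5 scales and the disagreement threshold are all constructed sample values.

```python
"""Risk-scored Sprint backlog with planning-poker style estimates.

Added illustration (not from the article): impact and likelihood are
voted 1..5 by several stakeholders, the median is the estimate, wide
disagreement sends an item back to discussion, and a greedy pass fills
the Sprint time-box in priority order.  All data below is constructed.
"""
from dataclasses import dataclass
from statistics import median
from typing import List, Tuple

# Assumed planning-poker convention: if the highest and lowest vote differ
# by this much or more, the team discusses the item before re-voting.
DISAGREEMENT_SPREAD = 3


@dataclass
class BacklogItem:
    title: str
    impact_votes: List[int]      # 1 (negligible) .. 5 (business-stopping)
    likelihood_votes: List[int]  # 1 (rare) .. 5 (expected soon)
    effort_hours: int            # estimated effort inside the Sprint

    def risk_score(self) -> float:
        """Median impact times median likelihood, range 1..25."""
        return median(self.impact_votes) * median(self.likelihood_votes)

    def needs_discussion(self) -> bool:
        """True when stakeholders disagree strongly on impact or likelihood."""
        return any(max(v) - min(v) >= DISAGREEMENT_SPREAD
                   for v in (self.impact_votes, self.likelihood_votes))


def prioritize(items: List[BacklogItem]) -> List[BacklogItem]:
    """Highest risk first; ties broken by smaller effort (quick wins first)."""
    return sorted(items, key=lambda i: (-i.risk_score(), i.effort_hours))


def plan_sprint(items: List[BacklogItem],
                capacity_hours: int) -> Tuple[List[BacklogItem], List[BacklogItem]]:
    """Greedily fill the Sprint time-box in priority order.

    Items that do not fit stay in the backlog for the next Sprint; items
    flagged for discussion are deferred as well, because their estimate
    is not agreed yet.
    """
    planned, deferred = [], []
    remaining = capacity_hours
    for item in prioritize(items):
        if item.needs_discussion() or item.effort_hours > remaining:
            deferred.append(item)
        else:
            planned.append(item)
            remaining -= item.effort_hours
    return planned, deferred


# Constructed sample backlog: three stakeholders voted on each item.
SAMPLE_BACKLOG = [
    BacklogItem("Enable MFA on e-mail accounts", [5, 4, 5], [4, 4, 5], 6),
    BacklogItem("Test restore from backups", [5, 5, 4], [3, 2, 3], 8),
    BacklogItem("Write phishing contingency plan", [3, 3, 4], [4, 3, 4], 4),
    BacklogItem("Inventory laptops and owners", [2, 2, 3], [3, 3, 2], 3),
    BacklogItem("Review supplier remote access", [4, 1, 5], [2, 3, 2], 5),
]

if __name__ == "__main__":
    planned, deferred = plan_sprint(SAMPLE_BACKLOG, capacity_hours=18)
    for item in planned:
        print(f"PLAN     {item.risk_score():>4}  {item.effort_hours:>2}h  {item.title}")
    for item in deferred:
        tag = "DISCUSS " if item.needs_discussion() else "DEFER   "
        print(f"{tag} {item.risk_score():>4}  {item.effort_hours:>2}h  {item.title}")
```

With an 18-hour Sprint the MFA, backup-restore and phishing-plan items are planned, the laptop inventory is deferred for lack of hours, and the supplier-access item is sent back to discussion because one stakeholder rated its impact 1 and another 5; that disagreement is exactly the kind of conversation the retrospective and review meetings are meant to surface.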

Applying DevSecOps values to organization security management

It is important to understand that cybersecurity involves the whole organization: management, process/product/service owners, IT, external partners and others. In order to actually improve the cybersecurity situation of an organization, it is crucial to consider the full picture. Security should not be an obstacle to business; it should be a normal part of business process planning and management. If security is part of the everyday routine, it enables proactive security monitoring from the early stages. Everybody is part of the security program.

Additionally, regular testing of systems by internal and external teams (Red & Blue Team exploit testing) should be part of the routine of proactive security measures. This way we do not rely on scans and theoretical vulnerabilities, but on threats that are present today. Onboarding external help gives a fresh perspective. Integrating external teams into the organization's security management procedures helps bring value to the meetings and prioritize the backlog. Creating a simple routine with a playful and fun atmosphere around subjects that are traditionally distant, tedious and scary can do wonders.