The Cyber Patient’s Dilemma

By Elliot Dellys, Founder, Phronesis Security

A Head of IT asked me recently: why bother doing a risk assessment when we already know what’s wrong?

It was a fair question – we had spent the better part of a month dealing with a significant security incident and had just concluded a high-level review of the infrastructure landscape. It wasn’t good. There were servers running ancient operating systems, legacy equipment with unknown functionality, and poor configurations that had the network constantly at capacity.

The IT estate was a house of cards and it was a matter of when, not if, it led to a serious loss of information availability or confidentiality. This we knew. What we didn’t know was how this had come to be, as a lack of network documentation meant we had both inherited an opaque environment. Nor did we know exactly where in the network a data loss or hardware failure incident would result in catastrophic business impact.

So, we faced a dilemma: do we dive in and start patching and replacing hardware, or take the time to conduct a comprehensive risk assessment? Each had its own appeal and its own challenges.

A comprehensive risk assessment would take time to properly understand the core business processes, user requirements, security control efficacy, and remediation capabilities. Time, however, was something we did not have to spare, as on any given day a known infrastructure issue could cause a major incident.

On the other hand, simply diving in was not without significant risk. Patching infrastructure without knowing its functionality could cause unexpected interruption to core business functions, as could any hasty configuration changes. Most concerningly, without understanding the underlying risk, any investment might ultimately be squandered if the issues we chose to address turned out not to be those of greatest risk to the business.

Whatever the approach, top management needed an update, the inevitable outlay for infrastructure upgrades would require a solid business case, and the Head of IT’s concern had to be addressed. This cocktail of requirements led me to offer the following analogy:

The business is an unconscious patient who has just entered the Emergency Room. We can see injuries that need immediate attention, but we do not know what caused them. If we only patch the wounds without diagnosis, we risk overlooking the underlying illness and need to repeat this all over again next week – or worse still, lose the patient. If we focus solely on diagnosis however, our patient may bleed out before we understand what caused those injuries in the first place.

Our task therefore required a seamless coordination between the doctors (security) and the nursing staff (IT). While the doctors commence root cause analysis to ensure the underlying illness (risks) can be identified and remedied, the nurses jump into action to ensure the visible injuries (infrastructure vulnerabilities) are addressed as quickly and effectively as possible.

Whether in the Security Operations Centre or the Emergency Room, communication is always critical. A high-level risk assessment was drawn up, and business impact assessments were undertaken for the systems in greatest need of treatment. Senior management was engaged to understand the situation, as well as likely expenditure for medium- and long-term remediation. Throughout the process, the two teams were in constant communication with one another: have rollback plans been tested? Have the users been notified? Have the configuration changes modified other risks, and if so, has this impacted the efficacy of other proposed remediation activities?

A balance must always be struck between the tactical and the strategic. Neither can be neglected if timely, effective, and cost-efficient risk mitigation is the goal. Sometimes a simple analogy can go a long way in bridging the gap between the business and its technical functions, and in this instance, I am proud to say the patient made a full recovery. Whether in medicine or IT, ongoing monitoring and follow-up remain key to the success of any treatment plan. Once the dust has settled and business as usual resumes, all organisations must keep this in mind when navigating the endless minefield that is enterprise security.