Security is a process

Sam Sargeant, Chief Security OfficerA blog post by Sam Sargeant, Chief Security Officer, InternetNZ

April 2020

As a Chief Security Officer, I am often asked these sorts of questions:

  • What is the most secure messaging app?

  • Is this video-conference tool secure?

  • What should I buy to be secure?

I am grateful that people ask these questions. They do reveal some underlying assumptions, which I think need to be addressed:

  • Security is a binary thing; either it’s secure or it’s not

  • The threats that you might face are the same as everyone else

  • Security professionals can make risk decisions on your behalf.

Let’s look at why these are misleading, and introduce you to the idea that security is a process, rather than a product. 

Security is not binary

Information technology tools enable our modern society and we depend on them for much of our daily life. The complexity of networks, systems, software, services, and supply chains means that it’s impossible to have 100% complete control over every aspect and eliminate all security risks. These risks are often emergent – arising from the combination of complex systems in a way which is hard to predict. 

With enough resources and time, attackers will be able to breach your defences. Instead of thinking of a binary “secure/not secure” status, consider risk on a spectrum of possibility. What resource and opportunity would a threat-actor require to complete a successful intrusion? How does this compare to your organisation’s risk appetite?

Threats are not uniform

When asking “is this secure?”, the response should include “secure against what?”

Your threat model should consider the profile of potential attackers. Are you looking to implement a video conferencing solution for the leadership of the country during a pandemic? The interest from state-backed actors would be high, so you need to account for a highly capable and well-resourced advisory. Most people do not need to consider such a serious threat.

Security doesn’t stop after the decision is made

It’s common to consider security during the initial procurement and assume that is enough. There are many factors which make the security risks dynamic and demand your ongoing attention, well beyond the decision to proceed. These include:

  • New security vulnerabilities being discovered and published every day

  • Configuration and integrations with other systems change over time, introducing new weaknesses or opportunities to cause harm

  • More and more advanced capability is becoming available to threat-actors.

You must manage your own risk

While security professionals can help inform discussions about risk, ultimately the decision is yours to make. Your context and risk-appetite will inform this decision, while we can help measure and communicate the risks. 

Security is a process

Consider these questions for your organisation:

  • How do we consider the security risk of planned changes or deployments?

  • How do we identify and respond to new security vulnerabilities?

  • How do we detect unusual activity and are we ready to respond to it?

The answers will help you identify what security resources, tools, and processes you should start with and consider in the future. As the situation changes, you must be ready to adapt.