So before you study how to technically secure your systems and data, you should wonder what is at stake. It’s not a matter of choosing the best technology, but rather a matter of trust (i.e. what you trust or not) and of the level of business risk you accept. To save time and money, don’t start by making technical decisions before you have identified those risks…
Another example is related to the move to the Cloud(s). I heard several people telling me that moving to the cloud always introduces more technical risks. Some even say that it simply jeopardizes your overall protection. This is simply wrong. Not only can systems and data be secured both on-prem and in the cloud, but cloud implementations even bring automation capacity (e.g. Infra as Code and Shift-left testing, Puppet) that increases the ability to protect consistently against cyber-threats. However, without a proper risk analysis based on business needs, constraints, and legacy/available CyberSecurity solutions, you’ll never make it.
Analyzing risks requires evaluating both their probability of occurrence and their level of impact. Remember this famous quotation from Einstein: « God does not play dice ». Well, it starts by observing how often those risks have occurred or could occur (such as: will surely occur today or this month, will maybe occur this year, has never occurred at all and may never do). Similarly, with regard to their impact, you will need to define at least a 3-level scale, such as: usual and accepted as many times as it may occur, acceptable only once a year, or not acceptable at all. The last would surely trigger a crisis and require proper coverage via a Cyber-Insurance. Proper Cyber-Threat Intelligence (as we manage it at CIX-A!) is key to performing risk analysis.
Risk advisory (finding the best secure way to answer business requests) is a critical activity for every company. It requires proper organization, technology and processes to be defined, implemented, and enforced. In other words, you need a team (at least one individual appointed!), a methodology and proper tooling to process business requests. It takes time to be tuned and trained, but once it’s done, believe me, the return on investment is huge!
Olivier Daloy – CIX-A Vice-President