Ideas for Strengthening Cyber Security
Sep 18, 2018
- Understand the gap between human behavior and the speed of technological innovation. Nearly all attacks demonstrate that humans are not keeping up with the complexities of new technologies. As the gap widens, the number and severity of attacks are increasing. For example, a human (or a group of humans) made a choice to add unfit and vulnerable routers to the network at the Bank of Bangladesh.
- The objective for all code writers / programmers should be to make whatever they create as secure as possible. This requires injection of stringent security thinking into this community as it clearly does not uniformly exist today. Starting at the very basic level of early informal education and progressing to formal education and later to gainful employment is absolutely critical.
- Carefully evaluate vulnerabilities of all existing and desired software and hardware products. Be skeptical about manufacturers’ claims. Visit their R&D and manufacturing facilities to see how well they protect their own assets. Observe behaviors and understand their organizational cultures. Determine whether there’s any negative history relative to a manufacturer and their products. Understand whether you have sufficient skills in-house to manage the products you purchase to their fullest capability.
- Product testing must always include all known attack vectors, including malicious or just negligent human interference.
- Inventory, definition, and criticality prioritization of data, software, and hardware assets relative to risks and threats should be routinely questioned and verified through robust in-house and third-party reviews by individuals who can demonstrate high proficiency in this area (consider those who perform root-cause analysis). Perhaps testing, certifications, and, most importantly, ongoing professional re-certification for such practitioners should be more intensive and standardized globally.
- For vulnerabilities that already exist, implement methodical and ongoing behavior modification for users and those responsible for systems’ resilience to increase vigilance and integrity aligned with your asset criticality levels. Draw from the vast research in social, behavioral, and organizational psychology to derive applicable behavior change methods. Look up Daniel Kahneman, the Heath brothers, Robert Thaler, Cass Sunstein, Marshall Goldsmith, Robert Cialdini, BJ Fogg, and others.
- Implement dynamic network re-configurations and file structure relocations with at least three layers of detection and alert triggers around critical assets when abnormal conditions are present. It is critical to confuse your adversaries as much as possible as they try to penetrate your defenses and reach your critical assets. Static targets are more vulnerable than dynamic ones. This idea is offered with full appreciation that some innovation may be required to achieve suggested controls.
- Move forward from thick, narrative-based incident response plans to role-based workflows, and conduct frequent (at least quarterly) announced and unannounced role-plays for designated incident responders and their back-ups. It is much easier to follow, understand, and remember a workflow based on one’s individual responsibilities than unattributed paragraphs of text.
- Monitor emotional health and behavior patterns of people with access to your critical assets. This can be done through a combination of behavior analysis software, frequent management oversight, wellness surveys designed and supported by HR, and periodic background checks and integrity tests for select groups of people with access to the most critical assets.
- Implement new leadership styles discussed by the likes of Marshall Goldsmith, Simon Sinek, and others like them to foster loyalty, integrity, and a sense of safety within the organization. To paraphrase Sinek, if you take care of your people, they will take care of your organization.
- Demand timely action on every decision or idea related to mitigation of vulnerabilities. Without individual accountability and consistency of results, your asset protection will not be sustainable.
Soar above mediocrity!