This is the second in a series of three blog posts focusing on Critical National Infrastructure (CNI) cybersecurity. This blog looks at the problem space through the lens of "People and Processes."
- Enterprise security challenges for CNI organizations: Overview
- Enterprise security challenges for CNI organizations: People and processes
- Enterprise security challenges for CNI organizations: Technical solutions
As mentioned in the previous blog post, CNI cybersecurity is not just a technical problem—technology and tools can be enablers to help reduce risk, but you should also identify the "people and processes" required to put good security practices in place.
"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." - Bruce Schneier
For those of you aware of the Open Systems Interconnection (OSI) model, you can see people as "Layer 8." To take the analogy further, you could say that organizational processes, governance and policies are "Layer 9." People are needed to put all the relevant pieces together correctly to reach the desired state of security.
Imagine buying a bookshelf from a certain Nordic flat-pack retail company. You have all the relevant parts and documentation to create the bookshelf, but you don't have the actual skills to piece them all together. If you continue without the appropriate skills, you may end up with a bookshelf that isn't fit for purpose or, even worse, could actually be dangerous. The equivalent scenario could cause a catastrophic event within a CNI organization. Therefore, enabling Layer 8 security is paramount to enhancing the security posture of all CNI platforms. IT engineers and administrators must understand how to build, configure and integrate the various products to reach an agreed end state using repeatable and compliant methodologies.
Several security-related phrases bear this out, such as "security is everybody's concern," "security is a process, not a product" and "security is key to your business success." You can create a "security by design" culture and embed security processes earlier into the platform design and architecture phases by having trained and security-aware staff across the whole CNI organization.
There are many cybersecurity training areas that could be beneficial for CNI organizations. These include:
- CNI threat intelligence techniques
- Cloud security processes
- Data protection
- Data sovereignty
- Social engineering
Making this behavioral and cultural shift to a DevSecOps-focused mindset doesn't happen overnight. It takes perseverance and a willingness to change. CNI organizations need to fully understand all security and safety aspects before making any major changes. This understanding should come from a bottom-up and a top-down approach. Engineers and developers must embrace security via osmosis as part of a cross-functional team or through official training (either internal or external). Senior managers and CISOs should articulate the security requirements and risk management strategies across the organization so that every staff member understands why they need to build in security by default.
Security processes are a series of steps followed as a consistent, repeatable approach or cycle to improve security within organizations. For CNI organizations, stability and resilience are critical to drive continuous operations. Processes should be certified, repeatable and automated where possible.
In addition to individual internal processes, CNI organizations have requirements and governance policies laid down by various regulatory bodies. Being able to provide attestation to these requirements means implementing many processes, some of which could benefit from being automated.
Oftentimes, security risks are born of honest mistakes, or of people making necessary compromises to make technology usable on a daily basis. If a computer doesn't help a user encrypt a file and keep it encrypted through daily use, then the file goes unencrypted. If a computer doesn't help a user manage passwords, then the same password gets used for everything. It's human nature, but it's easy for computers to perform the steps that humans don't have the time or mental energy to do themselves.
Work with your users to discover what could be made easier through automation. Find the shortcuts people have to take, whether they like it or not, to save time and energy or just to make two applications work together, and then build automation to solve those problems. This can start with the IT and DevOps teams, where automation tends to be integrated, at least to some degree, with existing workflows already. Expand the principle out to other users from there.
Improving and optimizing the way your users work is important to the security of your CNI organization. The more you provide users with tools and techniques to enable best practices, the safer your organization becomes at every level.
Discovering what users need can be a challenge, and it's important to implement solutions in such a way that they improve rather than slow down work. But this is a puzzle that can be solved with careful consideration and a lot of listening to the humans involved.
Find out what you can do to improve how data is processed. When it comes to automation, don't try to automate everything in a "big bang" approach. Identify simple tasks to be automated, then take the time to optimize those tasks first. Remember, if you automate a bad process, you will just end up with a bad process that runs faster! Automating well-optimized tasks helps users avoid mistakes and helps ensure computers are using the same reliable and secure methods of data transfer and processing, no matter what.