Every year, organizations not only obtain more sophisticated threat intelligence but also get better at making that intelligence actionable. We are more proactive in addressing cyber security threats than ever before, so why do we still experience breaches? Several factors come to mind: the dynamic, ever-changing nature of cyber attacks, the increasing complexity of highly integrated systems, and an unresolved gap in hard skills among cyber security professionals. But there is another threat, one even more damaging to foundational security: the way organizations treat cyber security assurance itself.
This may seem counterintuitive. As cyber security professionals, we surely should be able to examine a system's controls, architecture, and applications and arrive at a level of confidence in the system's security. How can that process itself pose a threat? The answer is simple: to be effective, security assurance protocols must be executed correctly every time, yet they are just as susceptible to error as any other element of a security program. An assessment that overlooks a trust boundary or accepts a claim at face value produces confidence without the evidence to support it. If we place too much trust in these protocols, we risk falling victim to what one might call our most significant insider threat.
When bringing systems on board, companies invest substantial resources in attaining a sense of safety. They look to cyber security professionals for confirmation that business decisions are sound from a security perspective, that projects and initiatives can move forward with confidence, and that all contingencies have been anticipated. As the experts responsible for providing that feeling of safety, we too seek validation. We have our own professional benchmarks to meet, and we need to feel that the decisions we influence are free from the risk of negative consequences. In our eagerness to attain confidence for ourselves and the companies we serve, we may rush into dangerous mistakes: failing to examine our assumptions, accepting conventional wisdom, and even ignoring the fact that no system can be made truly flawless. When we succumb to confirmation bias or sacrifice thoroughness to meet tight deadlines, our security assurance processes cease to be effective and can themselves become a threat. The results may be devastating: a response SLA overlooked in a contract review that later undermines recoverability, or a catastrophic information disclosure because an architecture that exposes sensitive company or client data was accepted without scrutiny.
As stakeholders in cyber security assurance, how should we counter this underestimated threat? First, we must understand our role. Companies do not engage in security for its own sake; they rely on security professionals to help secure positive business outcomes. We partner with our organizations to identify potential issues and to mitigate them through controls. We cannot afford to accept assurances as controls: a vendor's attestation, an architect's diagram, or a past audit result is a claim, not a safeguard. Instead, we must apply critical thinking to each evaluation, always probing beyond the information provided to confirm that what is being put forward will not introduce unexpected risk once deployed. We add value when we creatively implement controls that may not have been considered before and that, once applied, give users clarity.
We are most effective when we present risks to our organizations as transparently as possible. While many risks can be reduced to an acceptable level or even eliminated, others remain even after controls have been applied, and it is our responsibility to give our partners an accurate understanding of that residual risk so that they can make informed decisions about how to move forward. It is difficult to imagine a more dangerous threat than a false sense of security. By taking a thoughtful and rigorous approach to security assurance, we can offer something far more valuable than unfounded confidence: a true understanding of risk on which wise decisions can be made.