On October 19, 2021, we published the book, "Modern Cybersecurity: Tales from the Near-Distant Future". This is an excerpt from a chapter by Yolonda Smith.
Security as a function is extremely reactive, relying on anecdotal evidence and best practice guides in order to characterize and remediate issues on an ad-hoc basis. We lack end-to-end visibility into the nature and configuration of our systems and devices, leading to a security posture that is fractured and untenable. Security often comes at the tail end of project planning and procurement, almost as an afterthought. This slows down development and implementation or, as often is the case, security controls are bootstrapped at the end, which is neither sustainable nor scalable. It becomes a constant game of playing catch-up and patch-up trying to balance and characterize the needs of the business with an ever-evolving landscape of threats with novel attack paths to exploit the business.
This becomes even more problematic as we consider the sheer volume of opportunity for data to move from places of fairly high control to places of low or no control. Today's workforce needs to be able to work from anywhere with reliable access to the business information to make decisions and execute goals. Furthermore, the sources of data are more ubiquitous than ever. As my father would say, "everything talks to everything and we're all drowning in the noise." With the exception of very large organizations or those bound by regulations to do otherwise, we're rapidly moving away from the days of each company having its core business operations sitting in a comm closet, with rows and rows of racks, switches and servers, governing a set of well-known, well-understood assets owned and operated by the company IT team. There are fewer people available to manage and secure more things, so how do we keep up with it all?
Rather than focusing on what will change with securing these assets, let's start with what we know won't change:
- Businesses will still have to make money and organizations will always have to deliver on what makes them unique and valuable. Brand and reputation are key contributing factors toward which initiatives are prioritized and which aren't. No security control we put in place, now or in the future, should ever supplant those fundamental requirements. To that end, the assets required to support primary functions will always require protection.
- Identity and access management will always be a critical need. Securing our assets means first and foremost ensuring that the right people have access to the right things to perform a specific purpose. If there's any one area or domain which warrants additional investment over time, it's this one. The proof is in the proverbial pudding: as general consumers have continued to deal with breaches of their personal data, the tide has begun to turn in favor of preventative technologies like password managers and multi-factor authentication.
- Sloppy handling of people's personal data is a good indicator of a mismanaged business. Whether it's employee data, student data, or consumer data, the most important job of any security-sensitive business is to ensure that data is classified and handled with the utmost care. Carelessness or underinvestment on this front is a direct reflection on where the business places its value as a whole, what initiatives the business chooses to prioritize and which risks they choose to accept. In other words, are they simply comfortable sending out the 'your security is important to us' emails, or is the business making concrete investments in people and processes to demonstrate a commitment to protecting sensitive information? If the answer is the former, no amount of changing how assets are secured will make a difference.
- Connectivity is king. It is always more important to be able to communicate than it is to communicate securely. Any security control which negatively impacts people's ability to do their jobs will see less adoption and will be met with friction and potential ridicule.
If we start with these assertions as foundational truths, then building a security strategy toward protecting cyber assets becomes much less about protecting physical assets; rather it becomes about understanding and protecting the data.
So what is changing? With a focus on securing modern cyber assets, let's define what "asset" means once more. According to the NIST Glossary, an asset can be "anything that has value to an organization, including, but not limited to, another organization, person, computing device, information technology (IT) system, IT network, IT circuit, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards)." The tactical representation of assets includes employees, customers, internet of things (IoT) devices and networks, cloud environments, personally owned or employee-owned devices, corporately-owned devices, and data generated to support company interests, including information discussed in public forums like social media accounts.
From a technical perspective, the risks against these assets are fairly well-known and the mitigations to resolve them are fairly straightforward. However, there is an entirely new school of assets that requires more innovative thought about how to understand, manage and mitigate the risks against them. Artificial intelligence and machine learning capabilities have spawned a new class of threats, including data poisoning, which leads to real-world impacts affecting people's lives, safety and freedom.
In my current role at sweetgreen, I'm challenged to consider how upstream attacks can impact our ability to deliver on a trustworthy experience to our guests and team members. For us, it's not just about protecting the restaurants, though that certainly is a big focal point. For example, an attack on a water treatment facility in Florida directly impacts whether or not we can safely sell salad in Miami or Orlando; a ransomware event against a major gasoline and fuel distributor determines whether or not our suppliers can deliver fresh ingredients into our restaurants in time for the daily lunch rush. So what does this mean? Do we count the Colonial Pipeline as one of our assets? No, but by virtue of its importance to our ability to deliver our product, it definitely is an item of interest to us. We are finding more and more frequently that we have to revisit our risk mitigation strategy to account for assets outside of our direct control. What about the remote access tools our vendors keep on our systems to maintain their own software and capabilities? We absolutely consider those our assets. For the purpose of this discussion, protection of assets will be limited to steps we can take to defend the things that are under our direct control.
When it comes to security at sweetgreen, our success depends on our ability to tell the story as it's happening. We must be able to understand all the actors ("assets"), determine who the key players are ("prioritized assets"), what role they play (function) and how they fit in the overall context of the plot (purpose). Are they only here for a chapter, or will this be a recurring character for the duration of the story? Are they conducting themselves in a manner befitting sweetgreen's best interests or are they behaving in a way which will ultimately hurt the business?
Like many companies, we were forced by the COVID-19 pandemic to rethink how to protect our known assets and where the lines of demarcation were. As an example, we have a full battery of controls in place on our corporate networks in the office; however, could we enforce those same controls in individual homes on private, shared or untrusted networks? Certainly not without taking on expensive technology and operational investments at a time when we were trying to streamline costs to ensure the business remained viable. We revisited which risks we were willing to accept, and which we were not willing to budge on, in order to coach the rest of the business accordingly.
This has been an excerpt from Yolonda Smith's chapter, "Preparing your organization to adopt a security practice" in the newly released book, "Modern Cybersecurity: Tales from the Near-Distant Future". You can read the rest of the chapter as a free, digital download or purchase a hard copy on Amazon.