posted by Fnord666 on Sunday October 06, @01:39AM
from the the-world-ended-what-do-we-do-now dept.

The Harvard Business Review ran a piece back in July 2024 on the future of computer security,
https://hbr.org/2024/07/when-cyberattacks-are-inevitable-focus-on-cyber-resilience

Well written (imo) in straightforward language, the gist is:

What is cyber resiliency? And why is it different than cyber protection?
A prevention mindset means doing all you can to keep the bad guys out. A resilience mindset adds a layer: while you do all you can to prevent an attack, you also work with the expectation that they still might break through your defenses and invest heavily preparing to respond and recover when the worst happens. Resilient organizations specifically devote significant resources to drawing up plans for what they will do if an attack happens, designing processes to execute them when the time comes, and practicing how to put these plans into action. Prevention is critical — but it's not enough.
[...]
Yet in my work as a researcher in conversation with chief information security officers and other cyber experts, I have noticed that many leaders focus most, if not all, of their security resources on prevention and leave recovery to business continuity plans that aren't usually designed with cyber incidents in mind. Instead, leaders need to embrace a mindset of cyber-resilience.

The HBR readership is (I believe) tilted toward C-class executives, so this may well filter down into IT departments. Anyone here seen any signs of a push toward "resilience" recently?

Paywalled? Try https://archive.is/CSFA3



  • (Score: 2) by krishnoid on Sunday October 06, @01:56AM (1 child)

    by krishnoid (1156) on Sunday October 06, @01:56AM (#1375911)

    ... leave recovery to business continuity plans that aren't usually designed with cyber incidents in mind.

    If they're already familiar with the concept of business continuity plans, then add cyber recovery -- computing resources, data, services -- into the plan. Some of these things need to be interleaved among the other business continuity recovery steps anyway -- e.g., a third-party chat mechanism, then restoring cloud services from a backup if needed, then the local network, then Active Directory while other things like natural disaster recovery are coming up, etc. It's already part of the CISSP certification [infosecinstitute.com] requirements.

    • (Score: 3, Informative) by zocalo on Sunday October 06, @08:03AM

      by zocalo (302) on Sunday October 06, @08:03AM (#1375937)
      This has all been a concept for at least two decades, so I guess it's nice that Harvard has finally arrived in the 21st Century? "Anyone here seen any signs of a push toward "resilience" recently?" Define "recent". At least in critical infrastructure we were starting to really get to grips with all this a decade or more ago (with varying levels of success) and it's now pretty much BAU where it counts (again, with varying levels of success). I can only assume that this article was actually aimed at all the clueless MBAs who think the only thing that matters is cutting costs that Harvard et al are busy churning out, because anyone with a clue should already know - and do - all this.

      Most of what they are saying is, as you note, embedded in certifications like CISSP, but it's also been in things like CIS Core Controls, Defence in Depth strategies, and other similar best practice guides from multiple government advisory bodies and regulators for ages - certainly back to the late 1990s/early 2000s because I can remember working on ensuring compliance of a system being put in place as part of Y2K upgrades. In many countries, it's also already backed by a legal requirement to have all this in place, especially for owners and operators of critical infrastructure or other heavily regulated sectors, e.g. the UK's NIS Regulations of 2018, and there are a number of well established corporate accreditations that require you to have this kind of resilience as well.

      Better late than never, I suppose, and if it mops up a few more of the laggards then that's good news for everyone as there's less chance of their compromised systems being leveraged to launch further attacks or even more of our personal data being leaked. Quite frankly though, if this is news to anyone, I'd like to know who that is so I can ensure they're not anyone my clients and I are doing business with.
      --
      UNIX? They're not even circumcised! Savages!
  • (Score: 5, Insightful) by stormwyrm on Sunday October 06, @05:00AM (3 children)

    by stormwyrm (717) on Sunday October 06, @05:00AM (#1375931) Journal
    Bruce Schneier, arguably the most famous security guru of them all, has the famous dictum: security is a process, not a product [schneier.com]. He has been saying this since at least the late 1990s, and it's taken more than 24 years for these folks to finally get it? This stuff about "resilience" is what Schneier has called defense in depth, also discussed in detail in the linked essay. None of this is new, Schneier has been talking about this stuff for more than two decades.
    --
    Numquam ponenda est pluralitas sine necessitate.
    • (Score: 4, Interesting) by driverless on Sunday October 06, @08:29AM (1 child)

      by driverless (4770) on Sunday October 06, @08:29AM (#1375938)

      It's also just a re-buzzwording of an existing term, "intrusion-tolerant systems", which dates back around 25 years.

      • (Score: 2, Informative) by RTJunkie on Monday October 07, @09:15AM

        by RTJunkie (6647) on Monday October 07, @09:15AM (#1376076)

        Please be patient with our pointy-haired business types. They're a little slow.

    • (Score: 3, Interesting) by canopic jug on Sunday October 06, @10:53AM

      by canopic jug (3949) Subscriber Badge on Sunday October 06, @10:53AM (#1375940) Journal

      Bruce Schneier, arguably the most famous security guru of them all, has the famous dictum: security is a process, not a product.

      Yet, conversely, snake oil is a product and not a process, and that has started to misdirect lots of money [bastiat.org] in the last two decades. That misappropriation of money in turn helps buy congressmen to (re-)write legislation according to the wishes of lobbyists, who often even supply the very text brought to the floor for a vote. The lobbyists work towards laws eliminating secure development and design, and instead work for a world view where 'security' is a box-ticking exercise as well as an after-market add-on and not part of the very design process. Thus you end up with situations where Linux, OpenBSD, and FreeBSD systems are banned due to not fitting into the m$ marketing sales stream because of a lack of such aftermarket add-ons and boxes to tick.

      --
      Money is not free speech. Elections should not be auctions.