The concept of Corporate Defensive Domain is an aid to perception evolving from a vision of Physical Risk through IT Risk, Operational Risk to Governance, Compliance, Legal and Reputation Risks.
Corporate defense
Corporate security is purely defensive. There is no moral imperative that allows positive attacking action against threats and those that attempt to, or unequivocally, inflict damage on your organisation. Some but not all, of these attacks can be very determined and sophisticated because they are goverment funded and are either commercially or politically motivated. Most are just motivated individuals that can be classed as intellectual vandals.
As with all the good guys, you must work within the framework of the law and this only allows vigilance, defensive action, and possibly post-event retribution and compensation. The subsequent capture and imprisonment of a perpetrator may become a public spectacle. An apparent show of the success of your strategy and hopefully it will act as an example to others but in reality it is of limited effect and brings little solace to the organisation.
Showing your hand
There is also a view that public trials act as a learning curve for other attackers. The attacker creates an action on your perimeter and you display a measured reaction. Thus revealing some of your defensive strategy, processes and tools.
Security realms
There are many realms that exist in the land of security e.g. physical, electronic, virtual, etc. and there are many ways to look at and examine security. It can be viewed as a) a physical obstacle b) a process inflicted on reluctant personnel without explanation or c) an acceptable mindset that is instilled in the environment with the full involvement of the personnel. This latter approach should produce the best results, giving staff a sense of involvement, empathy and a real feeling for the potential consequences.
Secure personnel
It is critically important that your staff buy into securing the corporate domain because they are typically, the weakest link in the security of organisations.
Staff issues
- They are not so easily or reliably programmed,
- They don't always retain or apply knowledge appropriately,
- They are swayed and diverted by social engineering techniques,
- They have good and bad days,
- Their attention is inconsistent, etc.
- Their human!
There are many ways to examine Threats and Vulnerabilities in an organisation e.g. by geographical location, business type, resources used, historical or political instability, etc. Do you know and understand what criteria and imperatives are being used to drive changes in your defenses? Are they appropriate, operationally maintainable or cost effective.
Analyse the Risk
Organisations are are driven to respond to threats and are compelled to adopt more and more complex defense strategies to address and defend their security needs. Security policies and strategies dictate that a full gambit of approaches should be adopted, from standard process implementation to strict and intricate application frameworks but this has an operational and business cost implication.
The questions that are not always being asked are;
- What is the real cost of defending your business?
- How much are you likely to lose?
- Where will the danger come from and in what form?
- How will it impact us?
- What is our response capability?
- What is the overall Risk profile?
With the constant threat of intrusion and compromise, regular and detailed testing and re-examination of all your defenses are necessary but before you can realistically and effectively apply what you have learned, you need to conduct a detailed analysis and assessment of the Risks, the potential business impact and your response options .
7 Points to build stronger, more secure Corporate Defenses
- Create executive level authority and responsibility for Corporate Defense, policy and implementation
- Assess your strengths and weaknesses using mature Risk management methodology
- Examine the interdependencies between your tools, processes and defensive positions. Strengthen the perimeters and communications
- Map and review your Corporate Defense Domain strategy, continuously, in a structured and determined manner.
- Determine, test and examine areas of Convergence, for overlap and gaps. Establish strong boundary defenses and stringent hand-over criteria
- Develop a single hardened core entity, an authoritative cross functional discipline, incorporating Governance, Compliance and Risk
- Lock the perimeter gatesways, give the spare keys to your organisation to the central hardened core and prepare yourself for the next attack
No comments:
Post a Comment