Avoid dogmatic opinions if you wish to manage CyberSecurity properly!
Life is never black or white. That’s it. It’s the same for CyberSecurity: you may forbid something hazardous today that you’ll be able to grant tomorrow. It does not mean that you’re unstable, but rather that the risk has evolved. After all, CyberSecurity is a matter of managing risk, not defining a permanent or universal posture.
Let’s take an example: when social networks arose (that was a long time ago!), most companies simply banned access to them. At first there was no business need (remember “myspace”?) but rather an emerging high risk of data leakage or brand reputation damage. Then LinkedIn and other professional social networks were created, and more recently CASBs (Cloud Access Security Brokers) were developed to control precisely what users can do within the cloud application itself. CISOs could hence grant access to those social networks without endangering their company’s assets.
So before you study how to technically secure your systems and data, you should ask yourself what is at stake. It’s not a matter of choosing the best technology, but rather a matter of trust (i.e. what do you trust or not) and of the level of business risk you accept. To save time and money, don’t start by making technical decisions before you have identified those risks…
Another example is related to the move to the Cloud(s). I heard several people telling me that moving to the cloud always introduces more technical risks. Some even say that it simply jeopardizes your overall protection. This is simply wrong. Not only can systems and data be secured both on-prem and in the cloud, but cloud implementations even bring automation capacity (e.g. Infra as Code, shift-left testing, Puppet) that increases your ability to protect consistently against cyber-threats. However, without a proper risk analysis based on business needs, constraints, and legacy/available CyberSecurity solutions, you’ll never make it.
Analyzing risks requires evaluating both their probability of occurrence and their level of impact. Remember this famous quotation from Einstein: “God does not play dice”. Well, it starts by observing how often those risks have occurred or could occur (such as: will surely occur today or this month, will maybe occur this year, has never occurred at all and may never do). Similarly, for their impact you will need to define at least a 3-level scale, such as: usual and accepted as many times as it may occur, acceptable only once a year, or not acceptable at all. The latter would surely trigger a crisis and requires proper coverage via a Cyber-Insurance. Proper Cyber-Threat Intelligence (as we manage it at CIX-A!) is key to performing risk analysis.
Risk advisory (finding the best secure way to answer business requests) is a critical activity for every company. It requires proper organization, technology and processes to be defined, implemented, and enforced. In other words, you need a team (at least one individual appointed!), a methodology and proper tooling to process business requests. It takes time to be tuned and trained, but once it’s done, believe me, the return on investment is huge!