Friday, 1 February 2013

Resilient Information Security

I recently had the opportunity to speak at the Edinburgh Symposium on Information Security: Governance, Sharing and Risk in a Digital Age on the topic of resilient information security. Testing for an organisation's resilience to an Information Security incident is an area of research that I have created and developed.

I have worked within the technical security market for the last thirteen years, where I have gained a wealth of experience through the delivery of technical security tests for both private and public sector organisations, and I have dealt with many large-scale and high-profile security incidents. During this time I have realised that we, as an industry, have only put half of the puzzle in place in terms of our approach to assurance, and we should be doing more.

Resilient Information Security Assurance is an area that I have developed to fill this gap. 

For many organisations, their approach to Information Security results in a fortress mentality that focusses on the implementation of defences and preventing an attack. This approach has directly influenced compliance and assurance approaches, such as vulnerability scanning and penetration testing. It is often acknowledged, however, that we cannot build sufficient defences to be 100% secure while allowing our organisations to effectively carry out their business, and as such, for many this siege-based approach and its associated assurance methodology is no longer acceptable.

When presenting on the issue of Information Security, one of the main conclusions that I keep returning to can be summed up as follows:

We should approach this problem from the point of view of business resiliency, which captures the ability for an organisation to be robust to attack and to be able to detect, react and recover from any incident.

So, given this, why do we still silo our assurance activity? 

We need a new approach to security assurance that not only tests for an organisation's defensive posture, but also assesses their resilience to attack. It's time for 'Resilient Security Testing'.

Resilient Security Testing
How can we achieve this? At a high level, by changing our assurance activity from an often narrow, isolated focus to a more holistic approach that assesses an organisation's position against the following four core areas:

This holistic view will enable organisations to test that they have in place a system that is resilient to an attack, thus building resilience into the management of Information Security. Doing so will enable organisations to deliver the right balance between security and operational, business, and regulatory requirements, while enabling them to gain the assurance that such systems actually deliver the required results.

While I have developed this new approach, 7 Elements are leading its development. We will follow this blog post with a paper dedicated to further detail on how each of these areas can be tested and the outcomes we would look for.

As part of our commitment to support the wider Information Security community, we have also established and will provide ongoing support for OSSRAM, the Open Source Security Resilience Assurance Methodology. This will provide a platform for individuals and organisations to work together in the development and delivery of a robust and open source assurance methodology.