Adversaries are waging guerrilla war on companies and government organizations, leveraging their limited resources and element of surprise strategically to score significant hits against even well-defended organizations. The attackers' advantage — they choose the place, time, and means of assault — gives them the utmost flexibility in plying their malicious trades.
On the other hand, organizations that prioritize the security of users, systems, and data are at a marked disadvantage, as both building and buying security capabilities introduce challenges to maintaining the necessary flexibility when facing an unknown threat. From business processes to buying mechanisms and implementation timelines, a host of things have the potential to stand in the way of flexible planning for cyber defense.
If proactivity in security preparedness is the goal (and it is), then flexibility has to be an integral characteristic of the plan. This is especially the case in the age where it is more accepted than ever that breaches are an eventuality and not just a possibility. Here are five ways to build more flexibility into your security approach.
1. Understand Wants vs. Needs
Prioritizing critical over niche defensive capabilities can be a hurdle that organizations must confront when planning for the unknown. With finite and often limited resources being the norm, these decisions can have far-reaching consequences when attacks do happen. For example, given the prominence of malware in modern cyberattacks, the ability to reverse engineer malicious code can be critical and necessary to responding and remediating a breach.
However, not all organizations should necessarily hire a full-time reverse engineer. There are a number of these kinds of capabilities that are needed but only in specific circumstances, and all organizations should be considering these capabilities and the "buy vs. build" cost-benefit ratio as they plan.
2. Assess and Reassess
Threat intelligence only addresses half the challenge. To truly prepare for unknown security threats, organizations must also know as much as possible about themselves and how their organization's security personnel, processes, and technologies will respond when faced with an attack.
Conducting regular assessments can help organizations understand their current cyber resilience and response, and where they may need help. But one-time assessments can only provide one-time understanding. The threat landscape and the organization's security functions are constantly changing in response to one another, so regular assessment (and reassessment) is necessary to stay ahead of the unknown.
3. Keep Resources in Reserve
In the battle against determined adversaries, cyber defenders can benefit from an age-old military strategy to help ensure victory: reserves. Defenders should not have to scramble to muster resources as an attack on their organization unfolds. Instead, organizations should do whatever possible (within reason) to keep some capabilities and resources in reserve (either on a retainer basis or available on an ad hoc basis) in case the designated resources prove ineffective or insufficient.
4. Overplanning = Underplanning
In security, there is such a thing as being too prepared for certain threats, as this can at times leave the organization vulnerable to other types of attacks. Likewise, a static security approach can leave the security function entirely unprepared to quickly adjust security stance to compensate for unpredicted or unknown risks like zero-day vulnerabilities or nation-state espionage. To avoid these pitfalls, organizations should take measures to build flexibility and nimbleness as much as possible into security programs.
5. Don't Go It Alone
It goes without saying that cybersecurity is a team sport, and the above considerations should be taken in this context. Surrounding security teams with a community: trusted partners, providers, collaborators, and information-sharing arrangements can make all the difference when planning for and ultimately responding to the unknown or unexpected.
Buying flexible services with on-demand features or the ability to use credits throughout the year to buy services, especially for cybersecurity education, can be an extremely useful part of the planning process. With the advent of revolutionary attacks and surprise threats, it seems a given that the unfolding evolution of cybersecurity – on the part of both attackers and defenders – will require each side to become more flexible and not less so. In the pursuit of cybersecurity success, be ready for anything.