Ever wonder why Stuxnet was so efficient?
Could it be that Stuxnet’s creators had such a deep understanding of industrial processes that they were able to simulate the introduction, wide propagation and stealthiness of this worm? I bet they had a much better understanding of these processes than the target’s own security officers and risk managers!
How many Cyber Security and Business Continuity professionals out there have been able to delve into the details of business processes?
How much time did they spend with process owners? Were they lost in translation while trying to collect the latter’s needs in terms of Confidentiality, Integrity, Availability and Traceability?
How did they manage to break the ice with business line representatives who are fed up with technical jargon and who have long been victims of “death by PowerPoint”?
How many practitioners have adopted “visual thinking” techniques to cross silos and engage in a constructive dialogue with the only parties capable of evaluating the business impact of a given breach or incident?
How many practitioners consider data classification a daunting, insurmountable endeavor? How many have really tried to overcome this “hurdle”, as they put it? How many have tried to cross corporate silos?
Have we yet reached the intimate belief that we cannot achieve efficient Information Security and Business Continuity without a clear understanding of business and industrial processes?
The key is to see clearly how data flows through people, process & technology and this can be achieved through one or more of these techniques:
You can start with a blank or pre-drawn BPM page, with all stakeholders at the table (CISO, BCM, Risk Manager, Business Lines, CTO, CIO, HR, …), and use some form of visual thinking and a common language to take a snapshot of your current processes, the actors involved, the data flowing, internal and external interdependencies, supporting assets, etc.
Or you can go through some form of automatic process discovery and try to reconstitute the business workflow through the management and analysis of structured and unstructured data.
Or you can abide by a formal, structured way of communicating the logical and physical relationships and dependencies between IT assets and resources (Ownership, Business Processes, Applications, Systems, Hardware, and Infrastructure) that define the business services of a modern enterprise or industrial site.
We are pretty sure there is no other way to get a good grasp of information, whether it is processed, transported or stored in ever-growing information and industrial systems.
It’s up to you to see which of these three approaches is your lowest-hanging fruit. Stop complaining and lagging behind! Break your political isolation and go out to the business to gather their security requirements!
To survive in the Cyber Space, Offense and Defence must inform each other and silos must fall!
Out-engineering attackers will only be possible if we master our business and industrial workflows!
Your comments are more than welcome!