CEOs: 3 questions to reduce cyber experts to jelly

This is a contributed piece by Andrew Nanson, CTO of cyber at CORVID


Technology has opened up many new opportunities for attackers, and to understand them all in detail you would need to be deeply immersed in the subject of cyber-security. But that does not mean that chief executives of today should be totally reliant upon experts who have previously worked within the intelligence community. I'm yet to come across any self-professed cyber expert who does not claim to have previously worked in the intelligence community.

And so, with these three simple questions every CEO can reduce most cyber experts to jelly:


Question 1: "How many attacks got past our firewalls and anti-virus this month?"

There is a slight problem with firewalls: people think that they prevent attackers from hacking into computer systems. Perhaps they did 20 years ago. But attackers have evolved in the last 20 years and now use different techniques to evade firewalls. So you need to have one, but they don't necessarily stop people from breaking in to your systems.

Anti-virus is a brilliant piece of software and a fundamental application that no computer should be without. One snag: it won't always stop computer viruses. You would think that this is exactly what it would do. It's called "anti-virus" after all. However, the anti-virus software can (in the main) only stop viruses and Trojans (all types of malicious software that we call "malware") if it has seen them before.

If it is a new type of malware, or even an old one which has had a little bit changed, then there is a very good chance that your software will not detect it to begin with. This is not because the software is bad, or even because the anti-virus company does not know what they are doing. The chances are that if it was up to the geeks and propeller-heads within each anti-virus company then the anti-virus software would stop almost every type of virus possible.

The problem is that to do that it would also end up stopping a whole bunch of applications that are not viruses. You see, if the anti-virus company has not seen the virus before then it needs to use a technique (often referred to as heuristics) where it looks at the behaviour of the application. If the application does something that could be bad, then the anti-virus software would like to stop it and prevent it from functioning. However, this results in a lot of "false-positives" (categorising a harmless application as a bad one) and would frustrate and possibly scare users.

Consequently the anti-virus companies all tend to be a little bit cautious about what they identify as a virus. If they are 100% sure that it is a virus (because they've seen that exact piece of malware before) then they will normally be able to stop it. But if the software is only 80% sure that it is a virus, then it will probably say absolutely nothing to the user. Of course the other problem is that all the attackers test their viruses and malware against the top 10 anti-virus products before releasing them, just to be sure they are going to work. The chances are that if the malware has only just been released, no anti-virus product will be able to detect it for at least a few days.
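To make the trade-off concrete, here is a small added illustration (not code from the article or from any anti-virus vendor) of the two decisions described above: an exact-match signature lookup, and a behaviour-based heuristic score that is compared against a confidence threshold. The samples, indicator names and weights are all constructed for the example; a real engine derives behaviour from execution, not from strings in a byte buffer.

```python
"""Toy signature-plus-heuristic scanner. Constructed example: the
"malware", the benign tool, the indicators and their weights are made up."""
import hashlib
from dataclasses import dataclass

# Constructed "seen before" database: the SHA-256 of one known sample.
KNOWN_MALWARE = b"MALWARE-SAMPLE-v1: steal-creds; persist; beacon"
SIGNATURES = {hashlib.sha256(KNOWN_MALWARE).hexdigest()}

# Constructed behaviour indicators, each worth a number of confidence points.
INDICATORS = {
    b"steal-creds": 40,
    b"persist": 30,
    b"beacon": 10,
    b"modify-registry": 10,
}

@dataclass
class Verdict:
    name: str
    signature_hit: bool      # exact match: the "100% sure" case in the text
    heuristic_score: int     # 0..100 confidence from observed behaviour
    blocked: bool

def scan(name: str, data: bytes, threshold: int) -> Verdict:
    """Block on a signature hit, or when the heuristic score meets the threshold."""
    signature_hit = hashlib.sha256(data).hexdigest() in SIGNATURES
    score = min(100, sum(points for ind, points in INDICATORS.items() if ind in data))
    return Verdict(name, signature_hit, score, signature_hit or score >= threshold)

# Constructed samples: the known malware, the same malware with one byte
# changed (so the hash no longer matches), and a benign backup tool that
# also persists, touches the registry and phones home to cloud storage.
SAMPLES = {
    "known_malware": KNOWN_MALWARE,
    "modified_malware": KNOWN_MALWARE.replace(b"v1", b"v2"),
    "backup_tool": b"BACKUP-TOOL: persist; modify-registry; beacon",
}
BENIGN = {"backup_tool"}

def run(threshold: int) -> dict:
    """Scan every sample at the given heuristic threshold."""
    return {name: scan(name, data, threshold) for name, data in SAMPLES.items()}

def missed_and_false_positives(threshold: int) -> tuple:
    """Return (malware that got through, benign apps wrongly blocked)."""
    verdicts = run(threshold)
    missed = sorted(n for n, v in verdicts.items() if n not in BENIGN and not v.blocked)
    false_pos = sorted(n for n, v in verdicts.items() if n in BENIGN and v.blocked)
    return missed, false_pos

if __name__ == "__main__":
    for threshold in (100, 80, 50):
        print(threshold, missed_and_false_positives(threshold))
```

At a threshold of 100 only the signature hit is blocked and the lightly modified sample walks through; at 80 it is caught with no false positive; at 50 the benign backup tool is blocked too. That is the corner the vendors are cornered into: the tuning that catches the modified sample on day one is the tuning that starts flagging legitimate admin tools.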

So when a chief executive asks the question "how many attacks got past our firewalls and anti-virus this month?" they are essentially saying: "I know that firewalls and anti-virus will not prevent all the attacks. How are you detecting the ones that cannot be caught by these two mechanisms?"

At this point I should warn you that if your security lead repeatedly tells you "none" over a 12 month period then either you don't have any computers, you don't have any users, or you don't have a security lead that knows how to detect an attack. There is a very remote chance that you never get compromised. It is possible. Mathematically at least.


Question 2: "What are we doing to reduce the window of opportunity for an attacker?"

If you have a strategy that assumes you can prevent attackers from ever getting into your system, then you are probably spending around 50% of your revenue per year on cyber defence. Assuming you are not the NSA, then it is more likely you are spending around 0.1% of your revenue on cyber-defence.

Preventing all possible cyber-attacks is, at best, a very ambitious strategy. Let me put it another way: it is highly unlikely to succeed. If you have a computer system that is completely separate from the Internet and never connects to it ever for anything and does not have network connections to any other company or device that does connect to the Internet, then you may have a chance. But new attack-vectors are being developed every day and it's obviously cost prohibitive to prevent attacks that most defenders have never even thought of. It is much more likely that your security lead (whether they have articulated it or not) is following a strategy along the lines of:

Prevent attacks where economical to do so - detect the ones that are not - recover quickly and efficiently from all attacks.

So the question becomes: "I know that any strategy that assumes that you can prevent all attacks from ever getting into our company is going to fail. I also know that relying on anti-virus and firewalls as the only detection mechanism is a weak strategy that the attackers are already prepared for. In business terms it is important that attackers are detected quickly to reduce their impact on computers that have been hacked. So what are you doing to reduce the time they have (window of opportunity) between getting into our computers and being detected?"

Of course there is a risk that your security lead then tries to use this as an excuse to increase budgets, or comes up with lots of technical jargon that makes no sense (even to cyber professionals!) as they may feel quite threatened by this question. If the security lead is relying on anti-virus and firewalls to protect your computer systems, then you probably need to find this out sooner rather than later.


Question 3: "What is the average cost per security incident?"

If you add up the costs for all the firewalls, anti-virus software, cyber-security experts, special security software, specialist consultancy - essentially the entire budget for IT security - and divide it by the number of incidents that were investigated per year, what figure do you get?

If the cost is greater than £20k ($30k) per incident then you may have a problem. You may be spending a lot of money on cyber-defence, but is it being spent appropriately? Are you spending too much money on technology that does not produce real improvements to your security situation? For example, if I go on an adventure holiday, spending a fortune on mosquito defences may sound like a great idea, until you realise that my adventure holiday is in the Arctic. It's the same with cyber defence. Spending money is easy. Spending money so that it makes a positive impact is difficult and challenges the security lead to understand how to get the biggest improvement for the lowest cost.

This question is challenging their entire strategy without having to know a single thing about technology. But it is vital that all cyber-defence strategies have a measurable output. Cost vs. benefit is probably the best metric that can be used and will really test all elements of the cyber security approach.
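All three questions can be answered from an incident register rather than from opinion. The following is an added example (not from the article or from CORVID) that computes each answer from a constructed 12-month register: how many incidents were found by something other than the firewall or anti-virus (Question 1), the median and worst dwell time between intrusion and detection (Question 2), and the cost per investigated incident (Question 3). The incident records, detection sources and the annual spend figure are all made up for illustration.

```python
"""Three CEO questions answered from a constructed incident register."""
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed register for one year. "intrusion" is the earliest evidence of
# the attacker's presence; "detected" is when the security team first knew.
INCIDENTS = [
    {"id": "INC-1", "detected_by": "anti-virus",
     "intrusion": "2016-01-04T09:00", "detected": "2016-01-04T09:05"},
    {"id": "INC-2", "detected_by": "proxy-log-review",
     "intrusion": "2016-02-10T14:00", "detected": "2016-03-01T10:00"},
    {"id": "INC-3", "detected_by": "user-report",
     "intrusion": "2016-04-20T08:30", "detected": "2016-04-22T16:00"},
    {"id": "INC-4", "detected_by": "firewall",
     "intrusion": "2016-05-01T00:00", "detected": "2016-05-01T00:01"},
    {"id": "INC-5", "detected_by": "endpoint-telemetry",
     "intrusion": "2016-06-15T11:00", "detected": "2016-06-18T09:00"},
]
PERIMETER_TOOLS = {"firewall", "anti-virus"}
ANNUAL_SECURITY_SPEND_GBP = 150_000  # constructed figure

def got_past_perimeter(incidents: list) -> list:
    """Question 1: incidents that neither the firewall nor anti-virus caught."""
    return [i for i in incidents if i["detected_by"] not in PERIMETER_TOOLS]

def detection_sources(incidents: list) -> Counter:
    """Which mechanism actually found each incident; a register where
    everything is 'firewall' or 'anti-virus' is the warning sign in Question 1."""
    return Counter(i["detected_by"] for i in incidents)

def dwell_hours(incident: dict) -> float:
    """Hours between intrusion and detection (the attacker's window of opportunity)."""
    start = datetime.fromisoformat(incident["intrusion"])
    end = datetime.fromisoformat(incident["detected"])
    if end < start:
        raise ValueError(f"{incident['id']}: detected before intrusion; check the record")
    return (end - start).total_seconds() / 3600

def window_of_opportunity(incidents: list) -> dict:
    """Question 2: median and worst dwell time, in hours."""
    hours = [dwell_hours(i) for i in incidents]
    return {"median_hours": median(hours), "max_hours": max(hours)}

def cost_per_incident(annual_spend: float, incidents: list):
    """Question 3: whole security budget divided by investigated incidents."""
    if not incidents:
        return None  # no investigated incidents: see the warning under Question 1
    return annual_spend / len(incidents)

if __name__ == "__main__":
    print("Q1:", len(got_past_perimeter(INCIDENTS)), dict(detection_sources(INCIDENTS)))
    print("Q2:", window_of_opportunity(INCIDENTS))
    print("Q3: £%.0f per incident" % cost_per_incident(ANNUAL_SECURITY_SPEND_GBP, INCIDENTS))
```

On this register three of five incidents got past the firewall and anti-virus, the median dwell time is a little over two days but the worst case is nearly three weeks, and the spend works out at £30k per incident, above the threshold the article suggests. The worst-case dwell time, not the median, is usually the number that decides how expensive an incident becomes.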

