Whatever status in Information Security you have reached, there is always a next step to do, because the environment and technology is constantly changing.
We refer to Information Security as the "Infinite Game", why?
From other areas of life outside IT (e.g., management, military), we can learn and use findings and strategies about the topic within information security to help us understand and find solutions, therefore we are quoting the author Simon Sinek ("The Infinite Game: How Great Businesses Achieve Long-Lasting") and we are adapting his ideas for a successful enterprise to the field of Information Security.
There is a distinction between "finite" games (e.g., soccer with clear rules, defined participants, playing field, duration and a clear goal) and "infinite" games.
In the "infinite” game, neither the number of participants, nor the end, nor the rules according to which the game is played are fixed. Too, the goals are unclear, there is no "end game", each participant defines his goal for himself. You might have goals like "join in", "earn money", "industrial espionage", "disturb competitors", be the "first", "fight boredom" or simply "survive". An individual player's lead is not permanent; his status constantly alternates between "ahead of the others" and "behind."
In information security, it's analogous
There is no beginning and no end, there are no boundaries, starting from the plant site to the employee's home office, no physical boundaries are relevant. The theft or manipulation of data, which has often been purely physical, is multiplied by connectivity to the Internet. Internet threats include malware such as computer viruses, keyloggers, Trojan horses, phishing emails and other attacks by hackers, crackers or script kiddies. The cloud opens up completely new options for the actors. The players change, from lone hackers to industrial espionage with professional teams from any country (Russia, China, etc.) to state intervention by intelligence agencies or authorities or environmental activists.
Other trends, such as digitization with more and more software solutions in all areas of life, broaden the starting points for third parties, make it more difficult to close vulnerabilities or - purely for reasons of numbers - hinder patch management for updates (e.g., Microsoft Exchange) with security-relevant improvements.
The spread of the Internet is a good example of this. The beginnings of a once closed circle of users at university level, then an international network for redundant operation and shared use of computer resources, today a worldwide network with global significance, which can no longer be imagined without!
It is also important to maintain a balance between security and the ability to work and adapt quickly. Furthermore, compliance and business continuity are important aspects for the existence of the company. But it is not only about IT, but about the entire information security, IT security is part of every planning and measure in IT and is fundamental for compliance in the company. Ultimately, it is about the goal of resilience in the enterprise for the area of information security. Only if I have a resilient organization in this area, if my own business continuity is secured in the field of information security, can I survive in the long term as an inventor, manufacturer, service provider, employee, manager and ultimately as an entire organization.
What does this mean for management?
So if information security is an "infinite" game, what does that mean for information security in the context of the enterprise is, that you can't play a "finite" game (or business) on an "infinite" playing field without losing your resilience, whether in terms of IT security, information security, or even business. The "game" goes on and on, and you have to stay flexible to follow it.
The bitter thing is that you can't get out of the game either, you have to make the best of it. In addition, you have to accept that you can't anticipate all threats that you don't yet know about, and you don't have the right people, technologies, organizations and budgets in place for all issues on an ongoing basis. For this reason, it is best to work with concepts and default settings that make misuse more difficult or prevent it from the outset (security by design, zero trust security model).
It is necessary to readjust one's internal "mind set", which does not see information security as a threat, but rather to see the challenge as promoting the company's development in line with its needs.
An organizational model must be found that takes both short- and long-term aspects into account, that creates structural preconditions for benefiting from the expertise of internal and external experts, and that implements a compliance culture. Then it is no longer a matter of laboriously "reacting" to information security issues, but rather taking advantage of the dynamics; information security must move from being a "brakeman" to a "change agent"!
Building blocks for ongoing adaptability
So, if there is no "one" switch to flip in the constant change of the "Infinite Game" in order to withstand the ever-changing environment, how do you get a handle on it? There are the following building blocks to be applied ALL TOGETHER:
Formulate visions that you stand for
Courageous leadership
Culture of trust and knowledge
Competition with others
Flexibility in action
Use standards and concepts
Adapt behavior
1. Formulate a vision to stand for
Work with your employees on a vision in the area of information security that is not an end in itself, but whose content and goals are clear, understandable as well as comprehensible for every employee and for which they can identify (cf. Simon Sinek "Just Cause").
The vision should
contain a positive vision of the future, it should aim at something and not be directed against something (e.g. competitors)
be so open that everyone in the company can join in striving for it, no group or individual should feel excluded
be customer oriented and not an end in itself
be stable and outlast changes on political, technical and cultural levels
be idealistic and strong, it can also be an impossible "vision" if the goal (Perfect Information Security) is never really achievable because the environment, technology, etc. is constantly changing.
The goal for information security must be that everyone lives the vision, not for the sake of superiors or rules or fear of punishment, but for the sake of the common goal. Even if the goal is ultimately never attainable, the gradual achievement and steady progression can show up as motivation for employees. And the vision must be exemplified and experienced top down, they must fit the culture of the organization. Only then will they be lived and fulfilled!
2. Courageous leadership
Management must lead by example and motivate in information security, pursuing both short-term and long-term goals that serve the company as well as individual employees. This is not always easy, because introducing rules and measures, balancing investments or technology decisions is a constant challenge, also from the perspective of the interests of the various stakeholders.
At the same time, the goal of introducing an ISMS based on ISO 27001 is a very real task, and the award of a certificate is a clear result that may create more security internally and externally, be demanded by customers, or be perceived as a positive signal by the market.
Unfortunately, the specific problem of many information security threats is that they are not "real" until they have actually taken place, i.e. they really cost money, time, effort and reputation. But it is not certain that they will always happen. It takes courage to stick to the goals and, if necessary, to make investments whose current benefits are not very tangible.
It is also the responsibility of management to show employees that they themselves are an important part of the organization's information security. They are part of the team working on the vision and thus have a part in realizing the vision, which is a much larger and more important task. And they are not just here to do a "share" of the task!
3. Culture of trust and knowledge
One of my former bosses coined an extremely sensible and pragmatic rule in the whole corporate culture and all target agreements, which I have never forgotten and which I consider sensible here as well:
"Intelligent usage of communicated agreements".
What does this mean?
Employees must have agreements (sets of rules, specifications, standards such as DSGVO, ISO 27001, ISO 9001, etc.) that must be explained and made aware to them so that they can act on them. Not literally every specification applies, because the environment is constantly changing.
But the employee is trusted with the knowledge and commitment to think carefully about what he or she is doing and to check what is in the best interests of the company. And the employee receives the appreciation that he can be personally responsible as part of the company and team and make his contribution. In this way, he protects "his" company, its assets and the workplace of many colleagues, ultimately also his own.
A culture must be developed that allows every employee to think about the topic of "information security" when developing, when entering the plant premises or even when observing errors or criminal acts.
The goal is not to pillory anyone, but to identify and prevent wrongdoing, ultimately helping and stabilizing the organization for the benefit of all. Open and fair feedback rounds (360°), whistleblowing platforms, ombudsmen, confidants, etc. are organizational tools that play an important role.
The rules and regulations must therefore be appropriate, state of the art, and must be continuously developed and communicated. The corporate culture must be continuously optimized, developed, communicated and lived, from top management down to the unskilled worker!
4. Competition with others
Ultimately, organizations have to survive in the market and need capital for operations; they have to produce, sell and continuously optimize products and services, compensate their employees appropriately, while also acting economically and taking customer interests into account.
All companies have to work at this, even a market leader has the task here of staying "ahead", because market competitors are lurking to exploit errors or gaps in the program. And the markets themselves change or technology pushes lead to dislocations. A good example is Nokia, once the world leader in cell phones. This then proud company had the technology and the experts to make smartphones, but completely slept through the transformation to smartphones and then couldn't catch up (Kodak is analogous).
Only the constant change of technology, society, environment, requirements and the competition in the market makes companies perform well, also in the field of information security and if the competitiveness remains, a company has "earned" the existence. In the competitive environment, information security is not a burden that can be neglected, but an asset.
Or, all other things being equal, if you had to choose between two data centers, would you award the contract to the company without a valid ISO 27001 certificate?
5. Flexibility in action
Let's assume you have implemented a stable IT environment, up to now you have provided everything internally, mobile workstations were only in sales and service.
But suddenly, in the pandemic, 80% of your employees are working in home offices and also in important areas and critical areas (Finance, HR).
So you have to respond, but what would you expect from a team that is very Lean, has been working with the same technology for 10 years, and is reaching great maturity?
Surely they trust the team to do everything necessary in the segment, these are good and dedicated people, but what if conditions change quickly as they did here in the pandemic?
Will their colleagues still be able to act and be prepared for all circumstances?
Are their security professionals equipped to handle the multiple and ever-changing threats to so many colleagues?
Do you have enough capacity on board, both qualitatively and quantitatively?
Do they have the right playbooks to intercept threats from different fields?
Have you been able to answer YES to everything? Fine, but if not?
Things are constantly changing in information security as an Infinite Game, so it's important to position yourself with the flexibility to manage threats, respond to technologies, and respond in a targeted way with the right personnel.
Think about whether all of this can be handled internally, and if so, whether working with external experts or service providers will make you more flexible and technically capable. This does not have to lead to the disempowerment of internal IT; rather, it can lead to an opening for new topics and thus have a motivating effect on employees.
For example, an external Security Operations Center (SOC) can quickly help them with the right expertise, which may not be available internally, or not quickly enough, or may be occupied with other tasks, but then neglect other important tasks. Or, an external information security officer can go a long way for mid-sized companies without building additional capacity.
Be flexible in your organization and actions, rethink organization and concepts, and - depending on the context and criticality - have a strategy for providing information security services developed that is tailored to your company.
6. Standards and concepts
Looking at many possible concepts and standards, I would like to point out just the few major aspects:
Zero Trust Security Model
Put simply, until now, access has often been granted to the employee who is currently active in a network with the right hardware, but this could be stolen or the password compromised. This level of trust is questionable in an age where systems and data are accessed from anywhere and through a variety of media. Faced with a network now considered potentially compromised, one first assumes to trust NOBODY (Zero Trust) and creates a suitable architecture. A Zero Trust Architecture (ZTA) is an organization's cybersecurity plan that uses Zero Trust concepts and includes component relationships, workflow planning, and access policies or checks (e.g., location of access). This model is considered highly secure and is used in enforcing accurate per-request access decisions in information systems and services.
Simplified, the key principles behind zero-trust architectures are:
A single strong source of user identity
User authentication
Machine authentication
Additional context, such as policy compliance and device state
Authorization policies for access to an application
Access control policies within an application
Security by Design
What happens after damage has occurred? In addition to gathering information about the damage or who is potentially "at fault" or deflecting blame ("I'm not responsible"), a root cause discussion occurs among employees and management about what caused the damage and what could have been done to prevent the damage.
To illustrate this, I like to use a (somewhat pointed) example:
A child fell into the well and unfortunately drowned!
Now which would be the precautions that one would have liked to have used before:
Cover the well or install a safety net
Build a fence around the well
Teach children to swim and make swimming lessons compulsory
Inform children about the risks
Put up a prohibition sign "No children allowed".
Threaten children with a fine for falling into the fountain
Threaten parents with a fine if their child falls into the fountain
You notice that absurd discussions quickly follow this tragic event. Transferred to information security and the security of IT systems, we find that in many cases solutions are in use on site that
have grown historically and no one really knows about them anymore
did not have security in the foreground
were developed under time pressure
have few restrictions due to flexibility
have implemented weak security solutions
for the purpose of faster access and use in the team are provided with ancient group passwords that everyone knows
disregard all rules out of personal loyalty or experience ("nothing has ever happened before").
Therefore, a serious improvement of security must always include the consideration of avoiding risks, to exclude the prevention of damage from the beginning through good design of a solution or appropriate measures.
A helpful policy is the "Least Priviledge Policy", i.e. the reduction of the rights of all employees to an absolute minimum needed for their ability to work and all extensions or changes are only made possible in a controlled process.
Norms/Standards/ISMS (ISO 27001, TISAX, BSI Grundschutz, DSGVO)
The use of norms and standards is advantageous; in this way, the experience and knowledge of many experts flow into the company.
And a well-structured information security management system (ISMS) is an optimal basis for the effective implementation of a holistic security strategy. Here, management has several options that are helpful depending on the context of the organization, the internationally recognized standard "ISO 27001" (or for the automotive industry the standard TISAX) or the German standard of "BSI Grundschutz". The application of these standards offers not only the possibility of certification - oriented to the needs of the market - but also helps to improve the organization, which alternatively would have to be laboriously developed internally.
The GDPR brings further benefits, because even if the law is viewed critically by many because its application involves effort, it creates clarity in the objectives and activities that serve the security of personal data.
See it as an asset and not as a hard mortgage! With using the rules you will have a high security standard for data of customers and employees! In addition, already done "homework" in the area of GDPR lead to the simplification of further measures for information security, because the foundation has already been laid.
Adapt behavior
Assume that things always happen in Infinite Games that have not been there before or not yet in this dimension, both technically and in terms of time or even organizationally. If a situation is new to everyone, it takes time, be aware of that fact!
The threats of "Emotet" were nothing new when seen in individual detail, but in combination they were an unprecedented threat. And phishing or ransomware is also nothing new, but has reached a new dimension in times of the home office and with increasing digitalization. When an incident occurs, it's important for IT management to talk to IT professionals and for "non-IT" professionals to talk to the security team about the issue, you have to use the organization or other professionals. They all need to be able to listen to each other and if someone doesn't understand the issue even due to lack of knowledge in detail, have them explain it as simply as possible. Keep asking questions until the context is clear!
If necessary, call on external support, approach the BSI experts or use forums or specialized security service providers. Furthermore, there is literature that is understandable for non-experts, which can be used for many cases (Cyber Security for Dummies*).
Once a situation is sufficiently understood by everyone, it is easier to work on solutions!
Critical remarks
The above tasks within the building blocks are not easy to solve, under the dictates of time, budget and human capacity, compromises must be made, there is no perfect solution.
But you have to iteratively pursue and develop these goals. If you omit one of them in the long run, you will not achieve your goal of resilience, but will invest all the more in other areas to make up for the shortcomings. Technological or commercial advancements often go faster in our IT world than the - in itself desirable - analogous advancement of security.
If users knew about the security of the application, the risks and their data, many services would not be implemented and hardly used due to lack of demand! Trust in providers and platforms is an important asset, but not always justified with knowledge, gained information, understanding and time constraints. Human weaknesses and characteristics (trial and error, "want to have", ignorance, desire for new things, playfulness, cool features), real functional advantages (e.g. Wikipedia, apps for health, service apps) and commercial or criminal activities often form a "virtual" alliance in exploiting the situation to take advantage in the market.
And the global or national legal framework is sometimes completely lacking, not always sufficiently applicable or implementable, or defects / problems / criminality are not traceable or actionable, or simply too slow compared to the technology.
Information security managers should always keep in mind that if you are highly committed to information security in the company, you will not always make yourself popular. But if you want to achieve that, you should also ask yourself if you have done enough for the company and/or security!
Conclusion for management
Trust is a valuable asset!
You can't do without trust in companies and their information systems, but this trust is also quickly squandered when incidents occur that are not addressed, resolved and avoided for the future. Regaining trust takes longer than maintaining it, and it may not be possible at times.
Don't let it get to that point!
What remains?
At the end of the day, please allow this question to ask yourself:
For what do you want to be remembered?
Do you want to be remembered as the person who - against many odds - saved the most money in the area of "information security", leaving the company with more profit in the short term, but in a daily struggle and risks that are difficult to manage, as well as a poor culture in information security and a bad security image in the market, including worse long-term earnings?
Or do you want to be remembered as the manager who laid the foundation for proper information security in the company, which - even if you already retired - will benefit later generations, the company culture, the employees and the customers as well as the company's image?
Author: Klaus Kilvinger