Skip to content

Maintaining an effective cyber posture during times of rapid and widespread change

Best practice

12:00 Sunday, 04 October 2020

UK Cyber Security Council

Change is inevitable: if you wait long enough, even if you’re not doing anything, something around you will change. In business, change is essential: if you stand still in absolute terms, you go backwards in relative terms. As Sir John Harvey-Jones is quoted as saying: “If a business isn't changing, it's dying”.

Change comes in two flavours, then – change you can control, and change you can’t control – and every organisation will have its share of each. So how do you keep your cyber security posture relevant and sufficient in the face of ongoing change?

Priority one is to have solid controls around proactive changes such as introducing new product lines or service offerings, or acquiring another business. In recent years we’ve begun using words like DevOps (where from the very beginning the development team who are making something engage the ops team who will be running it once delivered) and DevSecOps (where both of the above take the security team along for the ride too). Any regime of proactive change – technical or not – must include the security team to ensure that the level of cyber security is not adversely affected by the change.

Priority two is to invite the security team to the party for reactive change where there’s still a reasonable level of control over what’s happening. Perhaps a competitor has put out a new product and your company needs to rush something to market in order to salvage some revenue. Although there’s a balancing act between speed to market and security posture, it’s your own organisation that controls that balancing act, and so with sensible policymaking by involving the security team in the process you can maintain a workable, though probably not optimal, security posture.

These are the top priorities for a simple reason: if you can control something, you can plan for it – with the obvious caveat that in reactive situations you can’t foresee or plan for absolutely everything. The concept here is precisely the same as that for incident response or disaster recovery: you plan for the things you can predict so that when change happens it takes little or no thought or debate to take the pre-planned actions, leaving almost all your collective brain power to think about how to address the changes that you couldn’t plan for.

On a busy pedestrian thoroughfare, a man sits absolutely still while meditating, as the world blurs around him

Which brings us to priority three: consider what could change in a way that you don’t have control over. The COVID-19 lockdown is a classic example: although it couldn’t reasonably have been predicted, some of the effects were entirely predictable as they could be caused by any number of events other than Coronavirus – offices being unusable, disease outbreaks among staff, travel being difficult or impossible, and so on. So even if you can’t control any of these, they’re predictable – after all, even if they don’t happen to you very often, they happen to others all the time – and so you can still have plans in place to mitigate them, and those plans can be made with the security posture in mind.

The fourth and last type of change, then, is the genuinely unforeseeable event – the type of event that is highly unlikely to occur but which, if it does, will have catastrophic impact. The Channel Islands came close to such an event in 2016, for instance, when three of the primary telco’s four off-island data cables were cut by a ship dragging its anchor along the seabed . No matter how resilient you make your systems – with resilience built on resilience built on more resilience – there is always that infinitesimal chance that everything could fail. Similarly, no matter how many layers of security you build in, there is still a chance that something could penetrate them all.

The solution? People. If you want to cater for rapid and widespread change, you need enough people, and they need to be of two kinds: those who have the knowledge and training to follow the plans and procedures for the top three types of event; and those who are knowledgeable, flexible, reactive, logical and capable and can react to the events that you couldn’t plan for.

Because although you can plan for most eventualities you still need enough people to execute those plans, and you’ll be grateful for people who can figure out the answers for the events you couldn’t plan for.