In a 2015 article, I argued that conventional wisdom in information security management is deeply flawed, because it demands a risk-based approach while knowing full well that any form of risk analysis, be it quantitative or qualitative, is to some degree arbitrary and therefore largely useless. In spite of this argument, most information security officers and managers still continue to ask for compliance and audits (some organizations have even made their information security officer also serve as compliance manager). Most of the effort spent on information security management is therefore wasted, and the respective labor is Sisyphean.
In this post, I want to continue this line of argumentation by proposing something that may replace risk-based information security management at some point in the future. For lack of a better term, I call it intelligence-driven (instead of “risk-based”) cyber defense (instead of “information security management”).
- The first part of the term should make it clear that any form of risk analysis is better replaced with intelligence, meaning that information security can only be achieved if one knows what is going on in a particular information technology (IT) infrastructure. Without this knowledge, one is blind and doomed to fail. Intelligence is key to anything related to security.
- The second part of the term should make it clear that cyber security takes place in a game-theoretic setting, in which there is an offense, represented by the adversaries, and a defense. A security professional’s job is to defend the IT infrastructure of his or her employer, i.e., to make sure that no adversary is able to successfully mount an attack. This job is very comparable to a defender’s job in a soccer team. It doesn’t matter whether the next offensive is launched by a wing player or by the center forward; a good defense must stop either of them. There is no use in arguing about probabilities: if, most of the time, the opposing team attacks through the center forward, this does not mean that the defense can count on that and forget about the wing players during the next offensive. Instead, a good defense must be prepared for anything, independent of any probability, and it must be able to react dynamically and situationally. The same line of thinking applies in cyber security: it is mainly about mitigating all possible attacks, not just the likely ones.
Putting the parts together, I think that future information security management needs to be intelligence-driven, and that the ultimate goal must be to set up a solid and profound cyber defense. It goes without saying that this requires a major change of mindset in future generations of information security professionals. We have to move away from risk analysis toward mechanisms and tools that allow us to gather as much intelligence as possible and to use it properly and wisely. We also have to take the stance of a good defense: be prepared for anything, even if it is highly unlikely.