The East African : Apr 6th 2015
The EastAfrican, BUSINESS, page 40, April 4-10, 2015, MANAGER

To deal with hackers, see your company through their eyes

COMMENTARY by NATHANIEL C. FICK

Cyberattacks are growing more sophisticated and more damaging, targeting what companies value the most: Their customer data, their intellectual property and their reputations. What these attacks reveal is that our cybersecurity efforts over the past two decades have largely failed, and fixing this problem will require the attention not only of security officers and information technology teams, but also of boards and CEOs.

Companies need to take a new approach by looking at themselves through the eyes of their attackers. In the military this is called "turning the map around." The point is to get inside the mind of the enemy, and to see the situation as they do, in order to anticipate and prepare for what's to come.

Despite spending billions of dollars every year on the latest security products and hiring the best security engineers and analysts, companies are more vulnerable than they've ever been. Two trends account for this: The rapid convergence of enterprise IT architectures, and the proliferation of increasingly sophisticated adversaries.

Changes in enterprise IT over the past decade mean that every company is now a technology company. By the end of the decade, there will be 50 billion devices connected to the Internet, complicating networks and generating petabytes of data. On top of that, the cloud revolution has finally dissolved perimeters — companies enjoying the benefits of infrastructure as a service must depend upon the security of networks and systems beyond their control.

As mobility, the "Internet of Things" and the cloud change enterprises, adversaries are also becoming more dangerous. States and state-sponsored entities spy on and attack private companies, often using military-grade tactics and capabilities. They do this within a system where offence enjoys a structural advantage over defence because attribution is difficult, deterrence is uncertain and attackers need to succeed only once, but defenders must succeed always.

By turning the map around, executive teams can learn a great deal about their own companies, and better prepare for the inevitable attacks. This is how most companies look from an attacker's perspective: Their security is overwhelmingly focused on generic malware detection and protection against automated threats that aren't being guided with precision. They don't have a full picture of what's on their networks, the cloud services they're using, the applications running on those services and the security postures of their supply chains and partners. Their IT and security teams are peripheral concerns, costs to be managed rather than centres that support the core business. Overall, they are reactive, rather than proactive, in their approach to security.

Thus, companies should learn from attackers in determining how to defend themselves. Here's how:

1. Understand your major risks and how adversaries exploit them. If security could be calculated, then adversaries would be the numerator. Companies must understand their unique threatscapes to the greatest possible extent, and generic data are insufficient. Effective security must integrate indicators of compromise (have we been attacked?), tactics, techniques and procedures (how are we being targeted?), identity intelligence (who would target us, and why?) and vulnerability intelligence (what is being exploited in the wild?). Only with focused threat intelligence can analysts spend their valuable time investigating the most important incidents, prioritising those associated with your most formidable adversaries and your greatest business risks.

2. Take inventory of your assets and monitor them continuously. If security could be calculated, then inventory would be the denominator. Companies must identify and monitor all of their interconnected assets: What applications are running on the database servers holding your most valuable information? Did an employee connect a new device to your corporate network? Does one of your distant subsidiaries have a new partner? Periodic assessments, reports that take weeks to prepare and conclusions that require complex interpretation contribute to gaps in security. Companies must maintain a dynamic, real-time inventory of assets, monitor those assets continuously and render them visually in a way that is intuitive for security and operations teams.

3. Make security a part of your mission. The prevailing approach to security is compliance-focused, cost-constrained, peripheral to the core business and delegatable by C-suite leaders. Working on a team like that isn't fun inside any enterprise, and it loses against 21st-century adversaries who know that it's more fun to be a pirate than to join the navy. Any defence is only as good as the people doing the defending. The new model of security needs to be about mission and leadership, ensuring that we have the best defenders up against the best attackers. Security is no longer delegatable, and the mission of security teams must be synonymous with the mission of the company.

4. Be active, not passive, in hunting adversaries and removing them. The term "active defence" has been tarred as a euphemism for "hacking back," and companies are ill-advised to go on the offensive: First, it's illegal to access others' networks without permission, even if you're acting in supposed self-defence; and second, it's just not smart to escalate unless you can dominate, and even the biggest companies will ultimately lose against state or state-sponsored adversaries. So while you can't attack the other team on its own turf, you can be active against adversaries inside your own networks. This means assuming not merely that you are under attack, but that your attacker is inside your network, and so you must hunt for a stealthy, persistent human adversary in order to contain and eliminate the risk.

It is easy during these days of frequent and devastating cyberattacks to cry out that the sky is falling, that the very future of the Internet as a trusted domain of commerce and communication is at stake. But it would be wrong to extrapolate the data points of recent years into a line leading to ruin. Too many of us have too much at stake here, and the combined forces of executives, entrepreneurs, software developers, security teams and investors all turning the map around can equip us to defend against this next generation of adversaries.

Nathaniel C. Fick is a former US Marine Corps officer and the CEO of Endgame. He is the author of One Bullet Away: The Making of a Marine Officer.

From strategy to execution

By KEN FAVARO, Harvard Business School Publishing Corp.

IT IS striking how much confusion there is between strategy, implementation and execution.

Strategy consists of two categories: corporate strategy and business unit strategy. Corporate strategy consists of CEOs and top executives making three basic choices: What should be the capabilities that distinguish the company? What should be the company's comparative advantage in adding value to its individual businesses? What businesses should the company be in? These should guide all the decisions that a company's corporate executives, functions and staff make every day.

For a business unit, there are also three key decisions that cannot be delegated by its leader: Who should be the customers that define our target market? What should be the value proposition that differentiates our products and services? What should be the capabilities that make our business better than any other in delivering that value proposition? These should drive the decisions a business unit's management team, functions and staff make every day, including pricing and R&D.

Implementing a strategy consists of all the decisions and activities required to turn the two sets of strategic choices above into reality. If the corporation has the capabilities, enterprise advantage and business portfolio it wants, its strategy is implemented. If the unit has the customers, value proposition and skills it has chosen to have, its strategy is also fully implemented. Of course, a strategy can never actually be fully implemented; there will always be a gap between where companies are and what their strategies call for. Closing that gap is "implementation."

What, then, is execution? It is the decisions and activities you undertake in order to turn your implemented strategy into commercial success. To achieve "execution excellence" is to realise the best possible results a strategy and its implementation will allow.

The distinctions above are not between thinking and doing, deciding and acting, or planning and producing. All these activities are involved in strategy, implementation and execution. Does that make those three the same thing? Absolutely not. They each involve very different specific activities, tools and people. And when business leaders conflate strategy, implementation and execution, they usually end up with a lot of the trappings of running a modern-day company or business unit, such as goals and targets; plans and initiatives; and mission, vision, and purpose statements, but very little actual strategy, implementation or execution.