CDM-CYBER-DEFENSE-eMAGAZINE-March-2019
Exponential losses

One of the challenges with technical debt is that it doesn't accumulate in a linear manner; rather, the debt, or the fall below the security poverty line, occurs at an exponential rate.

Speaking to people who run small businesses, some of the challenges they face become a bit clearer.

Cyber security needs investment in different areas: initially to hire expertise or to invest in technologies, neither of which is necessarily a small investment. Then there are the ongoing costs: the cost to maintain security and to undertake ongoing testing. Next, when wanting to do business with larger companies, the smaller company is usually subject to a third-party assurance process where it needs to demonstrate that it meets all the cyber security requirements of the larger company, even in instances where the controls may not be directly applicable. Finally, in the event of an incident, a company that has already under-invested in security is faced with loss of business or even legal action from partners, regulatory fines, and the cost of incident recovery and PR management.
How much information security is enough?

With such a seemingly endless laundry list of things to consider in the security world, the question on the minds of most businesses is, 'how much is enough?' Unfortunately, if you're looking for a hard number, you'll be disappointed, because the threats and challenges present in the cyber world represent a moving target.

But this doesn't mean all effort is futile; it's more a case of looking at the world differently.

One way to look at this could be through the lens of finite and infinite games, as coined by James Carse in his 1986 book of the same name.

The idea is that there are two kinds of games: finite and infinite. Finite games are those which have rules such as the number of participants, boundaries, time duration, and so forth. After a certain period of time, a winner is declared in accordance with the agreed-upon rules.

If you try to look at cyber security as a finite game, you will inevitably pull your hair out in frustration and turn into precisely how Urban Dictionary describes InfoSec.

Cyber security is more of an infinite game, one where there are no set rules or boundaries, or even a winner or loser as defined in the classical sense. Rather, the purpose of an infinite game is to always be in a position to continue the game.
Continuing the game

Asking companies to continue the game is difficult when resources are scarce and they're living on the security poverty line. But once you understand the game, the players, the pieces, and the moves, it becomes easier to plan your strategy. For that, it's useful to consider the following points.