Cyber security is no different from any other management activity: the theory is straightforward and well known, and execution is very difficult. In research carried out by a joint NATO / industry research team, the UK identified that one key element of high-quality cyber security is world-class service management, as the majority of controls used to secure a system lie within the service management realm.
At this year’s itSMF UK Annual Conference (ITSM18) I’ll outline the background to the research and share the results that identify how service management controls fit within a cyber security life cycle. Then, building on this work, I’ll show how we need to think more about effectiveness and continuous improvement rather than compliance, to give us the best chance of staying ahead of the attackers.
Meanwhile, in this blog, I provide a little background ahead of ITSM18 on why the two areas of service management and cyber security need not only to communicate, but to collaborate and be seamlessly integrated in all business and IT services.
Bringing Service Management and Cyber Security Together
Cyber security is a general term for the logistics of organising staff and resources to manage the ongoing risk of a cyber-attack. The threat actor’s motivation is often to gain access to data for the purpose of manipulation, resale or disruption, including extortion, most frequently for financial gain. This is a challenge that the majority of organisations face when moving towards digitising their services, and they often arrive at a crossroads between optimising their digital services for efficiency or for security.
While the organisation of cyber security defences encompasses a multitude of aspects, the execution of our cyber defence and recovery is underpinned by our service management strategy. For many organisations, cyber security and service management are two different aspects of the business, with different policies, teams, and stakeholders. However, the procedures we implement in our service management strategy directly affect our ability to defend against, and react to, a cyber risk or eventually a breach. This can often be a cause of friction between service management and information security teams, but given the correct execution it can also be an opportunity to optimise for efficiency. Failure to set up and operate both teams in synergy with each other can create an adverse effect, gaining neither efficiency nor security.
Why We Need More Than Just Prevention, Detection, and Correction
Managing cyber security is a continual process that must evolve as the complexity and sophistication of our attackers change. Organisations typically pull service management and information security together using best practice approaches such as ISO 9001, ISO/IEC 20000-1, RESILIA, and ITIL. However, there is only so much impact the traditional audit approach to process quality can have on day-to-day business, and when the threat evolves faster than we can apply our defences, a new approach is needed. This approach needs to both defend and innovate at pace. It is no longer enough to mitigate the threat by implementing an effective prevention, detection, and correction strategy. Now all companies need to be forward thinking: staying up to date with the latest threats, communicating with the relevant staff, and mitigating as many threats as possible, all the while being expert in operational resilience so as to respond and recover with no (or minimal) impact on the service stakeholders. The common language of security over the last eight years has shifted from cyber security to operational resilience, as cyber incidents have become a ‘fait accompli’, with the frequency, size, and impact of incidents increasing. In this context at least, this is a driver for change from traditional compliance to a more proactive risk management and cyber defence posture.
It’s a fine line between optimum information security and service management; the former is inherently just another characteristic of the service. It’s well understood that some information security controls, while they prevent some threats, can have a negative effect on business agility. Therefore, we must find this risk balance by designing and executing a strategy that achieves the optimum effectiveness and security risk management based on our own risk appetite, and even that of the wider ecosystem. No longer can these two areas be satisfied with a ‘tick-box’, compliance-based approach. The approach has to consider operational security effect, née performance, in the delivery of security outcomes, irrespective of process.
Consider a physical analogy – you’re a high-jump athlete. The frame holding the bar is the traditional standard of compliance. How high the bar is set is dictated by the threat actor’s ability. The defender needs to jump, to perform, dynamically wherever that bar goes – to really perform in an agile manner. Compliance approaches simply miss this performance dynamic.
Thus, process needs to be measurable and, from that, controllable and manageable. The two traditional disciplines need not only to communicate, but to collaborate and be seamlessly integrated in services – to act in every way as one operational capability. Only then can they operate in a way that allows them to be forward thinking, actively improving and focusing on continual service improvement and agile service management, with security inherent in both.