The Curious Nature of Security Evolution: A Tale of Digital Darwinism
In the beginning, there was chaos. And then someone created a firewall. This was still chaos, but now we had blinking lights! “Modern” cybersecurity is born. Yes, I know we had cybersecurity before firewalls, but just go with me on this. Let’s explore how consistent incremental improvement to your cybersecurity posture is the best way forward.
Imagine the dung beetle, performing the Sisyphean task of pushing its precious ball of…resources…up the hill of progress. This dung beetle is quite like a security professional: they both exist in an endless cycle of improvement, even if those improvements are only small. Never “done” with the work, always working on a new system to fix or controls to implement. The difference between us and the dung beetle is that our ball of security controls tends to gather more moss than dung. Though I suspect we’ve all been able to argue the contrary from time to time.

The Natural Selection of Security Controls
How can we improve on the dung beetle? Well, you can’t; just like the slow march of evolution, you’re stuck with it, unfortunately. It always has the difficult and endless task of moving its…resources…ever forward into the future.
What we can do, though, is look to some other animals for inspiration, even though the dung beetle is an excellent example.
Consider the mighty Emperor penguin. On land, it waddles about like a first-generation security framework. Is it functional? Certainly. Is it elegant? Not even a little bit.
Now, think of a penguin sliding across the ice on its belly. Is it functional? Certainly. Is it elegant? In its own way sure. Is it better than waddling everywhere? Indeed.
Now if you put that penguin in water, suddenly it’s magnificent! In its element, doing what it does best.
Now let’s compare these to our cybersecurity frameworks!
Our first-generation frameworks came from a land before time…or at least before me. This would be something like the “Orange Book”, which comes from the “Rainbow Series” of books from the US Government in the 1980s. It was rigid, using tick-box pass/fail approaches; it was impractical for commercial products because it was designed for military use; it was largely focused on data confidentiality over integrity and availability; and it was part of a 30-piece series, which made it difficult to approach holistically. These are the waddling penguins.
Our second-generation frameworks would be something in line with the “Common Criteria” or, if it’s in trouble (as with the Orange Book), the “Common Criteria for Information Technology Security Evaluation”, ISO/IEC 15408, from the late 1990s, intended to unify several standards. This had various levels of rigorous testing and was much more approachable, but assessments could take 12 months or more to complete, the documentation was complex and specialised, and it led to a focus on documentation and process rather than necessarily improved cybersecurity effectiveness.
After this we have a shift in the early-to-mid 2000s, when we saw risk-based security frameworks that were aligned to business requirements. The most notable of these are the ISO27001 and NIST security frameworks. This marked a shift from managing security certifications for individual products towards the organisational security approach that we are familiar with today.
The move supported managing overall security processes, with an emphasis on continuous improvement and taking into consideration business objectives and non-technical controls for managing cybersecurity. This is where the penguin has started to gracefully slide along the ice.
Most recently the frameworks have diverged slightly again. We have three main groups:
- Integrated risk frameworks like NIST Cybersecurity Framework
- Cloud-Native Security Frameworks
  - CSA Cloud Control Matrix (Consumer based)
  - ISO 27017/27018 (Provider based)
- Zero Trust Frameworks
The above frameworks all represent a significant shift towards real-time security adapted to modern business practices, allowing flexible control implementations and iterative improvements. These are our penguins in the water: swift, agile, in their element, just like a perfectly optimised cybersecurity team!
What is the lesson here? Well, we have a few.
- Penguins are cool.
- Context is everything!
- Like the slow march of evolution or the dung beetle, progress takes time.
The Three Laws of Security Evolution
- The Sloth Strategy: Slow and steady won’t always win you the race, but it does help avoid crashing out of the security tree. When implementing security controls, you want to make sure you take your time. While I agree there is nothing quite as fun as watching a vulnerability scan complete (except maybe watching paint dry), taking a slow and methodical approach will almost always give you a better result.
- The Magpie Method: We know that not everything that glitters is gold…seriously, leave the shiny toys alone! Just like magpies, security professionals like shiny new toys. Not all of them need a place in our nest; sometimes the shiny new toy is a well-marketed bit of tin foil.
- The Meerkat Madness: Someone always has to be on lookout duty while the rest of the colony…I mean organisation, completes its work. The meerkat must remain vigilant, always watching, the hero that Meerkatham deserves!
MeerMan? BatKat?…Look! A vigilant hero!
Migrating your frameworks
Over time you will find that your organisational security needs evolve. You hope that these changes are not a surprise and that you have significant lead time to understand them. Security frameworks, and the impact they can have on an organisation, are both complex and nuanced and require time and attention to be properly understood.
For example, “Imaginary Plucky Startup Inc.” is owned by BatKat, and its only other employee is Alfredo, a long-time family friend of BatKat. They would likely not have any requirement to meet cybersecurity standards such as ISO27001 compliance, and as they aren’t a finance company there are no PCI DSS or APRA Information Security Standard requirements either.
Fifty years from now, when “Imaginary Plucky Startup Inc” has been absorbed into “Global Ultra Megacorp”, the multi-national conglomerate that employs tens of thousands across the globe and does business in dozens of industries, well, now there are various cybersecurity frameworks and hundreds of controls to start assessing.
As cybersecurity professionals we can’t just follow our nose and hope for the best. We need to be aware of where we are and where we are going. This helps us guide the company to greener pastures and avoid any inherent risks along the way! This is where iterative security reviews come in.
The lifecycle of a Security Review
Imagine a butterfly, not because of any profound metaphors about metamorphosis, personal growth, dramatic change or anything like that (something else is coming, just wait) but because, like a butterfly, a cybersecurity review should be:
- Systematic
- Lightweight
- Capable of destroying cities with a flap of its wings (Okay maybe not this bit)
A systematic approach to cybersecurity reviews is critical. You want a planned and ordered review of your cybersecurity posture to ensure it aligns with the relevant frameworks for your business. This systematic approach also means that it is repeatable, so you can track your security posture over time!
A lightweight approach is also required: while the review must be systematic, you also don’t want it to take five people a month to complete. You should make sure you are capturing and tracking the relevant metrics and gaps so they can be quickly reviewed each time an assessment is required, and you are not left scrambling for answers or unsure of the next steps!
Security reviews should be a collaborative effort, much like a mob of meerkats. There is a hierarchy of controls (some are best practices and some are legislated requirements), but there also need to be designated decision makers to resolve differences of opinion. While meerkats may defend themselves by yelling and biting, that approach is not recommended in the workplace.
In conclusion
Security improvements, much like dung beetles, always find a way. Usually through a pile of…resources…but that’s not the point. The key is to keep moving forwards, leaving the environment more secure week after week, always evolving, adapting your frameworks and processes to the company and, most importantly, continuing to review your security posture and frameworks.
The aim of cybersecurity is to beat digital Darwinism: to constantly evolve and stay ahead of the curve.
In the cybersecurity animal kingdom, we are all trying to avoid becoming the dodo, the slightly awkward-looking cautionary tale of what could have been.
And if all else fails just do what an octopus does – become hyper intelligent, have eight arms to handle your various responsibilities and learn to camouflage yourself to hide from those auditors. Metaphorically speaking of course, please don’t hide yourself or anything else from auditors!
Note: No animals were harmed while making this blog post. Though several metaphors were stretched to their breaking point.
If you’ve enjoyed this content you might also like the blog post series around the Essential 8 here.