Information security assurance from a resilience perspective

If we accept that our defences will no longer hold against every attack and we cannot therefore
be 100 percent secure, then we also need to think about information security from a new perspective.

Over the past 10 years the core means by which organisations gain assurance of their information security posture has changed little. The spectrum of security testing, from vulnerability scanning through to penetration testing, continues to be the principal method for assessing the effectiveness of an organisation's information security measures.

But what is it that we are gaining assurance on and should we in fact be doing more?

Information security has developed around the principles and constructs of risk management. Risk management has a valid business application and should continue to be used as a
tool in information security. But approaching information security from the perspective of risk
management has caused it to focus on implementing defences against attacks. The core objective
of risk management is to identify those things that may harm you and put in place preventative
measures. For information security this has resulted in a heavy focus on preventing attacks by
implementing security controls, a focus further reinforced by standards such as COBIT and ISO 27001.
Naturally, assurance efforts have evolved to reflect these practices, and security testing continues to
concentrate on testing our defences.

The world of information security is fast changing. New technologies emerge, threats evolve and new
vulnerabilities materialise. In response, many organisations have also evolved their approach to information security.
For many, the continual battle to maintain a fortress of defences is now outdated,
and it is increasingly accepted that to do business in today's world you cannot be 100 percent
secure. As a result, organisations have widened their approach to tackling information security
threats to encompass not only defence, but also the ability to detect an attack, react to it and
finally recover from it.

These three aspects, taken together with defence, form a more holistic approach to
information security and give organisations a more resilient way of tackling these threats.
Obviously prevention is better than cure, and putting in place defences against attacks should always
be a priority. However, accepting that these defences will not always work can be a challenging
position, given the heavy financial investment and organisational buy-in required to deploy them.

Nonetheless, many high-profile attacks continue to show that defences are not impenetrable. As a
result, organisations need first to have the ability to detect an attack. Once an attack is
detected they then need to be able to react to it and recover from it. As these additional areas of detect, react and recover have matured, some organisations have sought assurance that they are effective. Up until now, this activity has been limited, and each area is tested in isolation. Yet we expect the system to work as a whole when it is needed for real.

Can the isolated assurance currently gained over these additional elements therefore really be effective? Does it actually demonstrate that, in the event of an attack, the system as a whole will work and the organisation
will be able to respond effectively?

Security testing alone will not tell an organisation how well it will respond to an attack. The system as
a whole needs to be tested. Security testing will remain a key component of this, but the additional measures of detect, react and recover also need to be encompassed in information security assurance. If we approach information security from the perspective of resilience, the system as a whole is considered and the assurance measures undertaken reflect the more mature information security posture now adopted by most organisations. Consequently it is time to start testing for resilience, and not just the 'security' of defences.

Contributed by David Stubley, CEO, 7 Elements

Also see the white paper 'Information Security Assurance from a Resilience Perspective'.