Cyber Strategy Is Not a Synonym for Tech Stack

By Craig Burland, CISO, Inversion6

Formula 1 (F1) is the pinnacle of motor racing. Winning means staying on the grid. Losing can mean going out of business. The cars, marvels of engineering, cost millions and epitomize automotive technology. But without a skilled driver, a responsive pit team, and a meticulously executed race strategy, that car won’t cross the finish line. Likewise, in cybersecurity, a top-notch tech stack isn’t the sole determinant of success. It requires an intricate dance of skilled people, tuned processes, and a well-crafted strategy to steer clear of digital pitfalls.

Not long ago, I witnessed a cybersecurity event where the victim, protected by millions of dollars of best-in-class technology, floundered with how to respond to an intruder in their environment.  Every dollar of cybersecurity investment had been allocated to technology, leaving them bankrupt in people or process knowledge about how to use the tools at hand.  The organization survived the incident, but it was a teachable moment — an example of lessons that should be learned.

People: The Drivers of Cybersecurity

In 2017, Maersk fell victim to the devastating NotPetya ransomware, bringing its operations to a grinding halt. The company’s IT professionals emerged as unsung heroes during this crisis. Acting swiftly, they isolated compromised systems to halt the malware’s spread, and in an extraordinary effort, rebuilt the entire IT infrastructure—from reinstalling thousands of servers and PCs to restoring crucial applications—in a mere ten days. Their rapid response, combined with transparent communication and collaboration with external cybersecurity experts, enabled Maersk to recover from a situation that could have otherwise spelled disaster. The team’s tenacity and strategic foresight not only restored operations but fortified Maersk’s digital defenses for the future.

Moreover, the human aspect isn’t limited to the IT department. A comprehensive cybersecurity approach necessitates an organization-wide culture of awareness. Gartner’s assertion that over 90% of data breaches result from human error underscores this. It’s not just about having cybersecurity experts on board; it’s about ensuring every individual in the organization understands their role in maintaining cyber hygiene. The parallel in F1? While the driver is the face of the race, it’s the collective effort of the entire team, from engineers to analysts, that determines success. In the cyber world, every employee, from the CEO to the intern, plays a pivotal role in defense.

Process: The Pit Stop Strategy

Processes are the backbone of any effective cybersecurity framework. Processes in cybersecurity act as the glue holding all facets of defense together. A potent illustration of this concept can be found in the 2013 breach of Target. While the breach itself was significant—compromising the personal data of millions of customers—it was the nuances of how it played out that spotlighted the importance of processes.

The attackers initially gained access through a third-party HVAC vendor’s network, demonstrating the need for rigorous processes when it comes to third-party access controls and vendor management. Even as the breach unfolded, Target’s security tools detected the intrusion. However, a lack of an efficient response process meant that these alerts went unheeded. This oversight accentuates how critical processes are: advanced detection systems are useless if there’s no structured protocol to act upon the alarms they raise.

The aftermath of the breach revealed gaps in Target’s incident response plan. The public relations fallout, delayed notifications to affected customers, and the subsequent erosion of trust signaled the necessity of having a well-thought-out communication strategy, encompassing both internal stakeholders and the public. This strategy should kick into gear the moment an anomaly is detected.

Drawing parallels with F1, it’s akin to a car’s sensors identifying an issue but the pit team, lacking a protocol, fails to act swiftly, costing the driver valuable time—or worse, the race. An effective cybersecurity strategy is more than just alarms and detections; it’s about orchestrating identification, response and communication. In the relentless pace of the digital age, a process failure can mean the difference between a manageable incident and a full-scale catastrophe.

Technology: The Race Car

Harnessing technology in cybersecurity is akin to wielding a double-edged sword: while it offers unprecedented protective capabilities, its effectiveness can be crippled if not integrated harmoniously within a system. The 2023 compromise of Microsoft serves as a compelling case study.

On July 11th, 2023, Microsoft revealed that a malicious actor had obtained an MSA consumer signing key, allowing them to forge access tokens for Exchange Online and Outlook.com accounts. While its IT infrastructure has some of the most sophisticated controls available, the attack underscored the pitfalls of fragmented security tools. The various components of Microsoft’s cyber defense operated more like isolated silos rather than a united front. This lack of integration meant that while one security tool might have detected an anomaly, the broader system failed to piece together these disparate alerts into a coherent threat picture, rendering timely intervention nearly impossible.

Using our F1 analogy, imagine a car equipped with the latest brakes, a new power unit and fresh tires, but these components function discordantly rather than working in tandem. Sudden braking might not correspond with an engine slowdown, causing a wheel to lock up and leading to a catastrophic failure on track. Similarly, in the cyber realm, the alignment and integration of technological tools determine the difference between a system that merely looks robust on paper and one that stands resilient in the face of real-world threats.

In Conclusion

The world of F1 racing offers rich insights for the cybersecurity realm. Both disciplines demand a harmonious blend of equipment, skill and execution. As digital landscapes become increasingly treacherous, businesses must ensure they’re not just technologically ready to compete.  They must also be fortified with trained personnel and robust processes. After all, in the race against cyber adversaries, every lap counts, and there’s no trophy for second place.

About the Author

Craig Burland is CISO of Inversion6. Craig brings decades of pertinent industry experience to Inversion6, including his most recent role leading information security operations for a Fortune 200 Company. He is also a former Technical Co-Chair of the Northeast Ohio Cyber Consortium and a former Customer Advisory Board Member for Solutionary MSSP, NTT Globhttp://www.inversion6.comal Security, and Oracle Web Center. Craig can be reached online at LinkedIn  and at our company website http://www.inversion6.com.