Several weeks ago I wrote about how compliance and audit executives might approach cyber-security risks, and foremost was the point that “cyber-security” should be about developing a strong process to govern the information you have, rather than a series of tools and defenses you deploy to keep intruders at bay. Today I want to revisit that subject from a different angle: from the perspective of the cyber threat, which is also about developing a strong process to govern the information you have—except that someone else is trying to govern your information, rather than you.
This has been on my mind because I just attended the Institute of Internal Auditors’ national conference in Las Vegas, and as one would expect, cyber-security risks were all over the agenda. Everyone talking about the subject hammered on two themes. First, as companies move ever further into the world of Big Data—as we automate ever more business processes and create more data—our exposure to cyber threats will only get worse and worse. Second, the thieves and attackers behind those threats are getting smarter and more agile every day, and right now they’re often smarter and more agile than you.
Enough. Those are obvious points and I’m tired of people making them. We need to step back from the hysteria over our poor cyber-security for a moment and more thoughtfully consider what cyber threats actually are. Then we can start to find useful strategies in the world of Big Data that compliance and audit executives can use to fight back.
Cyber threats are about extraction: someone taking information you have and using it for some other purpose. Usually the threat is a thief who wants to extract money and keep it. Sometimes the threat is a thief who wants to extract something of value (credit card numbers, intellectual property) and sell it, or sometimes the threat is an opponent who wants to extract information and expose it, to force you to do something you might not otherwise do, like North Korea hacking Sony emails to pressure Sony into canceling “The Interview.” Whatever the motive, in almost every case the activity that actually happens is extraction.
If extraction is the goal, cyber threats achieve it by creating a false narrative for the process you have—that is, they lead you to believe that a business process is functioning one way, when actually it is not. They lead you to believe that some wealthy banker in Nigeria needs to wire money into your account, when the banker is a thief in a Lagos café. They lead you to believe the program seeking access to your accounting system is the HVAC maintenance firm looking to submit an invoice, when actually “it” is a gang of thieves in Russia mining their way toward the credit card readers at your cash register. They lead you to believe that Sam in the R&D division wants to see the plans for the new guidance system, when actually the request is a front for the Chinese Army. In almost every case, the cyber threat works by leading you to believe your business process is working one way, when it is actually working another way.
That point may sound self-evident at first, but the implications behind it are more powerful than many people understand. Why are cyber risks growing? Because advances in computing technology keep letting us automate more processes, and more complex processes—so we are creating more opportunities for someone to insert a false narrative. In 1965, nobody could impersonate Sam from R&D because Sam physically had to walk to the filing cabinet where the plans were kept, and security guards would recognize him by sight. Now we have automated the human element out of the process. We are doing that more and more every day. When your board asks why cyber-security risks keep growing and when they will stop, that is why they are growing, and they will never stop.
The second implication, however, is that if cyber threats want to exploit some process you have, in all likelihood they want to do so with stealth—because a business process is something that happens over and over, so the longer the threat keeps mining away at your process, creating a false sense of security, the more benefit it reaps. A good analogy might be the difference between an embezzler who drains a small amount of money away from the company every day, and a robber who grabs $5,000 from the petty cash drawer and then disappears.
You can employ tools to stop the robber, like an armed guard or a security keypad. You need strong processes to stop the embezzler—and make no mistake, the embezzler is a far more difficult enemy for compliance and audit executives to defeat, because he is chewing away at your business processes from the inside at every chance he gets.
The good news is that the world of Big Data does offer powerful tools and techniques for you to study your business processes and strengthen them for the onslaught to come. Compliance Week will explore those ideas, here in this column and elsewhere in our editorial coverage, for years to come.
But for anyone who hears the talking heads, including me, keep harping that you need to approach cyber-security “as a process” and quietly wonders what that really means (lord knows I wondered what it meant for a long time), that is what it means: the threat itself is a process, trying to subvert yours, and the only way to defeat it is to make sure your process is the stronger one.