I’ve recently been involved in some strategic cyber security work in the UK financial services sector. The financial services sector is a complex and tightly coupled system. While some components are clearly more important than others, there are few components that are inconsequential if they cannot be relied upon. No financial services organisation is independent in what is a highly cooperative sector.
Currently the information assurance aspects of reliance on partners and the supply chain throughout the sector are handled through third-party assurance. Every organisation assesses, and is assessed by, every other organisation, breeding an expensive and distracting industry of rolling security controls assessments.
There have been multiple attempts by the Big Four, other management consultancies and others (notably Moody’s, prior to 2008) to establish security ratings similar to credit ratings in order to reduce the third-party assessment load on the sector. These attempts haven’t been driven by the sector itself and have usually fizzled out due to a lack of critical mass: a rating is only worth producing once enough relying parties agree to accept it in place of their own assessment.
The use of SAS 70 (and now SSAE 16) hasn’t met the need, mostly due to the wide variety of control definitions each organisation in the sector deems appropriate for its own use. There is, I suspect, an aspect of Not-Invented-Here in play.
There is an opportunity for the financial services sector to define and agree a shared controls definition for an independent attestation like SSAE 16. This would result in organisations only having to complete a single external assurance exercise each year, which should drive up efficiency and allow that internal security talent to be redeployed into more useful proactive cyber security activities.
There have been some advances in other sectors: a number of defence contractors have standardised around Exostar for their supply chain and have developed a shared third-party assurance approach for cyber security, so such agreements are not impossible.
The other issue with third-party assurance is that the traditional security controls assurance approach, while useful in addressing commodity threats, has proved ineffective and inefficient in handling targeted cyber threats: a point-in-time attestation says little about whether a determined adversary is inside the partner’s estate today. There has consequently been rapid growth in cyber information sharing with a threat and attack focus. This is starting to bear fruit in terms of responsiveness and shared defence, and it is a more effective approach for handling systemic cyber risk across sectors.
Looking at your business partners and your supply chain as a collaborative environment for cyber security rather than a source of risk to be audited for non-compliance is likely to be the more effective approach to ensuring resilience in heavily interconnected sectors.
There should be a focus on developing existing information sharing through interconnection and data format standards for cyber security data. We are establishing the trust; now we need to think about talking the same language. There is some good work being done on this by MITRE on Structured Threat Information eXpression (STIX), but we’re not there yet.
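To make “talking the same language” concrete, here is an added example (not from the original post, and not MITRE’s own tooling) of what a shared format buys you: one party produces a small STIX bundle describing a piece of malware and the indicator that points to it, and the receiving party checks the required STIX properties, checks that the relationship references resolve, and pulls the observable values out of the pattern for its own defences. It assumes STIX 2.1 JSON serialisation (the post predates it and refers to the earlier XML-based STIX) and uses only the Python standard library; the malware name, domain and IP address are constructed for illustration, drawn from documentation-reserved ranges.

```python
"""Minimal STIX 2.1 producer and consumer using only the standard library.

Added example: assumes STIX 2.1 JSON objects; all indicator values are constructed.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# STIX identifier: <type>--<uuid>, e.g. indicator--1f2d...; UUIDs are lower-case hex.
STIX_ID = re.compile(
    r"^[a-z][a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

# Required properties (STIX 2.1) for the object types this example uses.
REQUIRED = {
    "indicator": ("type", "spec_version", "id", "created", "modified",
                  "pattern", "pattern_type", "valid_from"),
    "malware": ("type", "spec_version", "id", "created", "modified", "is_family"),
    "relationship": ("type", "spec_version", "id", "created", "modified",
                     "relationship_type", "source_ref", "target_ref"),
}

# Comparison expression inside a STIX pattern: <object>:<property> = '<value>'
IOC_RE = re.compile(r"([A-Za-z0-9-]+:[A-Za-z0-9_.'\[\]-]+)\s*=\s*'([^']*)'")


def stix_timestamp(dt=None):
    """RFC 3339 UTC timestamp with millisecond precision, as STIX requires."""
    dt = dt or datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def make_object(obj_type, created=None, **props):
    """Build a STIX domain/relationship object with the common properties filled in."""
    ts = stix_timestamp(created)
    obj = {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
           "created": ts, "modified": ts}
    obj.update(props)
    return obj


def make_bundle(objects):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def validate(obj):
    """Consumer-side check of one object; returns a list of problems (empty = passes)."""
    problems = []
    t = obj.get("type")
    if t not in REQUIRED:
        return [f"unknown or unsupported type {t!r}"]
    for k in REQUIRED[t]:
        if k not in obj:
            problems.append(f"{t}: missing required property {k!r}")
    oid = obj.get("id", "")
    if not STIX_ID.match(oid) or not oid.startswith(t + "--"):
        problems.append(f"{t}: malformed id {oid!r}")
    if t == "indicator" and obj.get("pattern_type") == "stix":
        p = obj.get("pattern", "")
        if not (p.startswith("[") and p.endswith("]")):
            problems.append("indicator: stix pattern must be enclosed in [ ]")
    return problems


def validate_bundle(bundle):
    """Validate every object and make sure relationship references resolve within the bundle."""
    problems = []
    ids = {o["id"] for o in bundle["objects"] if "id" in o}
    for o in bundle["objects"]:
        problems.extend(validate(o))
        if o.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if o.get(ref) not in ids:
                    problems.append(f"relationship: dangling {ref} {o.get(ref)!r}")
    return problems


def extract_iocs(pattern):
    """Pull (property, value) pairs out of a simple STIX pattern for loading into local controls."""
    return IOC_RE.findall(pattern)


def roundtrip(bundle):
    """Serialise to the wire format and back, as a partner would receive it."""
    return json.loads(json.dumps(bundle, sort_keys=True))


def build_sample_bundle():
    """Producer side: a constructed malware object, the indicator for it, and the link between them."""
    when = datetime(2012, 11, 1, 9, 30, tzinfo=timezone.utc)  # fixed so output is deterministic
    mal = make_object("malware", when, name="Example Dropper", is_family=False)
    ind = make_object(
        "indicator", when, name="Example Dropper C2",
        pattern="[domain-name:value = 'updates.example.com' OR ipv4-addr:value = '203.0.113.5']",
        pattern_type="stix", valid_from=stix_timestamp(when),
    )
    rel = make_object("relationship", when, relationship_type="indicates",
                      source_ref=ind["id"], target_ref=mal["id"])
    return make_bundle([mal, ind, rel])


if __name__ == "__main__":
    bundle = build_sample_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(roundtrip(bundle)))
    print("iocs:", extract_iocs(bundle["objects"][1]["pattern"]))
```

The consumer checks are deliberately the boring ones: required properties, well-formed identifiers and references that resolve. Those are exactly what breaks when every organisation invents its own spreadsheet format, and they are what a shared standard lets you automate instead of negotiating partner by partner.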
The next stage is to move beyond cooperatively sharing information to sharing capabilities and resources, to improve coverage, efficiency and response times, especially at the smaller end of the sector and the smaller end of the supply chain.
Having a great set of risk analysts, security architects, network defenders, forensic analysts, reverse engineers or other key cyber skill sets is no good if you’re relying on a business partner who has only one or two security staff and cannot fill all those roles. Having an effective and efficient 24×7 SOC with advanced analytics capabilities is impressive until your supply chain is compromised and the first you see of it is when your business processes fall over.
Strategic cyber planning should now be considering how you will capitalise on your investment in cyber security in order to increase the resilience of your business partners and your supply chain. Cyber security is not a zero-sum game.