This question was posed by Saumil Shah, CEO of Net-Square Solutions, presenting on "The seven axioms of security" at ITWeb Security Summit 2017 this morning.
Shah said attacks have evolved over the years, getting more sophisticated, becoming weaponised and politicised, and targeting all manner of devices.
Attacks follow the money, he said. They have evolved since the 1990s from servers, to applications, to browsers and desktops, and on to populations at large. "A single unpatched vulnerability, such as the WannaCry ransomware that hit the world last week, can wreak havoc for hundreds of thousands of people."
The advice from security professionals? Take backups and apply patches. "The evolution of defence is always reacting against some threat. We've seen many reactive defence solutions over the years. They work, but only for a short time, as long as clever people are not finding ways to get past them."
According to Shah, attack strategies change too often. "Strategies are not reused in new threat campaigns, nor are the tactics, or the way they are monetised. They adapt constantly, so reactive technologies can only work in the short term. Attacks succeed because today's defences are reactive."
We have to take defence back, he says. "Actually repel attacks from the network. Security has become a moniker for risk reduction. If you don't know what risk is, how the hell are you going to reduce it? It's vapourware. It's about rules, signatures and updates, scrambling for the next crisis to hit.
"Today's defence measures do not match hacker tactics. Attackers don't follow standards and certifications. They do whatever they want."
It's time we make security great again, he noted.
"Defence doesn't mean risk reduction, it means keeping the attacker out. The first axiom is that the CISO's job is to defend: 90% of the CISO's time today is spent on compliance. This needs to change. It would be far better to split the role of the CISO into two positions: a security-focused officer who prioritises defence, and a chief compliance officer who handles the compliance side of things."
The second axiom is that intelligence begins by collecting everything. "If you want security intelligence, look within. Observe your own organisation."
The third axiom is called 'Schrödinger's Hack'. "You have to think in quantum states, because your system exists in dual states: hacked and secure at the same time.
"You don't know till you open the box. Test realistically. You'll only know what's going on if you test, and you should test systems under real-life circumstances."
Fourth, he said, is that if you can't measure it, you can't use it. Make your security measurable: metrics demonstrate whether you are doing well or going wrong, Shah added.
The fifth axiom looks towards users. "We need to discriminate between users. Learn from users; you can't apply the same security measures to all end-users. As privacy expert Bruce Schneier says, users will take dancing pigs over security. Measure their maturity, and help them to be better. Shift them towards proactivity."
Sixth, the best defence is a creative defence, because creative defences are unexpected. Look at other creative, innovative alternatives.
Finally, he says, make defence visible, and make it count. Unless you do, no one will know what you're doing: not the board, and not your users. "Make defence measures visible to the business. It improves the maturity curve, and betters response times. Money saved is money earned."