Monday, May 15, 2023

Cyber Resilience

Mr. Basu's observations are at odds with mine. If enterprise were more focused on prevention than, for example, on insurance, we would not have the successful extortion industry that we see today.

In the early days of IT we called the security measure of last resort, "backup and recovery."  It focused primarily on human error and disasters, limited to a data center or an enterprise.  As the technology matured and we became increasingly dependent on IT, we called it "business continuity."  It focused on running the business in the face of both natural and man-made risks.  

Today, when our entire infrastructure is dependent upon vulnerable, not to say fragile, interconnected systems of energy, communication, and finance, we call it "resilience."  It focuses on "Black Sky" events.  The risk is to "national security," not to say survival.  

While I grant Mr. Basu the importance of resilience, I suggest that the most efficient way to achieve it is by prevention, by dramatically improving the quality and robustness of our systems.  We need to increase their resistance to both natural events and malicious attacks by a decimal order of magnitude.  Fortunately for us, doing so, both individually and collectively, is efficient.   

We know what to do:

  • Strong Authentication
  • Least Privilege Access Control
  • Process-to-Process Isolation, Logging, and Authentication
  • Structured Network
  • Application Layer End-to-End Encryption
  • Privileged Access Management
  • Redundancy
  • Data, Application, System, Network, and Enterprise Persistence, Continuity, and Recovery
  • Law Enforcement
  • Other

We lack the vision, the intention, and the will.