The concept of security is highly subjective and varies greatly with each individual's perception of the functional space and its known threats, but this need not be the case. Physical security, personnel security, insider threat mitigation, information and computer security, engineered systems and business process design all contribute to a comprehensive security framework. Experts from each area may unintentionally overweight the importance of their own specialism, since protection against known threats will always seem more critical than protection against unknown ones.
My understanding of security was shaped by reading Security Engineering by Ross Anderson. From this book, I took the idea that safety and security combine to protect against the effects of events arising from error, mischance, and malicious action. Safety and security might be the same concept and share the same word in some languages. However, when a distinction is made, it is apparent that error and mischance are addressed by well-established processes in safety, leaving malice, or the protection against the effects of malicious action, as the domain of security.
Protecting against malice is incredibly complex. It requires defending against adversaries who intend to cause harm and who have the cognitive ability to develop or obtain the resources and information needed to achieve it. The challenge is ongoing: adversaries develop additional capabilities, refine their tactics, techniques and procedures, gather data to target any possible vulnerability, and learn from successive attempts or attacks against similar targets, allowing them to reorient their approach. In cyber security this challenge is even more apparent because of the instantaneous nature of cyber capabilities, which can be weaponised with just a few lines of code and proliferate rapidly. Unlike the production and use of automatic weapons, which took several decades to spread from the military to organised crime, cyber-capable adversaries can almost instantaneously copy and distribute information on vulnerabilities, or the tools that exploit them.
These factors make a threat-centric approach, which assumes you have a fully comprehensive understanding of the threat's capabilities, increasingly challenging to achieve, if it is achievable at all. But what do we control? The business functions and the organisational systems that perform them. We can engineer reliability and defence in depth, taking a multidisciplinary approach to anticipate the consequences of compromise before any threat capability is discovered.
Security, particularly information and computer security, should be seen through the lens of the degree of trust one maintains that a function will continue to be performed correctly despite a malicious act against any system supporting its performance. This is not the random failure that safety addresses: adversaries will constantly attempt new attacks to achieve their intentions and will seek to subvert the targeted function by intelligently triggering the worst impacts at the most vulnerable moments. The only reasonable response is to treat security as a state, an objective that allows the specification of an engineering effort to achieve it.
The degree of trust that given systems will continue to provide a desired function despite a malicious act.
If security protects systems and preserves functions, then the responsible engineers and business process owners must also be involved. To apply this approach, we must identify an organisation's or facility's critical functions and the systems delivering them, then collaborate across disciplines to assess the possible means and consequences of compromise. We must perform this analysis thoroughly and across disciplines, recognising that much of this information will not exist within any system design. If we do not, we will unknowingly implement a lesser security state. Each represented discipline offers a unique perspective that contributes to a comprehensive understanding of the potential impacts, allowing effective and targeted protective measures, and approaches to detection and response, to be implemented, delivering genuine risk reduction rather than a simulation of it.
Demonstrating absolute or probabilistic protection against malicious acts might not be possible, but reducing the consequences of compromise, and implementing defence in depth so that consequences can be detected, responded to and mitigated before they are realised, is within our control. Employing this function-centric, multidisciplinary approach is the best way to maintain a state of security that remains adaptable into the future.