Kieran Norton believes that cyber security is undergoing an important change. As the U.S. leader of Deloitte & Touche LLP’s (Deloitte & Touche) Cyber Threat Management practice, Kieran leads a team of practitioners who assist clients in transforming their current efforts into advanced cyber threat management programs, building threat defense architectures, cultivating actionable cyber threat intelligence and responding to cyber incidents.Kieran also leads Deloitte & Touche’s mobile security service offering, works with fellow service leaders focused on key post-digital enterprise trends (mobile, social business, cloud and analytics) – and is a contributor to Deloitte’s Center for Security & Privacy Solutions. Here, he explains the change, including why your organization needs to know what data is most critical from a business perspective, where it is and how it can be accessed.

Is it your view that cyber security has forced a transformation from this being a technology risk based model to a business risk based model? If so, what are the implications of that change?

Many companies have been caught on a treadmill looking at security as a matter of technology compliance. As a result, significant time, energy and cost have gone into implementing a number of traditional security controls in order to demonstrate compliance with various regulations, requirements and “best practices.”While valuable and in many cases foundational, I think most security practitioners, and increasingly also executives and other stakeholders, recognize that the threat landscape has changed. The security controls we have historically relied upon can be bypassed with relative ease by well resourced, professional criminals who will patiently profile and repeatedly attack their target for multiple years. We read about these events on an unfortunately frequent basis.

A risk-based approach calls for a more proactive, flexible and responsive defensive posture. This means your organization needs to know what data is most critical from a business perspective, where it is, how it can be accessed, why and how it is used, and who outside your organization would find it valuable. It also implies that you need to be looking further out on the threat horizon – collecting internal and external cyber threat intelligence, using analytics to render the intelligence actionable, building smart automation into your security processes to become more agile and enable faster decision-making when high (business) risk threats are identified.

How does the move to business risk from technology risk change the leadership skill set?

The shift requires strategy, people, process and technology change on a significant scale. It requires that the Chief Information Security Officer (CISO) be able to connect with the business to understand the risks that matter most, develop plans and solutions to address those risks, and articulate those plans to executives and other stakeholders in a way that crystalizes the issue and the value of the solution. Empowering the CISO in this way will allow the company to make business focused, cyber-risk mitigation choices – without dragging everyone through the technical weeds.

That said, this is not just the CISO’s issue but requires support and involvement from the entire C-suite. The CISO can serve as a change agent in the organization if he or she has the right skills and full support from the C-suite.

What are the main differences of an organization or security vendor/company switching from a defensive tools approach to an offensive based approach?

You hear a lot about “offensive security” these days. While this is an interesting and constructive discussion, there are many open questions around what is viable and responsible. Any business that decides to take offensive measures may invite legal or civil action or may find itself the subject of a counter attack. In fact, we have seen a few cases recently where adversaries have stepped up the nature and scale of an attack in response to what they deemed as offensive actions.

For the moment, companies should consider an “active defense” – where they are not reactively responding to the tell-tale signs of a successful attack but leveraging advanced techniques to identify the coming threat and proactively respond. This involves leveraging intelligence from internal and external sources, using forensics and analytic techniques to drive faster decision-making and responsiveness to hostile activities in the network, mining intelligence for improved incident attribution to develop a deeper understanding of the origin of the attacks, and tracking key adversaries to enhance future risk analysis. 

Read more Security Talk online at SecurityMagazine.com/columns/SecurityTalk