Leading cyber security professionals are clear: nation state attacks can be of such scale and sophistication that it is inevitable that sometimes one will beat the defences of even the most sophisticated outfits.
The focus then is on businesses: to reduce the likelihood of an attack, to recover as quickly as possible, and to minimise the disruption. The constraints facing companies span the scale of the threat, their budgets and their operational requirements.
Avoiding cybersecurity relegation
In some ways it is a bit like managing a team in sport; the opposition may be difficult, there is a balance between defence and attack, and the board will want to know on what the money’s being spent.
When it comes to cyber attacks, we often hear language focused on shifting blame or claiming there was nothing to be done to prevent them. A distant echo of the common sports excuse: the opponent was ‘unstoppable’ or ‘unplayable’.
After any incident, regardless of the field, retracing the sequence of events can reveal an action or inaction that can be identified as a mistake. Both the Royal Mail and Latitude Financial attacks may have been prevented by different approaches to their cyber security.
To continue the football metaphor, a pundit recently criticised Liverpool during a Premier League game for giving an opposition forward too much space. Later, he accused the team of marking the other side too closely. In the same way, a business risks cyber security breaches for inaction and then being pilloried by other parties for doing too much. It’s a delicate balance.
Parking the bus
We must consider the competing demands of the business. Repeatedly, more forthright insureds explain that they can never make their businesses 100% secure. There is a trade-off between enabling the business to trade and cyber security.
Making their cyber posture impregnable at the expense of everything else would be simpler. That is not feasible - businesses need to operate. So, the trade-off will always exist between making systems functional for employees and customers, and making them secure.
If football teams focused completely on defending, there would never be any goals. If businesses took the same approach to their activities, it could affect their ability to conduct business. The fact that they need to do both at the same time is what makes it such a challenge, perhaps one that is unlikely to disappear soon.
The scale and intensity of nation state attacks would seem analogous to playing against the current English Premier League champions, Manchester City F.C.: highly professionalised and well-drilled opposition packed with such skill, intensity and hostility that you have to be constantly on your guard in order not to be overcome by them.
With this persistent pressure, it’s inevitable that the strain will tell and a mistake will occur. The key here is for the team to remain calm and not let a mistake become a crisis. This seems to be a significant focus for leading companies; conceding the first goal must not lead to a rout. This is key in reducing the severity of the attacks that are not stopped.
Talent management [or: Zava is not coming to save you]
Finally, just as most coaches have limits on their budget for talent, companies can only commit so much of their spend to cyber security versus other areas of the business.
Every department will always want additional resources to aid its task. To quote Jose Mourinho, two-time Champions League-winning head coach: "No eggs - no omelettes! It depends on the quality of the eggs. Some give you better omelettes. So, when the class one eggs are in Waitrose and you cannot go there, you have a problem."
The question is: will companies invest in top class security or cut back and risk relegation and the accompanying threat to the survival of the company?
Don’t blame the ref
Every company will draw the line differently. It will no doubt ebb and flow with the cyber security environment and the state of the economy. Preventing and minimising the impact of nation state attacks and behaving responsibly is vital.
Nothing will improve while the stock response to these events continues to be the equivalent of blaming the referee or the state of the pitch.