Funding limitations are a reality all CISOs and their teams must contend with, but the cost of securing the enterprise is too often considered just on the basis of hard allocations—the tools, time, and resources needed. Intangibles and opportunity costs must be considered as well. Is the return on the investment of resources to build that next application feature greater than the costs of an inevitable breach and the reputation and brand harm it creates? These can be complex and challenging questions for any organization, but they are the types of questions that all companies should become more comfortable answering.
And they pale in comparison to the complexities and challenges of ever-expanding and complicated networks, sprawling outward with more and more consumer-level devices. The longer an organization delays, though, the more difficult the path forward could be.
The telltale sign of a need to focus on these areas is the recognition that you haven't already. Too many companies use a breach as an indicator—perhaps not understanding the substantial risks involved. If you are not already implementing secure coding practices, if you are not already looking for the presence of unauthorized IoT devices joining the network, you are already behind the curve. It's almost a certainty that you have devices and code that are easily compromised. The fact that you don't know for sure indicates how great the risk can be—and reveals how critical visibility, and the insights it provides, is to strategically managing and mitigating the intensifying levels of connectivity in the IoT era.
ABOUT THE CONTRIBUTOR
Brian Talbert – Director of Network and Connectivity Solutions, Alaska Airlines
Brian Talbert leads the Network and Security Engineering division of Alaska Airlines. Brian is responsible for the strategic direction and platform development that secures the infrastructure responsible for flying 33 million passengers per year to over 115 destinations. In the 20 years prior to Alaska Airlines, Brian worked for leading service providers and enterprises building solutions and organizations that drive information security technology.
CYBERSPACE: MAKING SOME SENSE OF IT ALL
Chris Inglis, Former NSA Deputy Director
Cyber. Few words enjoy more widespread use across languages and cultures. Used variously as a noun and an adjective, it conveys more meaning in five letters than the vast majority of its counterparts in any language. As a direct consequence of the varied uses of the term, many discussions involving cyber fail in the simplest goal of human communication, namely to ensure that the participants understand or mean the same things in their attempt to communicate.
To that end, this section lays out a foundation for understanding the essential elements of cyber as a literal place—hereafter referred to as cyberspace. Of note, the term cyberspace includes, but is not limited to, the sum of hardware, software, and interconnections that are collectively referred to as the Internet.
One of the most important things that the curiosity-minded pioneers of the Scientific Revolution did was to intellectually (and sometimes literally) peel apart a common thing—a leaf, a parasite, a hillside—to better understand what it was made of and how its parts were connected, trying to understand how each layer worked and helped govern the whole.
THE CASE FOR CYBERSPACE AS A DOMAIN
Various writers have argued that cyberspace is not a domain, since it is man-made and therefore lacking in the enduring and unchanging properties inherent in domains resulting from immutable laws of nature, time, and space. The case for cyberspace as a domain is found in the simple fact that, on the whole, it has unique properties that can be understood, or purposely altered, only by studying cyber as a thing in its own right. It is a center point that is the result of integrating diverse technologies and human actions, while it also serves as a resource enabling widespread collaboration and integration.
TEASING OUT THE CONSTITUENT PARTS OF CYBERSPACE
Mention the term cyberspace in any otherwise polite conversation and the mind's eye of the listener immediately conjures up a jumbled mess of technology, wires, people, and communications racing across time and space or stored in vast arrays of storage devices. The resulting rat's nest of technology, people, and procedures then offers such a complicated and undistinguished landscape that, within the context of the conversation, further use of the word cyber could mean anything, and often does. It is important, then, to tease out the constituent parts of cyberspace to describe their characteristics, their contribution to the overall effect, and their relationship to each other. This, in turn, will yield a taxonomy or roadmap that allows focused discussions about discrete aspects of cyberspace that can be considered in the context of the whole.
This section attempts to describe, in context, discrete facets of cyberspace along the following lines: physical geography, communications pathways, controlling logic and storage, devices, and people. It's important to note that cyberspace is not actually built this way, any more than a human being grows from embryo to adult according to the taxonomy laid out in Gray's Anatomy. But the understanding of the unique characteristics of cyberspace and how it is likely to operate under various scenarios is the goal here, not a description of how to build it anew.
THE BOOKENDS: GEOGRAPHY AND PEOPLE
Like any domain, cyberspace is sandwiched between the earth that hosts it and the people who would use it. Given humankind's long experience with both (that is, geography and people), this fact is both a source of comfort and a vexation. To see why, we need only consider each in turn.
The Geography Layer
Human knowledge of geography often informs an understanding or sense of how things move from one place to another and how authorities for various activities are allocated across vast stretches of geography. What schoolchild has not memorized the axiom that the shortest distance between two points is a straight line? However comforting the thought, cyberspace is only vaguely aware of the rule, finding it inefficient to blindly route communications around the globe based solely on the physical distances involved. To wit, an email being sent from New York to San Francisco in the middle of an American workday will compete for bandwidth with the massive flows attendant to financial trades and transfers, logistical coordination among shippers and suppliers, personal communications, and even the latest YouTube craze-du-jour of cats playing pianos. That email might well be sent from New York to San Francisco through other countries.
Software running on the millions of computers controlling the storage devices and pathways of cyberspace constantly senses the status of various routes, sometimes sending communications around the planet on pathways that are underutilized to arrive at a destination only miles away in the shortest time possible. Not understanding the informal but influential rules that inform cyberspace routing means users may be forever surprised at the paths their communications take and where they may actually reside while being stored until the owner accesses them. In most cases, this counterintuitive phenomenon represents a user-preferred feature, in that the details of routing and storage are handled automatically without requiring the user to master and direct complex aspects of technology, communication routes, and traffic flows. But the downside is obvious for users who assume that their data is safe from prying eyes