What constitutes good security infrastructure? Ask a member of a security vendor's sales team, and he might hand you an order book with all the boxes checked. Ask a consultant, and her solution might focus on an extended hand-holding engagement. Ask a member of a country's cybersecurity emergency response team (CERT), and he will talk about national infrastructure and public-private partnerships. The reality is that good infrastructure is the best security you can afford that reduces risk. While this may sound a bit flippant, it is steeped in reality.
International and National Infrastructure
The need for security becomes acute when the environment in which you operate has its own shortcomings—over which you have little control. For example, in October 2013 a Carnegie Mellon University graduate student discovered a slideshow file on the website of the China State Intellectual Property Office (SIPO), the body that protects intellectual property in China. The file listed its author as Tomato Garden, a website well known for distributing pirated software. The important point here is that even the entity charged with protecting the intellectual property of others can have a hard time policing its own infrastructure. If the environment is not robustly organized to provide adequate protections, or if the organization is unable to close off internal access to data, the likelihood of support in the event of a breach or a counterfeit product may be low.
Similarly, Internet penetration is an indicator of security market maturation. Indonesia has a plethora of entrepreneurs, all vying to use the same Internet infrastructure, which at the end of 2013 had an Internet penetration rate of just 33 percent. In comparison, its neighbor Malaysia enjoys almost 66 percent Internet penetration, according to an October 2013 Internet Global Forum report on Indonesia's Internet infrastructure and governance. The more mature the environment, the more likely security infrastructure is both a top-of-mind discussion point and an implemented solution. To that end, the report notes that in September 2013 the Association of Southeast Asian Nations (ASEAN) announced that a cybersecurity agreement had been reached among member states to jointly develop a mechanism to combat cyberattacks, coordinate training, and share threat information. In a nutshell, they took concrete steps to improve both the infrastructure and the security of the infrastructure in which companies must operate in order to remain globally competitive.
Security professionals will almost certainly agree that weaving security into the process as early as possible in the product development or company evolution cycle will, in the long run, save both time and expense. Those who handle security with an uncommitted "we'll get to that later" attitude may find themselves holding greater risk than those who plan ahead. "Bolting on security," in which security is an afterthought tacked on at the end of a process rather than planned and designed before it becomes a necessity, is rarely cost efficient and almost always an incomplete exercise. You will find that those in the "bolt-on" category oftentimes view "compliant" as synonymous with "secure," when nothing could be further from the truth. Compliance gets the door to the market open; being secure keeps your company's doors open. Security risk assessments are the CIO's, CSO's, and CEO's best friend. They highlight identified risks to the decision makers, and the company can then determine which, if any, it can close with available resources and which may be left in a vulnerable state due to resource constraints. The company can then build the security infrastructure that best serves its needs and provides the most robust security intelligence, delivering timely data to decision makers.
Many Hands Make Light Work
Collaboration and sharing of gross event data and redacted specific incident data with partners, and even competitors, will serve to raise the level of awareness for all concerned. Government entities at both the federal and the state level have rolled out public-private partnerships for this purpose. In addition, companies both large and small rely on certain core resources from open-source initiatives. Using open-source technologies lowers overall product and tool development costs. The recent Heartbleed episode demonstrated the need to ensure that security is built into a solution during design and development. OWASP (Open Web Application Security Project) is an example of software industry collaboration: OWASP has rolled out suites of testing tools that companies may use to check for vulnerabilities. To that end, a number of technology companies banded together in late April 2014 to support and fund open-source projects via the Core Infrastructure Initiative. Not surprisingly, the OpenSSL library will be the first global project of its kind, a clear signal of the importance of ensuring that security infrastructure is itself secure.