What cybersecurity can learn from health and wellness
The current cyberthreat landscape can feel like a dark cloud hanging over the head of every organization, the same way Covid loomed over us for so long. But just as advances in health have offered light at the end of the tunnel for the pandemic, new approaches to cyber wellness can help us stay healthy and secure in the digital realm.
By taking proactive measures to ward off digital diseases like ransomware, and fighting off any infections that do occur through individually tailored therapies and treatments, we can go about our business with confidence, feeling and performing our best.
Adopting a wellness program for cyber health maintenance
Organizations often think of cybersecurity as a necessary evil -- something to be endured and tolerated with gritted teeth. For years, security has been the department of "no".
On the other hand, being physically fit is its own reward: when you take the right kind of care of yourself, you can go about the activities of daily life feeling ready to take on the world. That’s the kind of experience we should strive for in our approach to cybersecurity as well. By helping people see security as an enabler, not a blocker, we can achieve greater buy-in and collaboration to get the whole organization on board.
So, what does a modern cyber health and wellness program look like? Let’s start with what it isn’t: a one-size-fits-all script of exercise and nutrition that’s supposed to deliver the same benefits for anyone who follows it. Wellness doesn’t work that way in the physical world, and it doesn’t work that way in the digital world either.
For people, any health maintenance program must begin with a full understanding of our bodies -- our genetic makeup, current conditioning, lifestyle, any chronic illnesses we may suffer, and so on. This knowledge helps us address our most critical needs first -- and that differs from person to person. One individual might need to reduce their sodium intake, take a statin, start insulin, or increase aerobic exercise; for another, the right fitness routine might incorporate Pilates, a low-carb diet, and a focus on sleep hygiene.
Similarly, cyber health maintenance begins with an understanding of our organization’s digital makeup. What are the foundational assets that make up our business operations, including our applications, devices, users, and permissions? What are the complex interconnections that define their relationships? How and where are they exposed to the internet, and how is access granted and controlled? What are the pathways that a cyberattack might use to enter and move throughout the unique digital environment that powers the business?
This digital DNA is just as unique as the genetic DNA within our cells, and it offers the same promise for enhancing and optimizing our health and wellness. By approaching security on a granular, data-driven level -- as engineers, not just analysts or compliance officers -- we can ensure that our cybersecurity strategy is addressing the right things, in the right way, to reduce our risk of infection.
Of course, there are some digital wellness measures that do have universal value for organizations of any type -- fundamental security procedures such as tabletop exercises, penetration testing, and security training. But they need to be complemented by practices and treatments tailored to the assets and relationships that make up our digital environment, as well as our business operations and processes, rules, and exceptions.
Treating causes -- not symptoms
In recent years, the field of cancer treatment has been transformed through research into the human genome. By sequencing our DNA, we can go beyond brute-force, scorched-earth tactics like chemotherapy to develop new genetic treatments that truly heal the root cause of the disease. By the same token, a DNA-level understanding of our digital environment can help us respond effectively to any attacks that do penetrate our defenses, as some inevitably will.
While medical professionals seek to understand the nature of an ailment before prescribing treatment, security teams too often address symptoms rather than zeroing in on the underlying cause of the breach. They race to restore data from backups and repair damaged systems without focusing on the gaps and pathways exploited by the infection in the first place, whether a flawed approach to identity and access management, inadequate vulnerability management, a lack of visibility into assets and relationships across the environment, or all of these and more. Addressing the impact of a cyberattack without also addressing its cause is like taking painkillers to stop an ache -- temporarily -- without discovering the cancer behind it.
Every cyberattack works differently to steal user credentials or gain access through a new attack path. Like a virus entering the body, the initial landing of an attack finds a way to hook into the cells of the organization, such as through cross-account access in AWS or a phishing email, then works its way deeper to target vital resources. By understanding the specific pathway the illness has taken, we can take targeted measures to prevent a recurrence. In the meantime, the same information will help us limit the impact of the current case, stopping its spread before it can reach the digital heart, brain, or other vital organs of the business.
Moving forward together
This is not a one-way street. For this to work, we need security teams to focus on understanding the business and its operations, provide easy-to-adopt and usable security controls, and solve the pain at its root. At the same time, we need the rest of the business to support and embrace security as a core value. It’s not just the engine but also the brakes that enable speed in a Formula 1 race.
If your doctor never takes your vital signs or orders a lab report, you’re probably seeing the wrong practitioner. Similarly, if your trainer isn’t personalizing your program to your needs and lifestyle, you’re unlikely to get the results you’re looking for -- or even stick with it very long. Conversely, if both take the time to truly understand your body, then tailor their response accordingly, you’ll gain the trust needed for a successful collaboration. That’s the kind of mindset organizations need now, from the board and C-suite to individual engineers and contributors. Security is a goal we all share. When we take a deeply informed, DNA-level approach to our digital health and wellness, we can move forward with confidence to make our business the best it can be.
Erkang Zheng is Chief Executive Officer, JupiterOne