Strategist Dictum 1: Do Things For Reasons

Strategist Dictum 1: Do things for reasons.

So, what is this absurd strategist nonsense I'm always going on about?

Good question.

Reflecting today on the nature of the world, I believe I have come to the core tenet of strategy. The one from which all other tenets flow, the quintessential, alpha-omega principle of strategy, which is:

Do things for reasons.


On Neil Fisher's Security Blog


Many of you, like me, will be aware of the online conference organisation TED (Technology, Education and Design). The conferences are first class, easily digestible and a couple of years ago featured a journalist – Misha Glenny – who was speaking about cyber crime and how law enforcement and especially organisations online are fairly “useless”, in his opinion, at stopping it or preventing it.

I recently had cause to revisit his talk. Mr Glenny, it will come as no surprise, was subliminally promoting his book Dark Market (available online and in all good book shops!), which is a particularly good read but is, I would say, unrepresentative of the broad expanse of cyber crime and hacking. He starts his TED show with Anonymous and finishes it with a plea for the hacker, many of whom apparently suffer from the common hacker affliction of autism (!), that they should be employed by the “useless” corporations he describes in his book if those organisations want to be safe from constant online attack. Hire a Hacker seems to be what he is saying, reminiscent of the UK Prime Minister’s suggested answer to social unrest: Hug a Hoodie. I’m afraid hackers get little sympathy from me, autistic or otherwise. His analysis, sadly, over-simplifies a more complex cyber landscape.

But Mr Glenny does make some apt and pertinent points which are worth taking note of. For instance, he divides the corporate world into two: organisations that know they have been hacked and those that do not. I was reminded, when I heard this, of a speech made a couple of years ago in which it was said that – and I paraphrase – if you are an organisation that has dependencies online then you have been intruded electronically whether you know it or not. Let me say that again: if you are a business and online (if you are a business and not online you are not in business) then you have been intruded electronically whether you know it or not, whether you are large or small. The intrusion is rarely an act of technical brilliance by a hacker; more likely it is the result of social engineering, where someone in your organisation (targeted through a social media profile) gives away key information, such as logon details. And these intruders are not loners with autism, but organised crime seeking information of value, be that intellectual property, credit card details or bank account numbers. And they won’t just break in and leave (why would they? you don’t know they are there); they will remain, siphoning off information at a rate that goes unnoticed by firewalls and intrusion detection software, or manipulating operational processes to allow them to conduct crime through your business. Why? Because information has value that can be sold on to those who want it, or that can be manipulated to further large-scale criminal aims. Information is the new currency in crime. Let me also corrupt my own quote above: if you think you are a serious and organised criminal and not yet online, then you are just a petty crook.

The head of GCHQ, Iain Lobban, who is due to retire this year, has said that good practice will protect against about 80% of attacks. The remaining 20% are highly sophisticated, with a variety of very specific targets. They will exploit vulnerabilities in software that are unknown to everyone else (so-called zero-day vulnerabilities), and stopping them needs more than just conventional protective measures. Hence, today, organisations need to be much more aware of several features of their business: their online dependency (it will change at a tempo that will both surprise and bewilder the CEO); the value of the information they use and consider their own (hands up if you have done an information valuation exercise as a business) and how well it is protected (is it encrypted, for instance); the flow of information around, into and out of the organisation (especially out); who works for the organisation (so that they can be comprehensively authenticated both in the real world – coming into the building – and in the logical world – logging on); and their forensic preparedness for the inevitable incident that will occur, but that best-practice measures will mitigate and help the business recover from. And if you are dynamically protected in this way and your competition isn’t, guess who the market is going to do business with?
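The post makes two practical points that are worth seeing in code: an intruder who has settled in will "siphon off information at a rate that goes unnoticed" by per-transfer thresholds, and the defence is to watch the flow of information out of the organisation over time rather than one connection at a time. The following is an added illustration, not code from the post or from Neil Fisher; the flow records, host names, addresses and thresholds are all constructed for the example. It contrasts a conventional per-transfer size alert with a cumulative "slow drip" check that aggregates outbound bytes per source/destination pair over a sliding window and only fires when the traffic recurs across several days.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions for this example, not figures from the post)
PER_FLOW_ALERT_BYTES = 5_000_000       # a single transfer this large trips a conventional alert
SLOW_DRIP_WINDOW = timedelta(days=7)   # look back this far when summing a pair's outbound bytes
SLOW_DRIP_TOTAL_BYTES = 2_000_000      # cumulative outbound volume to one destination that is suspicious
SLOW_DRIP_MIN_DAYS = 4                 # and it must recur on at least this many distinct days


def build_sample_flows():
    """Constructed outbound flow records: (timestamp, source host, destination, bytes out)."""
    start = datetime(2014, 3, 1, 2, 0)
    flows = []
    # ws-a: 40 KB to the same external address every hour for a week; every flow is tiny
    for h in range(7 * 24):
        flows.append((start + timedelta(hours=h), "ws-a", "203.0.113.10", 40_000))
    # ws-b: one large 12 MB upload, the kind a size threshold does catch
    flows.append((start + timedelta(days=2), "ws-b", "203.0.113.20", 12_000_000))
    # ws-c: a couple of small uploads on two days, ordinary-looking activity
    flows.append((start, "ws-c", "198.51.100.5", 60_000))
    flows.append((start + timedelta(days=3), "ws-c", "198.51.100.5", 80_000))
    return flows


def per_flow_alerts(flows):
    """Conventional check: which hosts sent any single transfer over the size threshold?"""
    return sorted({src for _, src, _, size in flows if size >= PER_FLOW_ALERT_BYTES})


def slow_drip_alerts(flows):
    """Cumulative check: (source, destination, bytes, active days) for pairs whose small
    transfers add up to a large volume across several days inside the sliding window."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in flows:
        by_pair[(src, dst)].append((ts, size))

    alerts = []
    for (src, dst), recs in by_pair.items():
        recs.sort()
        left = 0          # index of the oldest record still inside the window
        total = 0         # bytes currently inside the window
        for right, (ts, size) in enumerate(recs):
            total += size
            # slide the window forward: drop records older than ts - SLOW_DRIP_WINDOW
            while recs[left][0] < ts - SLOW_DRIP_WINDOW:
                total -= recs[left][1]
                left += 1
            window = recs[left:right + 1]
            active_days = {t.date() for t, _ in window}
            # only report traffic the per-flow threshold would have missed
            if (total >= SLOW_DRIP_TOTAL_BYTES
                    and len(active_days) >= SLOW_DRIP_MIN_DAYS
                    and max(s for _, s in window) < PER_FLOW_ALERT_BYTES):
                alerts.append((src, dst, total, len(active_days)))
                break     # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    sample = build_sample_flows()
    print("per-flow alerts:", per_flow_alerts(sample))
    for src, dst, total, days in slow_drip_alerts(sample):
        print(f"slow drip: {src} -> {dst}, {total} bytes over {days} days")
```

Run as a script, the per-flow check reports only ws-b, while the cumulative check reports ws-a, whose 40 KB transfers never individually approach the size threshold but add up to well over 2 MB once the drip has recurred on four days. The requirement for several active days is what keeps ws-c's occasional small uploads out of the alert list; in practice the thresholds would be set from each organisation's own baseline of outbound traffic.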
