Does my company have a sound cyber security strategy?
Dr. André Kudra, IT security expert at the IT Security Association Germany (TeleTrusT), answers fundamental questions about cyber security strategy. A discussion about the management of IT security, supply chains and excessive complexity.
- A good IT security strategy needs to be in line with the corporate business strategy and geared towards actual security problems.
- Transparent supply chains can reinforce trust in vendors and products.
- Excessive complexity is the enemy of security.
Having overseen digital projects in government ministries in the German state of Hesse, Dr. André Kudra is well versed in strategic thinking and action. It was during this time that he completed his doctoral thesis with the fitting title “Resistance against IT-based change in the German public sector”. He now works on IT security strategies for TeleTrusT, the IT Security Association Germany, and other organisations.
Mr Kudra, how did a degree in business administration take you into the IT security segment?
I have always been passionate about IT and so I also chose to specialise in business information systems when I did my degree. I was particularly interested in e-government, which ultimately took me to the Ministry of Finance in Hesse as advisor to the state secretary, Hesse’s “CIO”. After completing my doctorate I got the opportunity to work on a security project in the private sector. After the turn of the millennium, banks had to struggle with new regulations and identity management was becoming a major issue. I then reached the point where I had acquired enough experience as a freelance professional and joined IT consultancy esatus as CIO. This also led to my active involvement at TeleTrusT, where I head two committees, the Blockchain working group and the Secure Platform task force.
What do you consider to be the most important hallmarks of a good security strategy?
An appropriate security strategy always has to be geared to the risks that the company has identified. It also needs to be aligned to the actual security problems that could impair the company’s operations. A good strategy must have a goal and also needs to be a good fit with the company’s business strategy. If my potential threat is state-sponsored cyber-attacks, it must be understood that the energy I invest in my protection effort will never match what the aggressors can muster to carry out their attacks. So I have to draw a line somewhere: What is strategically feasible for me and what isn’t? On no account should the question of strategy be offloaded to the IT department. Although IT has to implement it subsequently, developing the strategy is a job for management.
How can a company identify whether its own strategy has deficiencies?
In theory that’s an issue where you would apply strategic benchmarking. But that’s not easy to implement. Generally, therefore, the approach is to be guided by best practices and also compare yourself with your competitors. If you look at how similar companies tackle this issue it is easier to determine what you perhaps still need to cover. Often, a company’s dependence on its data is not sufficiently acknowledged. In this respect large companies are in a better position due to regulatory requirements, whereas that is not always the case at smaller companies. Nevertheless, the General Data Protection Regulation (GDPR) was a wake-up call for a lot of companies. If necessary, you call in a consultant for this task.
What core requirements do companies need to take into account when developing a security strategy in order to get a suitable result?
The management needs to make appropriate resources available. It also needs to engage with the subject matter and schedule time for this. In addition, the main stakeholders should be involved. Otherwise, it might turn out afterwards that the concept you have developed does not suit the company. It is often the case that the fate of a strategy is to end up as a policy document at the back of a drawer. Implementation measures also need to be considered and should be agreed on in consultation with all stakeholders, otherwise the implementation can readily fail. The execution of the strategy calls for separate financial resources and that also needs to be taken into account.
A new strategy often results in changes that meet with resistance. If you prepare for this it is easier to then deal with the anxieties of the workforce. The company also needs to be equal to the changes, i.e. there must be a clear understanding about what can actually be achieved at all.
What are the typical difficulties when implementing an IT security strategy?
Choosing suitable products is something that companies often find massively overwhelming. In this case you first of all need to know exactly what the problem is so you can select a suitable product to deal with it. Market knowledge is also necessary to compare products and identify differences. At TeleTrusT we have been looking into this problem for a long time. The association issues the trust mark “IT Security made in Germany” (ITSMIG) to interested members. It incorporates significant voluntary commitments, e.g. that products may not have any backdoors.
Naturally, you can also work with a consultant on this, but you will again have the problem of choice, because it’s not easy to find a good consultant. They need to know the industry well and should perhaps already have done the same thing at a similar company. Recommendations are very important, because after all, IT security is ultimately a matter of trust.
Are there problem areas that are often overlooked when designing security strategies?
Strategic considerations generally do not take account of where the purchased technologies originate from. The coronavirus pandemic is putting supply chain dependencies clearly under the spotlight. And there’s also a lesson here for IT technologies, because companies generally buy security products that are developed in the USA and manufactured in the Far East. Security technology often comes from sources whose trustworthiness cannot be so readily assessed. And this is not just about security flaws; the technology used also needs to be secure in respect of availability. Trust requires transparency in the supply chain. This can be particularly critical for strategically important components in areas like Cloud or 5G, for example. One of a company’s strategic goals might be to only use products from the EU and/or to not store data on servers outside the EU. TeleTrusT has produced a position statement on this issue under the heading “Digital Sovereignty”.
Another neglected aspect is the increasing complexity of products. Thanks to technological combinations we have a lot of options for creating new solutions, but complexity is the enemy of security. Smartphones for example contain a huge amount of program code, because they incorporate a lot of software libraries. Some of these, however, are not even necessary for the functions to be performed, but may nevertheless harbour security problems. When I build unnecessary complexity into systems I have a greater potential attack surface. Reducing the complexity is a way of reducing this attack surface.
Author: Uwe Sievers