What does good cyber security design look like?

Andrew Wall | 17 Aug 2016 | Comments

Andy Wall shares his thoughts on what good and bad cyber security design looks like.

Business operations, and the technology that supports them, are growing in complexity. Securing those operations is becoming harder, in no small part because of the continuing demand for more modern, efficient and effective infrastructure.

What we therefore need is better design: design that is undertaken up front, early in the process. We believe that existing industry approaches only go so far. As an organisation that designs and engineers some of the most complex infrastructure on the planet, we have some views on securing it – the security design challenge.

Technology and security professionals are used to designing technical solutions as shapes on network maps and schematics, typically detailing many layers, boxes and connections. We adopt a different approach. Although we still start with an idea and develop it into a detailed set of requirements, our approach is based on a different form, one that can address diverse levels of analysis, encompass an organisation's strategy and objectives, and focus on the people, processes and technology required to realise those objectives.

A fundamental aspect of this approach is our belief that security is misunderstood in many organisations. To us it is a process, not a product. It exists to protect assets of value, which makes it a relative concept: it has no intrinsic meaning outside the asset view. As an asset changes, so does the security around it, according to the organisation's approach to risk.

If security design is so important what can hinder it? In our experience the key elements are:

  • A misunderstanding of the threat as a fixed ‘thing’, when it has many components – sources, agents, motivation, capability, resources – any of which can change at any time.
  • Too much focus on technology that sits in organisational silos as the single solution to cyber security. This inevitably leads to people and processes being overlooked, even though a large share of cyber incidents involve human error.
  • Little common language across organisations. Despite the fact that ‘security is everyone's responsibility’, every industry, sector and technology is different. Just think of the overlapping but distinct needs of Information Technology and Operational Technology.
  • Cyber is borderless. Country, organisational and functional boundaries mean nothing to an attacker, so security governance needs to span those boundaries to avoid gaps in security posture.
  • We have an unbalanced workforce. Yes, there is a cyber skills shortage, but it is worse than that: the workforce is dominated by IT, yet effective cyber security needs skills from across a business, e.g. business change, process analysis, human factors; it is not all about technology.
  • Over time, the business and its countermeasures lag behind both the technology and the threat. With this in mind we must ask ourselves ‘is this a battle we can win?’, which means organisations must decide what risk they are willing to accept.
So what does ‘good’ look like? Security needs to be built in at every stage of engineering design and fully aligned to business requirements. It is therefore about:

  • Understanding the business goals and objectives
  • Determining the assets and their criticality to the business
  • Understanding the threats, risks and opportunities related to the business operations and assets
  • Developing the strategies, processes, mechanisms, standards and tools that will deliver the goals and treat the risks
  • Developing the governance, management, roles and responsibilities that will underpin those processes and mechanisms
  • Understanding the geographies, sites, business units and infrastructure where security needs to be implemented
  • Understanding the business time aspects, calendars, processing schedules and sequences.

This approach provides traceability from the business down to the security requirements, so that every security control exists to serve a specific business purpose, and every critical asset and credible threat can be shown to have a control that addresses it.
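The traceability described above can be checked mechanically once the design is recorded as a small graph of objectives, assets, threats and controls. The following is an added example written for this page, not code from the original article or its authors: the data model, the criticality scale (1 to 5) and the sample payments operation are all constructed assumptions, and the functions report the gaps a design review would look for (threats nothing mitigates, critical assets exposed by those gaps, controls that trace to no threat, and assets that trace to no business objective).

```python
"""Traceability check for a security design.

Added example, not from the original article: it models the chain the
article describes (business objective -> asset -> threat -> control) as a
small graph and reports the gaps a design review looks for. All data
below is constructed for illustration; the 1..5 criticality scale is an
assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int          # 1 (low) .. 5 (critical), assumed scale
    objectives: frozenset     # business objectives this asset supports


@dataclass(frozen=True)
class Threat:
    name: str
    targets: frozenset        # asset names this threat acts on


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: frozenset      # threat names this control addresses


# Constructed sample model for a small card-payments operation.
OBJECTIVES = {"take-card-payments", "meet-pci-dss"}
ASSETS = [
    Asset("cardholder-db", 5, frozenset({"take-card-payments", "meet-pci-dss"})),
    Asset("payment-api", 4, frozenset({"take-card-payments"})),
    Asset("marketing-site", 1, frozenset()),      # no business objective recorded
]
THREATS = [
    Threat("sql-injection", frozenset({"cardholder-db", "payment-api"})),
    Threat("credential-theft", frozenset({"payment-api"})),
    Threat("ransomware", frozenset({"cardholder-db"})),
]
CONTROLS = [
    Control("parameterised-queries", frozenset({"sql-injection"})),
    Control("mfa-for-admins", frozenset({"credential-theft"})),
    Control("legacy-av-on-kiosks", frozenset()),  # mitigates nothing modelled
]


def uncovered_threats(threats, controls):
    """Threats no control mitigates: a gap in the design."""
    mitigated = {t for c in controls for t in c.mitigates}
    return sorted(t.name for t in threats if t.name not in mitigated)


def unprotected_assets(assets, threats, controls, min_criticality=3):
    """Assets at or above min_criticality that face an unmitigated threat."""
    gaps = set(uncovered_threats(threats, controls))
    return sorted(
        a.name for a in assets
        if a.criticality >= min_criticality
        and any(a.name in t.targets for t in threats if t.name in gaps)
    )


def orphan_controls(controls, threats):
    """Controls that mitigate no modelled threat: cost with no traceable purpose."""
    known = {t.name for t in threats}
    return sorted(c.name for c in controls if not (c.mitigates & known))


def untraced_assets(assets, objectives):
    """Assets that support no stated business objective: why protect them at all?"""
    return sorted(a.name for a in assets if not (a.objectives & objectives))


def trace(control_name, controls, threats, assets):
    """Business objectives a control ultimately serves, via threat and asset."""
    control = next(c for c in controls if c.name == control_name)
    hit_assets = {a for t in threats if t.name in control.mitigates for a in t.targets}
    return sorted({o for a in assets if a.name in hit_assets for o in a.objectives})


if __name__ == "__main__":
    print("uncovered threats:  ", uncovered_threats(THREATS, CONTROLS))
    print("unprotected assets: ", unprotected_assets(ASSETS, THREATS, CONTROLS))
    print("orphan controls:    ", orphan_controls(CONTROLS, THREATS))
    print("untraced assets:    ", untraced_assets(ASSETS, OBJECTIVES))
    for c in CONTROLS:
        print(f"{c.name} serves:", trace(c.name, CONTROLS, THREATS, ASSETS))
```

Run as a script, the sample model flags ransomware as a threat with no control, the cardholder database as a critical asset left exposed by that gap, the kiosk anti-virus as a control that serves no modelled threat, and the marketing site as an asset tied to no business objective. The same four questions are the ones to ask of a real design when an asset, a threat or a business objective changes.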

Design, though, is not a one-off activity. We cannot pat ourselves on the back and walk away happy once it has been delivered. Technology evolves, threats adapt and business needs change. Our designs need to evolve with them, and security needs to be lived and operated – it should be the oil in the cogs of your machine.