Security vs Defence: Time to move on.

In January we participated in the FIC event in Lille. The theme of failing security emerged in a number of sessions, including the panel discussion that I joined on the second day. Though the panel was entitled 'Cyberdefence: Towards more dynamic approach to cybersecurity', the session bounced between two concepts: counter-attack as a foundation of defence, and defence as a dynamic concept that differs from security as an approach. The latter was the more productive theme for the panel.

The panel settled on the view that Information Security is proving to be a static concept in the way it is being implemented, even when considering the reality of adopting 'preventative security' and 'proactive security', which will continue to struggle over the disjoint between IT and physical security and the role of human vulnerabilities in a holistic cyber security posture. Experts will be evangelising about this for years to come, while firms ignore the integrated nature of their cyber vulnerabilities. Any comprehensive approach to security requires an integrated approach to provide 'security of information' against the converged nature of the cyber threat landscape, but in most cases security will always represent a relatively passive defence posture.

So the panel considered the point that a proactive approach should lead to an active defence, and I kicked off the debate by offering a definition of what 'defence' was in contrast to security. Despite the simultaneous translation, the military members of the audience understood, while for others 'security' was a concept that encompassed all things. 

Proactive defence recognizes that a reactive 'security' posture can still lead to significant impact, and therefore active preparation is a cornerstone of security & defence [irrespective of which concept you buy into], requiring a program of awareness and preparedness-building. Unfortunately there is still little evidence of widespread awareness and appropriate preparedness. Firms are investing in IT security technology, but breaches still occur, and organisations are still vulnerable to older threats in the hands of increasingly talented and advanced attackers.

I advocated a cyber defence concept which was a fusion of pro-active security and pre-emptive defence concepts, to create a more relevant defence strategy. Pre-emptive defence is built on the assumption that active measures will anticipate current threats and are prepared to repel attacks, based on relevant threat intelligence, preparation and testing of response measures, and a 'developed' detection-response doctrine.

By contrast, I proposed that an active defence strategy is built on the assumption that effective defence requires a pre-prepared, active plan to deter, 'counter-act', or engage threats as part of a specific doctrine.

We have refined an advanced cyber defence doctrine that moves beyond complex security plus incident response to provide a service concept that is unique. For more information about our advanced cyber defence services visit and view our pre-active cyber defence flyer. Alternatively contact us for a discreet briefing.
Posted: 6 February 2014 by Optimal Risk Admin