How to Build an Adaptive Security Culture


By Bruce Cowper, SecTor

If you don’t adapt, you don’t survive. It’s a principle that runs throughout nature and business – and it’s just as true in cybersecurity. Security teams need to be as adaptable in their technological environments as animals are in their natural ones. Often, though, security practitioners are rigid, slow moving and unresponsive.

Things have to change. It’s time for an adaptive approach to security. This is especially true now. Since the early 2000s, cybersecurity threats have been accelerating.

In 2000, US-CERT logged 21,756 cyberattacks. The biggest causes of such incidents at the time? Denial of service attacks, BIND domain name system software vulnerabilities and the LoveLetter worm. The first botnet had only surfaced a year before, and Windows XP wouldn’t ship until a year later. Social media didn’t exist. 

Today’s threats have expanded in number. In 2009, PwC recognized 3.4 million cyber incidents. Last year, that number hit 42.8 million, representing a 66 percent CAGR over five years.

They have also deepened in complexity and type. Cybercrime is a commercial operation. Zeus malware is being repurposed to attack specific vertical markets. Exploit kits are available off the shelf, and even mainstream websites can be made malicious.

Cyberattackers always look for the next advantage, which typically involves exploiting new technologies. Because innovation is systematic in the technology sector, they have plenty of feedstock.

You don’t fight a multi-headed, fast-moving enemy by freezing. You adopt a culture of adaptability, able to bend and flow, and counter new kinds of attack as they emerge. As Bruce Lee so famously put it: "become like water."

This culture of adaptive security breaks down into three parts, which map broadly to the three phases of a cyber-incident: before, during and post-attack.

Not so Rigid Risk Management

The first and preventative part of this strategy focuses on risk management. Many risk management teams take a rigid and overly structured approach.

One common mistake is to focus on security product features. Relying on a security appliance to cover all of your bases may seem like an easy win, but you may find that the security capabilities of those solutions don’t match the needs of your organization.

These needs are changing as the technology changes. Ten years ago, departmental managers wouldn’t have had recourse to cloud-based applications such as analytics and CRM. Now they may well spend their own budget on those services.

These technologies dissolve the traditional perimeter-based security model, creating new threat vectors. Risk management and security infrastructure design must be fluid enough to absorb them, which means that cybersecurity teams must be willing to mold their perceptions around them.

Make No Assumptions

The second part of an adaptive security strategy looks at how the organization acts when an attack is underway. The first rule is to admit your own vulnerability; assume you will be breached at some point. Acknowledge that even the best risk management won’t make you invincible.

Avoid making assumptions that will blind you to potential threats during this phase. Your cybersecurity team may have tailored a response to specific threats, assuming that they are the most likely. If you ignore those threats that you never thought would occur, you may be caught unawares and end up taking longer to resolve an attack.

Blindness can manifest itself in other ways, too, particularly when looking at how you respond to an attack across different components of your technology architecture. Many systems directly affect many others. If your Active Directory system is compromised, for example, that may touch other systems such as human resource applications, access control layers or collaboration software. Your response team must be able to explore these systems as quickly as an attacker does.

That can be challenging, because companies tend to create organizational silos around these systems that can stop response teams thinking laterally about them. Sometimes, different teams can even be dedicated to specific parts of the technology infrastructure, which can restrict cross-system visibility.

Update Your Response and Test

Finally, there’s the post-attack phase. This is where your team gets to plug the hole that an attacker exploited. This is where an adaptive security strategy comes into its own. Running a post-incident review is one part of this process. Security teams can then secure the hole that was exploited and also look for similar vulnerabilities elsewhere in the infrastructure.

The other part of the process is updating the risk management process and the response "playbook" with information gleaned from the attack, so that your company’s security is hardened and the response team better equipped to cope next time.

It’s also important for organizations to test themselves once fixes have been applied, to prove that they have adapted. A "war games" approach can be useful here, with hired attackers specifically setting out to gain access via the same attack vector.

Doing all of these things will help companies close the circle by feeding positive information back into the security process. This is where an adaptive security architecture comes into its own.

Building Security into Organizational Culture

These pointers will help you build more operational and tactical adaptability into your cybersecurity operation. These are great for short- to mid-term challenges, but there are longer-term, more strategic lessons to be learned here, too. Security threats will morph just as dramatically as technology does. How can you adapt to these changes?

Explore the extent to which security is built into your organizational culture, rather than merely being bolted on. This includes appointing security staff at a strategic, managerial level and driving secure processes (such as secure software development and secure procurement) throughout the company. Engaging employees properly and systematically with user security awareness training that actually works is also a crucial part of the equation. After all, companies aren’t just collections of processes; they’re also built from people.

All the technologies that underpin those processes, and which are used by those people, are going to change even more dramatically in the next few years than they did in the last few. Mobility, cloud computing, the Internet of Things and the digital supply chain are going to evolve and work together, in unison. It’s all speeding up, which means that your cybersecurity practice will need Bruce Lee-like skills. Are you ready to become like water?

Bruce Cowper is a founding member of the Security Education Conference Toronto (SecTor), which runs Oct. 20-21, 2015. For more information and to sign up for educational sessions about techniques spanning the management and technology aspects of cybersecurity, visit and follow @SecTorCa on Twitter.