Responsibilities of a cyber security manager
The responsibilities of a cyber security manager are varied and complex.
The cyber security manager must bear in mind numerous variables when considering the security of his or her clients, as well as the security and integrity of those within his or her own organization.
The first and most important responsibility is to have an in-depth and broad understanding of the environment in which his or her client operates. This involves having up-to-date knowledge of the general trends in the field of cyber security, information security and security in general. The manager has to bear in mind how the information systems under their responsibility are interconnected with the broader concept of security in general.
With each tactic which can be employed to maintain general security, there also comes a cost. A certain encryption method may be more secure against brute-force attacks, but may be more vulnerable to social engineering. Alternatively, the encryption algorithms may be more widely known and therefore more subject to scrutiny. This in turn can mean that the algorithm is more secure against some groups but less secure against others: the more widely known the algorithm, the more polarized its potential for security or failure becomes.
More obscure algorithms may be less widely known, and therefore less subject to scrutiny, but as a result may be more obscure to potential attackers. This in turn can increase security, at the risk of the algorithm being less stable and less reliable.
Additional responsibilities of the cyber security manager include gathering information on his or her clients to understand the specific threats they face: knowledge is power, and with the knowledge that comes with an understanding of the threats that his or her clients face comes the power to be able to respond both proactively and retroactively.
A key element in the relationship is trust. The clients must trust the cyber security manager to have their best interests at heart, given the position of responsibility which is entrusted to them, but the cyber security manager must also be able to trust his or her clients: with knowledge of the tactics used by the cyber security manager also comes knowledge of his or her weaknesses, as well as their strengths.
The general security climate can be compared to a biological organism: the number of people with access to systems which can be used to make attacks has never been higher. With that situation comes a certain understanding: attacks may be a constant phenomenon in the current security climate. A key point is that an understanding of those attacks can tell us which ones we should be concerned about and which we shouldn’t worry about. There is a distinction to be made between serious organized attacks by knowledgeable players and opportunistic attacks by less serious players. Understanding the difference between these can make the difference between information security and information system compromise.
Using monitoring software developed with this understanding in mind, it is possible to determine which attacks we should be worried about and which we shouldn’t. From there, procedures can be developed to isolate the effects of a potential system compromise.
Cyber security is dependent on the networks of information, technology and people that it is composed of. A small stimulus to one part of the network can have wider-scale effects under certain conditions. The nodes which a network consists of may be points of information, people, locations or a certain technology principle. Because these “nodes” are connected to others in some way (such as through relations to other technology, information which directs to another form of information, or people who know each other), a broad understanding of what the network looks like is important when trying to understand how shocks to one part of the network can affect other parts.
As an example: if we look at the social networking website Facebook, each individual person could be represented as a node on part of a wider network. Each of the “friends” a person has could also be represented as a node on the network, and the process of adding a “friend” on Facebook is the development of a link between one node and another.
If we apply that principle more broadly to phenomena outside of Facebook, we would be able to draw networks of information and social phenomena using different technologies as a medium. Alternatively, we could draw a network of technology using people and information as a medium. It all depends on the threats which your client faces.
For this reason, it is important to be able to gather information on the client in order to understand the threats that they face. We may be able to see certain nodes on a network which are highly vulnerable, or alternatively we may be able to see certain nodes which hold the rest of the network together (making them appealing targets for attackers). The main aim is to preserve the integrity of the network, but it may be desirable to allow some nodes a certain level of vulnerability if it means that we can more effectively defend another, more important node. Or we can use a certain node as a “sacrificial lamb”, to gather information about attackers which can be used to defend the rest of the network more effectively.
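The idea of nodes which hold the rest of the network together can be made concrete with a small graph computation. The following is an added example, not part of the original article: the node names and links are constructed, and the code finds the nodes whose loss would split the network, then counts how many other nodes each loss would cut off.

```python
# Constructed sample network (all names hypothetical): people, systems and
# information as nodes, an edge meaning the two are linked.
EDGES = [
    ("alice", "mail"), ("bob", "mail"), ("carol", "directory"), ("mail", "directory"),
    ("directory", "files"), ("directory", "build"), ("files", "build"), ("build", "plans"),
]

def build_graph(edges):
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def critical_nodes(graph):
    """Nodes whose loss splits the network (articulation points, Tarjan's DFS)."""
    disc, low, critical = {}, {}, set()
    def visit(node, parent):
        disc[node] = low[node] = len(disc)       # discovery order of this node
        children = 0
        for nxt in graph[node] - {parent}:
            if nxt in disc:                      # already visited: alternative route
                low[node] = min(low[node], disc[nxt])
                continue
            children += 1
            visit(nxt, node)
            low[node] = min(low[node], low[nxt])
            if parent is not None and low[nxt] >= disc[node]:
                critical.add(node)               # subtree has no route around node
        if parent is None and children > 1:      # DFS root with several subtrees
            critical.add(node)
    for node in graph:
        if node not in disc:
            visit(node, None)
    return critical

def cut_off_count(graph, lost):
    """How many surviving nodes fall outside the largest remaining component."""
    remaining, sizes = set(graph) - {lost}, []
    while remaining:
        stack, seen = [remaining.pop()], 1
        while stack:
            linked = graph[stack.pop()] & remaining
            remaining -= linked
            stack.extend(linked)
            seen += len(linked)
        sizes.append(seen)
    return sum(sizes) - max(sizes)
```

In this sample, `files` sits on a loop and can be lost without splitting the network, while `directory` is the node whose loss isolates the most others, which is the kind of ranking that helps decide where defensive effort goes first.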
The overall objectives of the client are important to know when trying to understand the threats they face. The development of a new product, for example, may be something which a competitor would like to know about. If that’s the case, then we could say that the risk to the network may be higher when financial gain is involved. In addition, if we know which entities are likely to attack, then we might be able to gather information on their capabilities and develop countermeasures in return.
No security system is 100% secure. This is because whenever a piece of information must be accessed, there is the potential for attackers to manipulate the security systems which protect the information to gain access. A common method of attack is through social engineering. Social engineering is the method used to gain access to information through psychological methods or any other form of deception involving people, such as convincing a person to provide a password to a certain account.
Whilst humans tend to be fallible, computer systems are generally more secure in terms of information security. Most modern encryption methods are generally very robust when faced with typical attacks. However, without the knowledge of how systems can be compromised (all systems have weaknesses) any system can be vulnerable to attack.
Combining the elements of self-knowledge, an understanding of one’s own security systems and their vulnerabilities, and knowledge of others (both attackers and benign entities) we can draw points of contention, as well as develop means to strengthen those particular areas. This is a collaborative process: the client must be able to see the cyber security manager as an ally.
“No man is an island” is a mantra which is particularly true when it comes to cyber security. It is easy to interpret the rapidly developing internet as a massive unknown in terms of both its potential opportunities and the threats which it presents. But we must always consider that the internet is nothing without the people who control its content: those people have every facet which accompanies being a human being, including motivations, goals, emotions, fears, hopes and any other psychological phenomena. In order to understand how our security systems operate, one must also look at the people who make them work, as well as understand the people whose goals do not align with ours. To do that, we need to communicate with both internal and external opportunities and threats. It is very difficult to escape the influence of technology in our age, but with the appropriate analysis we can cultivate the areas which show promise and act to mitigate those areas which appear threatening. But all this is dependent on an understanding of the people we are interacting with.
Many of the principles which exist in modern communication networks have existed for millennia in different forms. If we take the example of written language, we can see how the interpretation of written language was for many years unobtainable for many, even until the 19th century. Indeed, this still exists in many parts of the world. In the same way, understanding of modern information security systems is an area of obscurity for many, even as these mechanisms are used daily by many.
Technologies such as email, instant messaging, web page interaction and even map utilization are all subject to their own particular security concerns. A key role of the cyber security professional is to be able to communicate these concerns to their clients and offer means by which the threats these technologies present can be mitigated, as well as providing insight into how the opportunities they present can be capitalized on.
Everyone has their own set of values and conditions, which in turn will guide the cyber security professional toward the optimal course of action for each instance of risk or opportunity. As a result, they need to have comprehensive knowledge of the technologies which customers use, and the contexts in which those technologies are used. These competencies are developed over time: with the myriad of software technologies available on the market, the analysis of such technologies cannot be conducted instantaneously. Computers are good for a lot of things, but people are still an essential component of most security operations. As an example: a computer can calculate pi to 50 decimal places, but the analysis of human interactions is best done by people, not computers. Since people are the driving force for new technologies (as well as the utilization of new technologies), it follows that if we can understand people, we can understand how new technologies will be used and developed.
Luckily, the internet in general is, at its core, a network made up of people. It is the people in this network that interest us, although the mechanisms by which they are linked are also of interest. When it is the people who are the drivers for change and adoption of new methods of operation, it follows that people should be our main priority.
Whilst we understand that no academic field can understand the full range of human experiences, emotions and knowledge, we can still create models to better help us peer, even if ever so slightly, into the perspectives of others. These perspectives are vital to gaining an understanding of potential areas of collaboration and co-operation: it’s impossible to know what your clients and competitors want without being able to put yourself in their shoes (to some extent). In the same way, understanding how a system is vulnerable involves being able to think as an attacker would: are our points of vulnerability hidden or exposed? Will they aim for central nodes which could have a domino effect on other systems? What technologies do they have at their disposal in initiating an attack? By asking these questions, we can gain an insight into the mind of an attacker, and through that the remediation process can begin.
It is sometimes said that to create peace, a person must listen to their enemy. This applies more than ever in the field of cyber security. With the advent of the internet come many unknowns. Where is my data going? Who has access to it? Can it be used against me? People usually fear the unknown, because it taps into the primordial instinct of potential danger outside the small sphere of that which is known. But in a modern world where technology is omnipresent, it follows that we must trust, at least to some extent, those people who have power over us, until the time comes that we are able to understand what they do: that sometimes, our enemies and our allies are the same people.