
Cyber Security. Know Thy Enemy?


Game of Defence

  • We Defend from Known Attackers

  • We Defend from Unknown Attackers

  • We Defend from both Known and Unknown Attackers

  • We just buy a Cyber tool and hope/trust it covers the above...


In our world of constant Risks and Threats, the old Sun Tzu quote should resonate with us all:


“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.”


I recall nearly 20 years ago, presenting to corporate enterprises the value of antivirus, email spam filtering and spyware/anti-malware. Thinking back now, the time spent to demonstrate "proof" and "evidence" of the existence of such risks and threats, and WHY it was important to DEFEND against them, was like a never-ending movie scene. Played on repeat. On VHS. Hitting Rewind, Pause and Play, until the screen visual started tearing... but let's hit rewind just,

One

More

Time.

The influx of Regulatory requirements in the early 2000s forced businesses to protect Personally Identifiable Information (PII), Health, Banking, etc. SOX, HIPAA and GLBA are still ingrained in my vocab, given most of the technologies deployed in Australia were from the US. So it only made sense that the capabilities of available cyber tools mapped to US-based Compliance requirements.


Fast forward to 2023, I can't help but feel that movie is getting a remake in Operational Technology Domains. Maybe not so bad as the remake of Point Break (Yes, the original is a Classic and I am happy to debate the forgone days of real popcorn movies!) but arguably better than the remake of Dune.


2013 US CIP > 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)

2018 Security of Critical Infrastructure Act > SLACIP 2022 Australia and Critical Infrastructure Risk Management Program (CIRMP)

and

UK/EU NIS2

CISA, DHA, GCHQ, ACSC and many more from the acronym soup.


Clearly, Government has increased and tightened, and will likely continue to increase and tighten, Regulatory Obligations for Operational Technology Domains, until there is a high degree of confidence that Industry is better prepared to DEFEND essential service operations, from an acceptable minimal (defence) baseline.


But what happens if the Attackers, incidentally, are also increasing their TTPs (Tactics, Techniques and Procedures)?

Where do you draw your Thin Red Line as it rises up and down the Tides of Risk?


Is it really technically and commercially viable to defend against ALL the Bad Actors hiding in every dark corner of the shadows?

Or

Is a stronger Defensible position better served from an inside-out viewpoint, that is, Know Thyself?


Unless you have unlimited time, budget and resources, "Amat Victoria Curam".

Sadly, the Know Thyself portion still needs a lot of work.

So let's get busy!

