If you're responsible for protecting your company’s Intellectual Property or Trade Secrets from Cyberattacks, you can improve your Information Security Program by understanding some of the key Strategic givens I've found at my Fortune 500 clients regarding Nation-State Adversaries.
I assist companies and organizations that are dealing with known compromises or companies that suspect they have been compromised. These compromises are increasingly driven by Nation-State Adversaries and often include companies that have physically deployed their high value company assets directly into “hostile” regions by either moving or outsourcing their manufacturing, research, or other core business functions.
Here are some of the Strategic givens I’ve identified:
1) Operating facilities abroad in "hostile" regions where intellectual property rights are weak or nonexistent should be viewed by the CISO as the World Cup or Finals. Organizations should not be learning or building new security capabilities such as high value information asset identification, incident management, DLP or network monitoring for the first time simply because the company has decided to deploy company assets and capabilities abroad. It is tough work protecting Intellectual Property and Trade Secrets. Your playbook and team should have already been practicing and running plays before the Finals. Where are you currently on implementing a comprehensive Information Security Management System?
2) Most Boards of Directors consider taking risks with intellectual property or trade secrets acceptable, especially in light of driving increased revenue in emerging markets. Business Leaders, like it or not, simply do not weigh the breach or loss of intellectual property as heavily as you might think. It is a risk/reward calculation for the Board, as it should be.
3) More than ever, Information Security practitioners should follow the mantra that many of us have espoused for years, that Information Security is not just about Technology. Security Strategies across People, Process, and Technology are required in breadth and depth to protect your company’s high value information assets from worthy Nation-State Adversaries.
4) Oversight of 3rd Parties, especially if they are based locally in a “hostile” region, will likely be a company's weakest link in Information Security. If a company has not over-engineered its oversight expectations/rights, contractual expectations for information controls, and external monitoring capabilities, it is likely already significantly compromised. CISOs: Were you or your organization involved in the building or inspection of any plant site facilities that your company uses in "hostile" regions? Think about when and how the very basic elements of your company's plant site were built, such as:
- Racks & Physical Structure
- Security & Fire Protection
- Management Systems
If you weren't involved in the building or inspection prior to use of these, you should reasonably expect that your company's operation has been compromised or can be easily compromised.
As an Information Security practitioner, you have a great opportunity to implement measures to minimize your information risks if you are able to proactively incorporate control expectations into your service provider contracts. If your service provider contracts are already in place, seek to renegotiate them now or upon renewal.
5) As Information Security leaders, we should acknowledge and operate in large part like our Board of Directors. We should accept that taking real risks with Intellectual Property and Trade Secrets is readily acceptable and is merely a cost of doing business. It is unlikely that your senior business leadership will formally acknowledge this, simply due to potential personal liability, so don’t look for a declaration. Look at decision making and trade-offs as indicators of the organization's willingness to assume risks with its information assets.
6) Organizations should learn to live in a constant state of compromise:
- Determined Nation-State adversaries can always find exploits
- Organizations should operate like they have already been breached
- Identifying your high value information assets, where they reside, how they are used, and what controls are necessary is essential.
7) Industries driven by producing and leveraging Innovative and Patent Protected Intellectual Property or Trade Secrets, such as Pharmaceutical, Chemistry, Life Science, SCADA, high-tech manufacturing, or industrial manufacturing, are already in the Finals. Nation-State Adversaries no longer need, or in fact particularly care, whether a company has physically entered their marketplace or country. They are equally adept at conducting highly sophisticated network-based operations and human intelligence (HUMINT) operations through human agents that have likely been hired by your company over the past two decades. HUMINT capabilities are one of the many reasons why our strategies as Information Security practitioners need to include People, Process, and Technology efforts. Some of the better-known IP thefts have involved employees simply walking out the door with IP on paper or simple storage devices. I have on more than one occasion had to retrieve files and external storage devices of "high value" exiting employees...
I hope you find these observations beneficial. Seeing and learning these consistently over time at my clients has helped me better understand how to improve the design and deployment of effective Information Security Programs.
I'll provide additional details in the future, by exploring elements of these strategic givens. In the meantime, I welcome your comments.