
by Steven Sim

The Assumed Breach conundrum

Opinion
23 Apr 2024, 4 mins
Security, Zero Trust

Assumed Breach is the third but often overlooked principle of zero trust. When we talk about adopting a “not if, but when” attitude to security, are we merely paying lip service or do we really believe and internalise it?


Breaches are inevitable because attack and defence are asymmetric: the defender must check everything, everywhere, all the time, while the attacker needs only one gap, guerrilla-style. Companies of every size have been breached. For years, security leaders have spoken about the myth of an infallible Protection doctrine and the case for improving detection, response, and recovery. We have broached the need for threat intelligence, advanced threat hunting, rehearsing response through table-top exercises, and tightly integrated SIEMs (security information and event management) and SOARs (security orchestration, automation, and response) to contain breaches quickly.

However, the Assumed Breach mindset goes beyond eroded digital perimeters – it delves deep into the supply chain of software, hardware, and services. As the attack surface grows exponentially with greater digitalisation and cloud adoption, third-party risk becomes a mounting concern – and this is where the line gets blurry.

Outsourcing means taking some responsibility off your shoulders and accepting the ensuing risks. Or does it? While security leaders often speak of governance as “doing the right things right”, how can we ensure that things are actually done correctly on the ground?

The unfortunate truth of humans as the weakest link haunts every organisation because outsourced services are managed by people who may not feel as strongly as you do about your cybersecurity. In short, what’s lacking is skin in the game.

You may reach a stage where a decision has to be made: either in-source, or apply more controls and oversight. But this runs counter to the fundamental value proposition of outsourcing, and it is a tough decision to make. It also raises a fundamental question: why outsource and adopt a cloud-first strategy in the first place? Were the inherent risks apparent, and were the residual risks truly accepted?

Many prefer to have their cake and eat it. Some prefer answers to be in zeros and ones. But a mature culture is necessary when internalising an Assumed Breach mindset.

No matter how much oversight you apply, outsourcing always carries additional residual risk. If a vendor’s commitment is purely transactional, they have no skin in the game and no sense of urgency; they may do the bare minimum, because their obligation lies with the service contract and not with your company.

Where does this leave cybersecurity professionals? Third-party posture tools and additional oversight are necessary, but there is only so much they can do. Unless you are prepared to spend far more cost and effort by in-sourcing, you will need a strong RACI (responsible, accountable, consulted, informed) framework and a robust risk management doctrine that everyone believes in, so that a higher level of residual risk can be managed and knowingly accepted.

Success in risk optimisation and cybersecurity controls hinges first and foremost on a strong RACI framework that extends to risk acceptance, incident management, and recovery. Risk assessment has to take into account that a breach at the vendor is inevitable, and the risk owner must be well informed of that inevitability.

With this inevitability understood, always play out the assumption that your vendor is already breached and focus on your ability to manage the resulting risk. It is also important to ring-fence vendors so that a compromise on their side cannot become lateral movement into your organisation and towards your crown jewels.

Ultimately, the measure of cybersecurity success in this era is not the ability to prevent a breach but the ability to disrupt one, fending off significant impact to the organisation. That hinges on a mature mindset that accepts the inevitability of breaches above and beyond due care, ensures clear roles and responsibilities, maintains a robust risk management and acceptance regime, and focuses on the ability to disrupt such breaches successfully.

Steven Sim
Contributor

Steven Sim has more than 25 years’ experience in cybersecurity with large end-user enterprises and critical infrastructure. He has undertaken a global CISO role and driven award-winning security governance and management initiatives. He leads cybersecurity across a multinational firm with operations in 42 countries, overseeing Governance, Technology Management and Incident Response as well as the Cyber Security Masterplan Office. He also leads the Group Cybersecurity Centre of Expertise, Technology Scanning and the Cybersecurity Practice Forum to franchise best practices to business units, and has driven cyber initiatives, developed standards, managed threats, identified 0day vulnerabilities and promoted awareness. Always keen to give back to the community, he helmed the ISACA Singapore Chapter (which won the ISACA Global Outstanding Chapter Achievement in 2022) as President (from 2021 to 2022) and has chaired the Executive Committee of OT-ISAC since 2021. He holds a Masters in Computing, CCISO, CGEIT, CRISC, CISM, CISA, CDPSE and CISSP, as well as the technical certifications GICSP, GREM, GCIH and GPPA. He is an APMG-accredited trainer for ISACA's core certifications and a member of the Geneva Dialogue for Responsible Behaviours in Cyberspace Technical Community, the Working Group on Technical Reference for Securing the Cyber-Physical Systems for Buildings, SANS CISO Network, SANS Offensive Operations Community, Frost & Sullivan Growth Innovation Leadership Council, Microsoft APAC CISO Council, Cybereason Cyber Defense Council, Fortinet Executive Cyber Exchange (ECE), etc. He is also part of ISACA’s Information Security Advisory Group and the Emerging Trends Working Group.
He regularly shares his thoughts on cyber risk and security, lectures on an adjunct basis at the National University of Singapore Institute of Systems Science (on Enterprise Security Architecture), Nanyang Technological University (on Cybersecurity) and other institutes of higher learning, speaks on panels and keynote sessions at both international and local conferences, and has published several articles. He has been a topic leader for various forums, including ISACA’s Emerging Technology and Governance. He was also part of the industry consultation for MCI’s Digital Economy Blueprint and CSA’s Singapore OT Cybersecurity Masterplan 2nd Edition, and was involved in the reviews of various ISACA CISA, CRISC and CGEIT manuals. His key areas of expertise and experience are Cybersecurity Governance, Risk Optimisation, Compliance, Security Engineering, Security Assessment, Incident Management, Training and Awareness. He has planned and overseen the deployment of cybersecurity solutions enabling business for large IT enterprises and critical OT infrastructure, with a focus on Internet of LogisticsTM, CP 4.0TM, Supply Chain 4.0, Cyber-Physical or Phygital Systems as well as Emerging Technology. He has been recognised with a number of awards, including #1 CSO in IDG’s CSO30 ASEAN Awards (2021), CSO50 Program, ISACA Chapter Achievement, ISACA Outstanding Chapter Leader, Tech Talent Builder, Skillsfuture Fellow, Global Cyber Security Thought Leaders (IFSEC), Global Cybersecurity Leader, Top 10 Cyber Security Influencers, Top 10 CISOs of the year, Top 29 Highly Influential CISOs, Top 100 Global CISOs, and Professional (Leaders) Finalist in Singapore’s Cybersecurity Awards 2018. Reach out to him for: advisory board membership, adjunct lecturing, speaking opportunities, technical reviews, mentorship, thought leadership, authoring, and award judging.
