All insights

Thinking About Security Before Recovery

Greg van der Gaast Greg van der Gaast
Independent Security Strategist

August 22, 2023

I’d like to take different look at storage and recovery: from a strategic security point of view.

The goal is not just to better explain the relevance of storage and recovery to current and aspiring Information Security leaders, but also to introduce some concepts around “Security as Quality,” what I call “Inherent Resilience,” and presenting a different approach to Risk Management to help practitioners move things forward. The reasons being that, in order to understand and appreciate the value of new approaches, it’s important to understand the bigger picture and how things fit together.

I hope these insights also help IT Operations teams and CIOs realise additional security potential from platforms and processes they may not have thought as relevant.

Inherent Resilience

So, what is “Inherent Resilience?” Well, it’s a term I’ve coined to define our ability to not get knocked down in the first place. In other words: not reaching the point of needing recovery.

I’ve phrased it this way because in the security field “resilience” has come to mean something closer to recovery while I think our long-term focus should be focused more on not getting breached in the first place.

And if you’re confused that a blog about storage and recovery is talking about avoiding the need to perform recovery in the first place, then hold on to your hat because we are going to discuss how to use your recovery capabilities to improve your chances of never needing to use your recovery capabilities.

But first a little background. I have 25 years of experience in information security. My first job was offered to me when I was 17 and some federal agents from the FBI and US Defence Department decided to make a house call. I won’t bore you with the details as to why, but it involved the NSA, CIA, DIA, and some nuclear weapons. I have seen hundreds of breaches and caused a few myself - once having been labelled as one of the 5 most notorious hackers in the world.

One of my biggest observations after switching sides, was why my job as the attacker was so easy, and why what most of the security industry was doing wasn’t making much harder. As a result, I’ve always had what people consider a “maverick” approach to security because I believe in doing what works, long-term, sustainably, rather than the status quo.

Over the last 15 years I’ve since built security programs for companies ranging from hot start-ups to Fortune 500’s, lectured at universities on security strategy and leadership, advised cyber-insurance companies on due diligence (hint: quality of business processes is a far better indicator of risk than the presence of security controls), and currently assist security vendors in helping their customers get more value from their offerings.

A quick note: I am not a storage and recovery expert, but I want to take you on a journey to look at our security challenges, how I’ve tackled them, and, finally, what role storage and recovery has played for me as part of that bigger picture.

I also want to add that Hitachi Vantara, has given me no further instructions on what to write other than helping the community at large. These are my thoughts and experiences, and I thank them for allowing me to share them with you.

But before we get started on how to develop successful security strategies and approaches and where storage and recovery fit in, we must look at the overall trends in our industry to see how things are going. According to various researchers and industry watchers, like Imperva, data breaches, compromised records, and the average number of records per breach all continued to spike in recent years.

And this worrying trend is happening despite ever-increasing spending on security. According to The Hindu BusinessLine global cyber security spending is expected to reach $460 billion by 2025.

In most situations, certainly at this scale and over a period now spanning well more than a decade, investment in an overall approach is expected to have an impact in reversing or reducing what it is it’s trying to combat.

Instead, many practitioners, vendors, and experts use these figures to point out how prevalent and sophisticated attackers are, and that we must therefore double down further on our investment in “cyber.”

I have instead come to see it as a rather damning indictment of just how poor our current approach is. Dozens of times I have seen companies with millions spent on security, with NIST and ISO frameworks in place, and still be absolutely trounced by a bored teenager with a laptop.

If we had an effective and sustainable approach to reducing issues, we should be seeing trends like those in mature industries where they too are fighting to reduce the number of incidents. They identify root causes no matter where they are and address them, upstream, pre-emptively.

Take the aviation sector for example, which addresses issues as far upstream as possible regardless of how distant they seem from most people’s concept of “aviation” – everything from engineering, metallurgy, corporate culture, drug use, the tone of alarm sounds, control ergonomics, human factors, etc. – to drive a reduction in possible failure points. Javier Irastorza Mediavilla is an aviation industry watcher and several years ago he tracked and calculated the ratio of aviation fatalities per trillion RPK over a period of time. According to Javier, the ratio has decreased eighty-one-fold since 1970, from 3,218 to 40 in 2019.

That is what the results of an effective approach look like.

If we found that the bolts holding the wings onto a plane’s fuselage were coming loose during flights, we wouldn’t set up a function where we employ thousands of people to retorque bolts after every flight, forever. We’d make a change to the design or manufacturing process once, then remediate what was in the field. And yet, most security work has more in common with the former than the latter.

So, what should we be doing in Information Security? It seems clear to me that a change in approach is needed. But what? And more importantly, based on what principles?

Let’s begin with some opening questions:

Have you ever considered…

  • That security vulnerabilities are defects? Whether it be in code, architecture, design, maintenance, process, or even human behaviour?
  • That, to rectify this, Security might ultimately be more effective as a business quality function?
  • Why we tend to focus on threats and protecting vulnerable applications, systems and infrastructure, rather than on changing the business processes that lead to their vulnerability in the first place?
  • If we could drive improvements to security without having to continuously (and unsustainably) increase the scale of security operations?
  • How mature industries like automotive, manufacturing, or aviation stop issues from recurring or occurring at all? And how some of approaches could be relevant to Information Security?
  • Whether Risk Management could be simpler if we calculated backwards from business downtime, rather that the innumerable arbitrary compounding variables that might lead to that downtime?
  • How storage and recovery capabilities can allow us to shift more resource towards a strategic security approach, rather than mitigation and firefighting?
  • How recovery should be implemented to ensure reliable recovery if things do go wrong?

I’ll explore these questions and what they mean to improving the security posture of our organisations in my next blog.

And be sure to check out Hitachi Vantara’s Data Protection & Cyber Resiliency story.

Greg van der Gaast

Greg van der Gaast

Greg van der Gaast started his career as a teenage hacker and undercover FBI and DoD operative but has progressed to be one of the most strategic and business-oriented voices in the industry with thought-provoking ideas often at odds with the status quo.
He is a frequent public speaker on security strategy, the author of Rethinking Security and What We Call Security, a former CISO, and currently Managing Director of Sequoia Consulting which helps organizations fix business problems so that they have fewer security ones.