Taking a threat-centric view
Too many organizations today take a control-first approach when designing their security architecture, when in fact taking a threat-centric approach will yield better results. Of course, budgets and resources can only be stretched so far, and businesses can’t possibly know what cyberthreat trends are around the corner, but what they can do is tailor their risk management approach in line with what they think an attacker is likely to target and choose appropriate risk mitigations.
It’s best not to depend on a single control or platform that seems to tick every box, but instead to take an iterative approach to control development that reflects an organization’s gathered intelligence as well as its own pace of growth. This is another example of how security and business objectives can link and evolve together, which is core to the design and implementation of modern security architectures. Whether organizations are looking to protect a small online environment or safeguard a widespread corporate network, the same principles of learning and scaling apply.
Let’s say we’re trying to secure a house. Traditionally, you might have been content with putting a padlock on the door. If you were particularly concerned about the front door as a point of entry, you might put two, three, four or even five padlocks of the same brand on the door to make sure it was completely secure. But once a threat actor has learned to pick that lock, adding more padlocks isn’t going to help. Sure, it might slow them down, but there’s nothing materially different about the security, whether you have one padlock or ten. Defense in depth, by contrast, means thinking more carefully about using different locks. We might have a padlock on the outside, and then one from a completely different manufacturer on the inside that’s more difficult to pick. If typical locks become easy for attackers to circumvent, we might add something more advanced like a fingerprint scanner or facial recognition software.
In other words, security controls need to evolve as a business expands, learns and fends off more attacks. Over time, the business will gather intelligence on what works, what doesn’t, where attackers are likely to strike and what methods they’re likely to use, and it can then adjust its security architecture accordingly.