Master the defense in depth

The failure of Operation Zitadelle, which took place during the Second World War, taught the Germans a hard lesson about the Soviet understanding of defense in depth. The German armored spearheads never managed to break through into the strategic depths, but got bogged down in the layered Soviet defense system, which eventually led to the German offensive being called off and to a Soviet victory.

The events that took place more than 70 years ago can still serve as a reminder of the importance of layered defenses, or defense in depth. As we wrote in our previous cyber-related blog post, technology plays a major role in preparing your organization’s cyber defenses. Layered technical defenses begin with the sensor systems placed outside the digital walls of your organization and continue in layers all the way to the devices and applications that your people use daily to reach their work-related goals.

Previously we underlined the importance of focusing on protecting your information assets from attacks. This does not negate the importance of the secure technology layer, but instead ensures that the need to secure the information assets drives the cybersecurity improvement initiatives. This time we want to underline the importance of defense in depth by taking into account the organization’s total commitment to cybersecurity throughout the organizational layers. We also highlight the importance of understanding the time-bound nature of cybersecurity improvement actions.

It is our view that for cybersecurity improvement initiatives to have any real significance, the commitment to the initiatives needs to penetrate all the layers of the organization, from the C-suite all the way to the shop floor. An organization’s leaders are in a position to acknowledge improved cybersecurity as one of the strategic goals of the organization. In addition to the strategic commitment, they can also commit resources and become powerful sponsors for the programs. While strategic goals guide the actions and resources fuel them, it is the people who carry out the actions, and they can only do so if they are empowered with awareness and the process flows support this increased awareness.

Together with the organizational depth, it is in our opinion important to understand how the various improvement actions are positioned in the time dimension. In the short term, it is a high priority to ensure that technical layers of defense are in place, defending not only your vulnerable systems but also your unprepared people. In the longer term, it is important to ensure that instead of fixing the symptoms, your focus turns towards fixing the real issues behind the symptoms.

Regarding fixing the issues hiding behind the symptoms, we already mentioned increasing awareness among the people and ensuring that the processes have security integrated into them not as an add-on, but as an inseparable, integral part. In the longer term it is also important to ensure that whenever there is a change in your organization’s technical architecture, it is examined and evaluated through a cybersecurity lens in addition to the people and process lenses. For example, it should be normal practice to require service or system providers to take security aspects into account, such as automated software testing against known sources of vulnerabilities, as part of their delivery. This would ensure that anything new that gets added or implemented is more secure than the previous generations of technology.

Defense in depth is digging the anti-tank ditches and raising the layers of defensive technologies, but it is also having a solid strategy, committed leadership, dedicated resources, prepared people, and a long-term plan in place to tackle the problem both now and in the future.