It is time to refine our Security Strategy.
Bruce Schneier's quote matters because it tells us WHAT is not a good idea in IT Security, in spite of common thinking: technology comes AFTER, not BEFORE.
But after WHAT? And, above all, HOW?
Sun Tzu's quote tells us HOW.
Today, "knowing ourselves and our enemies" is called Risk Assessment (RA), the heart of the Risk Management process. The ultimate goal of RA is to understand the Vulnerabilities and then calculate the Risk (the block diagram at the top right of the previous figure).
We are immersed in technology, which in practice means that a bewildering number of "potential" Vulnerabilities surrounds our Assets.
As I explain in my article, both the literature and the tools that deal with Risk Assessment are not up to the current situation. Furthermore, when an asset lives entirely in the digital world, large organizations face a very high number of vulnerabilities to which they are inevitably exposed. Last, but not least, there is a general lack of awareness of how deep and complex the world of Risk Assessment is.
The most damning proof that the situation described above is real, and not a slogan, is the frightening figure of economic losses projected for 2021 from cybercrime, something around 6 trillion dollars. A value this high is evidence that something in our approach to IT Security is deeply wrong.
There is no doubt that some cyber-attacks are very difficult to stop, given the degree of sophistication reached by some groups of cybercriminals. However, these are a very small percentage.
The bulk of the losses comes from poor knowledge of the tree of Threat-Vulnerability-Asset (T-V-A) triads that we have to defend.
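To make the "T-V-A triads tree" concrete, here is an added example (not code from the article or its author) that models assets, the threats against them, and the vulnerabilities each threat can exploit, then flattens the tree into a ranked risk register. The scoring model is an assumption, not the article's: likelihood and impact on 1-5 ordinal scales, an in-place control scaling likelihood down by its effectiveness, and risk = residual likelihood × impact. The sample tree is constructed for illustration; it shows that the same vulnerability ("unpatched web app") ranks very differently depending on the asset behind it, which is exactly the knowledge a purely technology-first approach never acquires.

```python
from dataclasses import dataclass, field

# Assumed scoring model (not from the article): each Threat-Vulnerability-Asset
# triad gets likelihood and impact on a 1-5 ordinal scale; risk = likelihood * impact.
# A control already in place reduces likelihood by its 'effectiveness' fraction.


@dataclass
class Vulnerability:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain) that the threat exploits it
    control_effectiveness: float = 0.0  # 0.0 (no control) .. 1.0 (fully mitigated)


@dataclass
class Threat:
    name: str
    vulnerabilities: list = field(default_factory=list)


@dataclass
class Asset:
    name: str
    impact: int  # 1 (negligible) .. 5 (catastrophic) business impact if compromised
    threats: list = field(default_factory=list)


def triad_risk(asset, threat, vuln):
    """Risk score of one T-V-A triad under the assumed model."""
    residual_likelihood = vuln.likelihood * (1.0 - vuln.control_effectiveness)
    return round(residual_likelihood * asset.impact, 2)


def risk_register(assets):
    """Flatten the T-V-A tree into (asset, threat, vulnerability, risk) rows,
    highest risk first, so the defender knows where to spend first."""
    rows = []
    for asset in assets:
        for threat in asset.threats:
            for vuln in threat.vulnerabilities:
                rows.append((asset.name, threat.name, vuln.name,
                             triad_risk(asset, threat, vuln)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def tree_size(assets):
    """Number of T-V-A triads (leaves) in the tree."""
    return sum(len(t.vulnerabilities) for a in assets for t in a.threats)


# Constructed sample tree (illustrative, not real data).
SAMPLE_TREE = [
    Asset("customer database", impact=5, threats=[
        Threat("external attacker", [
            Vulnerability("unpatched web app", likelihood=4),
            Vulnerability("weak admin password", likelihood=3,
                          control_effectiveness=0.75),  # MFA enforced
        ]),
        Threat("malicious insider", [
            Vulnerability("excessive DB privileges", likelihood=2),
        ]),
    ]),
    Asset("public website", impact=2, threats=[
        Threat("external attacker", [
            Vulnerability("unpatched web app", likelihood=4),
        ]),
    ]),
]

if __name__ == "__main__":
    for asset, threat, vuln, risk in risk_register(SAMPLE_TREE):
        print(f"{risk:5.2f}  {asset} / {threat} / {vuln}")
```

Run as a script it prints the register from highest to lowest risk; in a real assessment the tree is the inventory the RA produces, and the scoring model is whatever your organization has agreed on, with this structure staying the same.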
Today, companies believe that by deploying technology they can resist attacks by cybercriminals, but Bruce Schneier's phrase leaves little room for hope on that front.
The solution exists, and it is still the one proposed by Sun Tzu more than 2500 years ago.
It is no coincidence that the Security Strategy begins with the Risk Assessment. The Security Strategy must then grow within an IT Security Architecture built to be capillary, scalable, and extremely powerful (such as Architecture Level 3).
It is time for companies to equip themselves with a Digital Skin.