Cyber Security Philosophy

Security

15.02.2021
David Mantock, Chief Information Security Officer

Today the demands placed upon business are unprecedented. There has never been a moment like the one we are experiencing now. Digitalization, coupled with the speed and flexibility that a customer-centric approach demands, requires an ever-greater reliance on our IT systems. The constant threat of diverse cyber-attacks has also increased at an alarming rate; you can almost hear “the bad actors” saying “this is not a threat, it is a promise!” And finally, we have a global pandemic that has further shifted the way we are working and thus introduced new risks. However, all is not lost, as this is not the first time we have had to navigate stormy seas, and if we want to stick with the seafaring analogy, we do need a reference point that steers us clear of the rocks and into a safe harbor. At SPIE Switzerland our point of reference is our “Cyber Security Philosophy”: the consolidation of tried and trusted technical and organizational measures that give repeatable and verifiable results, no matter how stormy the waters.

Philosophy: The critical study of the basic principles and concepts of a particular branch of knowledge, especially with a view to improving or reconstituting them.

– dictionary.com

The basis of our philosophy is firstly to realize that cyber security is a skill, as this quote so beautifully illustrates: “The security that can be installed is not the true security. True cyber security is a skill” – Jim Burrows. Based on our years of experience and our internalization of international standards and frameworks (IEC/ISO, NIST, ITIL, etc.), our skill is underpinned by the following guiding principles:

  • Do the basics well (Monitoring, Logging, Vulnerability Management)

  • Be transparent (Openness with internal and external customers)

  • The five pillars of security

        1. Know the system (people, processes, technology)
        2. Least privilege (people-2-machine, machine-2-machine)
        3. Defense in depth (employ multiple measures: FW, zoning, IPS, ACLs, MFA, etc.)
        4. Detection (log the sources that enable root cause analysis and rapid response)
        5. Data-driven risk assessment (enhance the “gut feeling” with real data)

Of course, we understand that guiding principles are only as good as your ability to execute them, but we know that with planning and determination we can reach our goals. Our targeted approach combined with our quest for continual self-improvement fuels our passion for this challenging but meaningful endeavor.

With our cyber security philosophy, we can simplify the approach to solving the most difficult cyber security challenges of our customers. If you would like to discover more about these and other services, please contact: info.ch@spie.com or learn more about the topic on our security website.