April 13, 2010, 5:01 PM — The focus on security has shifted from network security to enterprise information protection, where the main point is simple: data is the focus for both the offense and the defense, and the cost of defense grows more quickly than the cost of offense.
This imbalance is not going away, and as a planning input it dominates regardless of which side you are on. Because the cyber world is a world of interconnections, a defensive failure outside of your view or scope may propagate to you. The most skilled opponents rely on such propagation; they are persistent, their technology is advanced, and the result is threatening.
That adds up to an advanced persistent threat (APT). While appropriate, the APT term -- which has its root in the military sector -- is messy because in the fall and winter of 2009 APT in one form or another began to show up in various marketing efforts, which watered it down. Let us define the term for the purpose of this article as follows: A targeted effort to obtain or change information by means that are difficult to discover, difficult to remove, and difficult to attribute.
Note that we use the word "and" in that definition. If the so-called APT is to be sufficiently different to be a separate species of cybercrime, it has to have the collection of all three difficulties. APT is to typical cybercrime as an elephant gun is to an ordinary rifle -- a matter of degree, but an important matter of degree. Not everyone who is a possible target is worth the expenditure of work by the attacker or the implicit exposure of closely held attack tools.
An aspect of sane risk management is to not invest more in protection than an asset is worth. This goes for car insurance, door locks and access control. It goes for many things, and its counterpoint for the offensive side is to not bother using arbitrarily powerful tools when the data can be gotten with simple throwaway tools.
In that sense, offense and defense calibrate each other, and if an APT is in play inside some enterprise, it is because the value of the data there warrants the risk and investment by the offense. The defense has to calibrate its defensive effort by the data's value as well, but the strategic asymmetry enjoyed by the offense means that as data value rises, a greater share of the total effort has to be expended by the defensive side.
It is natural for CIOs and other leaders to know something about this threat, yet to have every incentive to provide the least expensive fix to the most present danger -- least expensive measured not only in coin, but also in process.
Given that the offense has the advantage of no legacy drag, the offense's ability to insert innovation into its product mix is unconstrained. By contrast, the CIO who does the least that can be gotten away with only increases the frequency of having to do something, not the net total work deficit pending.