Blog post -

Spotlight on cyber security as a science

Ollie Whitehouse, global CTO at NCC Group

When you consider the history of cyber security – which stretches back to around 60 years – it’s perhaps not surprising that it’s not yet widely seen as a science. While it is ubiquitous in our everyday lives, today’s cyber security practices remain at the same stage of maturity as medical practices were in the early Middle Ages.

In 2019, we explored an evidence-based approach to cyber resilience and how a such approaches are emerging. Two years later, we’re seeing further traction in the cyber security community – here, as part of our Spotlight on... series, we share some thoughts on what’s needed to establish cyber security as a science.

Putting research into practice

As the capabilities and understanding of the global cyber security community expand – in line with the sophistication of techniques employed by threat actors – we will see a more evidence-based approach to cyber resilience. This more rigorous approach will be driven by various factors spanning governments, academia, insurers and the end-user buying community looking to understand return-on-investment.

In practice, this will mean a move away from solely vendor attestation as to solution efficacy. Instead, we will transition to a world where evidence is provided of efficacy in real-world operating conditions, against realistic threat scenarios and the associated costs, caveats and similar considerations.

For example, in the wake of the WannaCry and NotPetya attacks, many of our clients were concerned about the impact of such large-scale attacks. One CEO asked us what would happen if their company was hit by NotPetya – so our team sought to find out.

By launching a re-engineered and augmented NotPetya into their environment over the course of eight months and measuring the organisation’s resilience and response capabilities, we were able to quantify the potential impact and show in the real-world what worked and what did not. Being able to accurately measure the effectiveness of different strategies is crucial to the future evidence-based world.


What does the future hold?

With increasingly sophisticated environments, continuous integration pipelines and design experiments, the cyber security industry’s ability to deliver evidence-based advice will only grow. Measurement is key, and with these tools and models of working in place, organisations will be able to understand which solutions are working well and make any improvements on a continuous basis.

When armed with this knowledge, businesses can not only increase their own resilience, but make better strategic decisions. A threat intelligence-informed approach – particularly when it’s tailored to an individual organisation – ultimately empowers business leaders to understand their unique threat profile and make better decisions to remain secure amidst a changing threat landscape.

Topics

  • Consulting

Categories

  • insights & viewpoints
  • securing our connected future

Contacts

Related content

  • Insight: Florida city’s water supply attack

    Last week officials in a Florida City said that hackers had accessed its water supply and upped sodium hydroxide levels to extremely dangerous levels. NCC Group’s Damon Small and Jim McKenney take us through what happened and share recommendations on what organisations can do to help prevent such attacks.

  • Integrated Review: the UK’s future as a cyber power

    The UK government has released its Integrated Review of Security, Defence, Development and Foreign Policy, which sets out a framework for policy in the coming years that will help shape the nation’s position on the global stage. Our global CTO, Ollie Whitehouse reacts to this news.

  • Ransoms and beyond

    As attackers take advantage of the recent rapid digital transformation and move to remote working, Managing Security Consultant, Kenneth Yu, takes a look at some of the most commonly exploited services for ransomware attacks.

  • So you want to work in cyber security?

    There are many different types of jobs in cyber security. In this blog, Sourya Biswas, Technical Director here at NCC Group, gives some pointers for the different areas people may want to consider when thinking of a career in cyber security.