Blogs & Opinions 02.01.2025
Why Context Matters When Combating Cyber-Attacks
Full transparency isn’t always the best policy for threat defence
Many security teams hold onto the narrative that, when it comes to managing cyber-incidents, absolute transparency is critical to our collective defence. However, while taking an open approach is admirable, it is also at risk of being too simplistic.
It’s essential to recognise that not all information is equally relevant or useful in every scenario. The most important aspect of cybersecurity today should be context. Understanding the specifics — the “why”, the “how” and the “from where” — of cyber threats is critical in crafting effective responses.
Advocating full transparency in cybersecurity may be well-intentioned, but it brings several practical challenges that can hinder rather than help an organisation’s defensive efforts. One concern is the risk of information overload.
In an environment where every data point is disclosed, distinguishing critical insights from mundane details becomes a daunting task. This deluge can obscure the actionable intelligence necessary for a timely and effective response.
Additionally, the indiscriminate sharing of data can lead to mismanagement and potential vulnerabilities. Without the filter of context, sensitive information may inadvertently reach those who lack the ability to remediate, or even malicious entities, thereby exacerbating risk rather than alleviating it.
Moreover, full transparency does not consider the nuanced requirements of different organisations and industry sectors. What is vital for one may be irrelevant to another, and blanket policies can lead to inefficiencies. For instance, a small business may not have the resources to sift through vast amounts of threat data in the same way as a large enterprise or a government entity.
A lack of context can also create unnecessary confusion and panic. When stakeholders are bombarded with alerts without clear prioritisation, it can lead to “alert fatigue”. This scenario underscores the need for a strategic framework that prioritises context and collaborative filtering of information to enhance the utility and effectiveness of shared data.
Combating today’s sophisticated threats requires a nuanced approach that leverages the strengths of the private and public sectors according to three “Cs”: context, capabilities and collective action.
Context means understanding not just the data, but the narrative it tells us about attacker motivations, methods and targets. It involves distinguishing which pieces of information are relevant to crafting a strategic response and which may serve as mere distractions.
Full transparency without context is like providing a map without landmarks — it offers data, but little guidance on navigating threats.
Understanding the capabilities of an organisation is fundamental to effective cybersecurity. It’s not just about having tools; it’s about applying them wisely. For example, while the private sector may excel in rapidly aggregating data, government agencies often possess a deeper understanding of the geopolitical landscape that can influence cyber-threat origins and motivations. By assessing capabilities, we ensure that all players are using their strengths, and using them in the most impactful way.
Once the right context has been established and the capabilities have been assessed, organisations need to collectively synchronise efforts between various stakeholders to share insights, strategies and data points that enrich overall understanding of the cyber landscape. Here, the need for a symbiotic relationship between the private and public sectors becomes evident.
Private sector entities often possess advanced technological capabilities such as sophisticated intrusion detection systems, comprehensive threat intelligence platforms, and powerful data analytics tools. They gather vast amounts of data through their daily operations, which, when shared appropriately, can offer invaluable insights into emerging cyber-threats.
However, this data might not be fully utilised without the broader context provided by public sector intelligence. Public agencies bring a wider geopolitical and strategic understanding that can interpret private sector data within the context of national and international security threats.
For example, when a private sector firm identifies a new form of malware, government agencies can quickly communicate this information, advising other entities within the network on how to bolster their defences, thus preventing a broader security breach.
Moreover, the public sector can enable a unified response to cyber threats by setting standards and regulations that guide the collective actions of diverse organisations. This regulatory framework ensures that all parties adhere to best practices and share critical information responsibly, which is especially important in critical infrastructure sectors.
By fostering an environment where information sharing is guided by context and strategic insights, we ensure that our responses to cyber threats are both rapid and effective.
As the Vice President of Global Government Affairs and Public Policy at Rapid7, Sabeen is responsible for leading all global, federal, and state government relations activities and developing and executing Rapid7’s strategic global corporate, regulatory, and government relations strategies. Prior to joining Rapid7, Sabeen worked in the private and public sector, including as the Head of Government Affairs at Thumbtack, Google, and the United States Department of State, where she served as a senior tech policy advisor to the Under Secretary of State for Economic Growth, Energy, and the Environment.