With the constantly transforming cyber landscape, intruders are always finding new ways to exploit weaknesses in organizations’ systems and applications. As a result, cyber-related incidents have become one of the top risks to businesses as they attempt to understand their cyber resilience and exposure to threats.
The role of security assurance, therefore, becomes crucial in helping organizations undertake effective cyber risk management, adhere to regulatory and legal compliance requirements, and protect against costly security breaches. Many organizations are already recognizing this shift: According to research conducted by MarketsandMarkets, the global security assurance market is expected to grow to $5.48 billion by 2023.
The security assurance function aims to provide organizations with confidence and trust in the effectiveness of their security controls through various means, such as evidence-based risk assessments, control gap analyses and security tests to help identify the risks posed to the organization. However, the ever-increasing number of security breaches and some organizations’ inability to show adherence to basic security hygiene reflect an inadequacy in our current security assurance models.
Challenges With Contemporary Security Assurance Models
Our current approaches are reactive — evidence suggests that organizations respond to most security threats after they have happened. A proactive security assurance model is a key enabler for delivering an effective operating model that encompasses the protection of people, processes and technology. One of the main obstacles to achieving robust digital security is inflexible organizational processes that hinder a proactive defense strategy.
Our models also have a short shelf life, as the threat landscape is always evolving. Internal and external audits evaluate the effectiveness of controls against threats based on risk trends and themes at the time of the exercise. Assurance models become obsolete if they are not continually monitored, assessed and updated.
Lastly, current models are static. With the explosion of cloud adoption and tactile internet on the horizon, more businesses are seeking opportunities through enabling digital technology. Agile methodologies are speeding up the delivery of digital transformation. Contemporary assurance models are failing to adapt to this iterative-incremental development and deployment paradigm.
Factors of a Successful Security Assurance Function
Think collaboration. For a security assurance function to be successful, organizations need to break down silos and enable more collaboration between key stakeholders.
First, identify, classify and prioritize business-critical assets that could have severe impacts on business strategy if exploited or accessed. Next, you’ll want to centralize controls. Organizations should manage strategic enterprise security controls centrally to have better visibility into the operational effectiveness of those controls.
Finally, maintain up-to-date security policies, standards and compliance requirements. Understand how policies, processes, standards and compliance affect the desired state of controls. These must be driven by business objectives and your organization’s specific risk appetite.
Building a Proactive and Dynamic Security Assurance Model
To adapt to modern-day challenges, it’s important that organizations reinvent and tune their security assurance operating models for speed and agility. An effective assurance model needs to find the right balance between a proactive and reactive approach in order to build a more secure organization and retain stakeholder trust. Begin with the following steps:
- Tie your security assurance strategy to business objectives to improve the organization’s security posture.
- Align your security assurance operating model with risk management and governance efforts to attain operational efficiency.
- Define your organization’s maturity road map for controls based on your risk appetite.
- Perform evidence-based assessments to generate trust. Evidence collection should focus on key control objectives.
- Integrate assurance into development iterations to assist with agile delivery. Align assurance processes to promote DevSecOps culture and address any security concerns at the development stage.
- Ensure security is embedded from inception. Secure-by-design principles should be built into the product delivery process. For agile development, this means ensuring security initiatives are included in sprint goals.
Companies should also conduct smarter and more balanced assurance activities to aid frequent assessments. Security assurance should be conducted in a pragmatic and proportionate way to prevent cyberattacks and breaches. This includes the following:
- Rationalize multiple cybersecurity frameworks into control objectives and prioritize objectives based on the threats to the organization to provide a more focused assessment.
- Develop a security controls catalog/checklist based on security profiles or assets. Implement a response assessment approach based on the risk appetite of your organization.
- Use automation tools to support security assessments where possible, such as third-party cybersecurity risk and privacy impact assessments.
- Leverage automated testing (for both in-house source code and third-party code assessments) as part of continuous integration/continuous delivery (CI/CD) pipelines to support agile development.
- Automate evidence collection by performing scenario-based security testing that is based on the MITRE ATT&CK framework. Testing should be done on key security controls to continually assess control effectiveness and provide an extra level of confidence. Ask yourself: “Does the point-in-time, evidence-based assessment withstand the real test?”
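As an added example (not from the original post), the following Python sketches the bookkeeping behind the two lists above: a rationalized controls catalog mapped to ATT&CK technique IDs, scenario test results kept as evidence, and a staleness window so that point-in-time evidence expires instead of being trusted indefinitely. The control IDs, objectives, scenarios, dates and scoring weights are constructed for illustration; only the technique IDs (T1078, T1110, T1566) are real ATT&CK identifiers.

```python
from datetime import date, timedelta

# Constructed catalog: control objectives mapped to the ATT&CK techniques they
# are meant to counter, with a criticality from asset prioritization (1-3).
CONTROLS = {
    "IAM-01": {"objective": "MFA enforced for remote access", "techniques": ["T1078", "T1110"], "criticality": 3},
    "EML-02": {"objective": "Inbound attachment sandboxing", "techniques": ["T1566"], "criticality": 2},
    "LOG-03": {"objective": "12-month central log retention", "techniques": [], "criticality": 1},
}

# Constructed evidence from scenario-based control tests; newest record per control wins.
EVIDENCE = [
    {"control": "IAM-01", "scenario": "password spray vs. VPN portal", "passed": False, "tested": date(2024, 2, 1)},
    {"control": "IAM-01", "scenario": "password spray vs. VPN portal", "passed": True, "tested": date(2024, 5, 1)},
    {"control": "EML-02", "scenario": "macro attachment delivery", "passed": False, "tested": date(2024, 6, 10)},
]

# Remediation weight per status (assumed scale): a failed control outranks a missing test.
STATUS_WEIGHT = {"failed": 3, "untested": 2, "stale": 2, "effective": 0}

def control_status(records, today, max_age):
    """Classify one control from its newest evidence record."""
    if not records:
        return "untested"
    latest = max(records, key=lambda r: r["tested"])
    if not latest["passed"]:
        return "failed"
    if today - latest["tested"] > max_age:
        return "stale"          # evidence exists but has passed its shelf life
    return "effective"

def assess(controls, evidence, today, max_age=timedelta(days=90)):
    """Return findings sorted by priority = criticality x status weight, then by ID."""
    findings = []
    for cid, ctl in controls.items():
        records = [r for r in evidence if r["control"] == cid]
        status = control_status(records, today, max_age)
        findings.append({"control": cid, "status": status, "priority": ctl["criticality"] * STATUS_WEIGHT[status]})
    return sorted(findings, key=lambda f: (-f["priority"], f["control"]))

def covered_techniques(controls, findings):
    """Techniques backed by at least one control with fresh, passing evidence."""
    effective = {f["control"] for f in findings if f["status"] == "effective"}
    return {t for cid in effective for t in controls[cid]["techniques"]}

def run_assessment(today_iso):
    """Assess the sample catalog as of the given ISO date; returns (findings, covered)."""
    findings = assess(CONTROLS, EVIDENCE, date.fromisoformat(today_iso))
    return findings, covered_techniques(CONTROLS, findings)

if __name__ == "__main__":
    findings, covered = run_assessment("2024-07-01")
    for f in findings:
        print(f"{f['control']}: {f['status']} (priority {f['priority']})")
    print("covered techniques:", sorted(covered))
```

Re-running the assessment on a later date shows the same passing evidence flip to "stale", which is the shelf-life problem the article describes.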
In summary, a winning digital security assurance model must help accelerate continual, evidence-based security assessments, manage cybersecurity risk effectively, prove compliance with ever-changing regulatory requirements and empower the organization to gain confidence in their security posture.
Security Consultant, IBM Security