The principle of security by design suggests that security needs to be aligned with business objectives. But what, exactly, does that mean and where should security professionals start? Below are some factors to consider when aligning security with business objectives.
Best Practices for Aligning Security With Business Objectives
First and foremost, given the increasingly complex regulatory landscape, organizations must ensure that their environments are in line with global privacy laws and standards. Many of these regulations impose heavy fines for violations that could impact the organization’s bottom line. To maintain compliance, security professionals must have a clear understanding of configuration items and their attributes, as well as visibility into the applications, infrastructure, data, transactions, networks, servers, clients, identities and access.
The next critical step is to perform a risk assessment based on the value of the service and assets at hand. Imagine a camera installed in a remote hotel corridor, for instance. The value of the service and the hardware itself is likely minimal, but breaching the camera could be the first step toward a widespread distributed denial-of-service (DDoS) attack. To avoid such scenarios, organizations must recognize the intrinsic value of security.
In addition to an asset’s attributes, it is important to know where assets and data are stored. Cloud storage, for example, carries its own set of risks and security implications. The cloud was a delivery model before it became a business model, and the workloads of existing services are often already hosted there. Since security starts with full visibility, it is critical to identify which services and assets are stored in the cloud.
When implementing security controls, organizations should invest in solutions based on the assumption that they will be attacked. Local security reports and public Computer Security Incident Response Team (CSIRT) data can help incident response teams prepare to deal with a data breach.
Tailoring the Security Operations Center to Business Needs
Finally, organizations should establish security operations centers (SOCs) to facilitate much of the work described above. A company without a SOC is more vulnerable to ransomware, even if it has implemented security controls. An SOC offers visibility into the enterprise and improves the speed and accuracy of incident response.
It is also important to consider which type of SOC aligns most closely with business objectives. If the SOC focuses solely on security information and event management (SIEM), for example, the intelligence it generates is less valuable than if it were integrated with a vulnerability management solution. The SOC can also be equipped with cognitive technologies to share data from a security incident, forensic capabilities to investigate an attack after it strikes and risk management tools to track the evolution of threats.
Securing Your Bottom Line
When aligning security with business objectives, critical assets and services must be secure by design. That means developing products and applications from the ground up and considering security at every step.
Due to the rapidly expanding regulatory landscape and the value of sensitive information to customers and cybercriminals alike, security is essential to any organization’s bottom line. While a data breach is virtually inevitable, ensuring security in every aspect of the business can help organizations respond more effectively. Most importantly, it provides the visibility analysts need to learn from security incidents and bolster the organization’s infrastructure accordingly.
Download the Ponemon Institute 2017 Cost of Data Breach Study