What Are the Silver Bullets for Strong Security?
These days, information security is a regular boardroom topic with heightened awareness among senior business leadership. The impact of recent breaches proves that information security is not just an IT issue, but a business issue. It is good that information security is getting its due, because that attention enables security leaders to build and sustain effective information security programs that support business innovation, reduce business risk and meet compliance requirements.
An efficient, sustainable information security program not only provides a robust security posture, but also helps provide regular state-of-security updates to the board and senior business leaders. The program should have realistic goals and focus on building foundational elements to continuously mature the information security capabilities based on defined key performance indicators (KPIs) and key risk indicators (KRIs).
Important elements to build a successful information security program include:
- Building user awareness and changing culture;
- Harnessing security intelligence;
- Managing vulnerabilities;
- Managing access and digital ID life cycle;
- Protecting your crown jewels;
- Securing disruptive technologies; and
- Securing third-party business relationships.
Building User Awareness and Changing Culture
Information security is a shared responsibility and not just the responsibility of the information security team. Educating all your users about the information security policies, best practices (e.g., strong, unique passwords; never sharing passwords) and key attack vectors (e.g., spear phishing, social engineering) will help strengthen your security posture. Training should also make clear how to report a suspicious email or request, since a fast report is often the first signal the security team gets.
Collecting metrics to measure the effectiveness of the training and awareness campaigns can aid in improving the overall effectiveness of the program. Well-run programs generally show a measurable correlation between effective user awareness and a reduced number of incidents within the enterprise, for example fewer employees clicking simulated phishing links and more of them reporting the attempts.
Many of the enterprises that experienced widespread breaches had a lax information security culture. Running effective user awareness campaigns on a regular basis helps build a risk-aware culture, which in turn helps enterprises manage their risk and protect information assets. Once an organization builds a risk-aware culture, information security becomes a shared responsibility across the board.
Harnessing Security Intelligence
Many breaches are not identified until long after the initial compromise, by which time they have caused severe damage to the business and its systems. Building the right security capabilities will help identify anomalous activities or threats before they become major incidents.
Today, enterprises collect a tremendous amount of intelligence in the form of system logs: network logs, firewall logs, application logs, server logs and more. An intelligent security operations program will consume all this intelligence (plus external threat intelligence, where available) to generate alerts or create actionable intelligence for other IT teams to investigate. That only works if the logs are forwarded to a central platform, carry synchronized timestamps and are retained long enough to reconstruct an incident. Identifying anomalous activity within minutes or hours of occurrence reduces the business risk and system impact compared to detecting it days or months later.
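The detection logic the paragraph describes, as an added example that is not part of the original article: a sliding-window rule run over a handful of constructed sshd authentication lines. The log lines, the IP addresses (from the documentation ranges) and the thresholds are all assumptions chosen for illustration; the point is that a raw log stream becomes an alert with a measurable time-to-detect, and that a single mistyped password is deliberately not escalated.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for this example (syslog-style sshd output, not from
# any real system). Source 203.0.113.45 fails five times and then logs in as "deploy";
# 198.51.100.7 is a user who mistyped a password once and then used her key.
SAMPLE_LOGS = """\
2024-03-04T09:00:01Z bastion sshd[4011]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
2024-03-04T09:00:03Z bastion sshd[4012]: Failed password for root from 203.0.113.45 port 51023 ssh2
2024-03-04T09:00:05Z bastion sshd[4013]: Failed password for root from 203.0.113.45 port 51024 ssh2
2024-03-04T09:00:07Z bastion sshd[4014]: Failed password for invalid user oracle from 203.0.113.45 port 51025 ssh2
2024-03-04T09:00:09Z bastion sshd[4015]: Failed password for root from 203.0.113.45 port 51026 ssh2
2024-03-04T09:00:12Z bastion sshd[4016]: Accepted password for deploy from 203.0.113.45 port 51027 ssh2
2024-03-04T09:15:00Z bastion sshd[4100]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2024-03-04T09:15:30Z bastion sshd[4101]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    """Parse one sshd auth line into a dict, or return None for lines we do not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(log_text, threshold=5, window=timedelta(minutes=5), min_failures_before_success=3):
    """Sliding-window detection over the log stream, in arrival order.

    'brute_force'            -> a source reaches `threshold` failures inside `window`.
    'success_after_failures' -> a source that already has at least
                                `min_failures_before_success` failures in its window then
                                logs in successfully: the higher-fidelity signal that a
                                credential was actually guessed. One typo followed by a
                                login is deliberately not alerted on.
    Each alert carries seconds_to_detect measured from the first failure still in the
    window, the kind of time-to-detect figure a KPI can track.
    """
    failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    alerts, already_alerted = [], set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:      # expire failures outside the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in already_alerted:
                already_alerted.add(ev["src"])
                alerts.append({"type": "brute_force", "src": ev["src"], "count": len(q),
                               "at": ev["ts"],
                               "seconds_to_detect": int((ev["ts"] - q[0]).total_seconds())})
        elif len(q) >= min_failures_before_success:
            alerts.append({"type": "success_after_failures", "src": ev["src"],
                           "user": ev["user"], "failures_before": len(q), "at": ev["ts"],
                           "seconds_to_detect": int((ev["ts"] - q[0]).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Run against the sample, the rule raises two alerts for 203.0.113.45 (the brute force itself, eight seconds after the first failure, and the suspicious "deploy" login that followed it) and nothing for alice. In a real SIEM the same rule would be expressed in the platform's query language and the thresholds tuned against the enterprise's own baseline.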
To build an intelligent security operations program successfully, information security teams must train or hire the right skilled resources, develop processes and procedures and implement the right tools and technologies. In addition, appropriate response plans should be developed to respond to any incidents.
Managing Vulnerabilities
Business processes and critical transactions are performed on enterprise systems. These systems, both hardware and software, need to be maintained to standard, hardened configurations and updated with vendor-released fixes and patches on a regular basis. This is a very arduous task, and many enterprises struggle to effectively configure and patch their systems, leaving the systems vulnerable to attacks and exploits.
A robust vulnerability management program should be built to identify known vulnerabilities and maintain acceptable system configurations across the enterprise. Partnering with other IT teams to build and maintain an authoritative system inventory database is the key first step: a scanner can only find weaknesses on systems it knows about. Once the systems are identified and standard baseline configurations are built, they should be scanned on a periodic basis. Quarterly scanning is a common compliance floor; critical and internet-facing systems should be scanned more frequently, and again after significant changes.
Security experts should partner with other IT professionals to develop processes and procedures to remediate findings from the scans within a time frame set by the severity of the finding and the criticality of the affected system, in order to maintain the desired information security, risk and compliance posture.
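A small worked example of the process just described, added here and not taken from the original article: scanner findings are joined against an authoritative inventory, each finding gets a remediation due date from a severity-based SLA (tightened for critical systems), and the report surfaces what a program owner actually needs to chase. The inventory, the findings, the SLA table and the scan intervals are all constructed for illustration and are not real assets or vulnerabilities.

```python
from datetime import date, timedelta

# Constructed authoritative inventory (hypothetical): hostname -> attributes.
INVENTORY = {
    "erp-db-01": {"criticality": "critical", "owner": "erp-team", "last_scanned": date(2024, 2, 20)},
    "web-01":    {"criticality": "high",     "owner": "web-team", "last_scanned": date(2024, 3, 1)},
    "hr-app-01": {"criticality": "critical", "owner": "hr-it",    "last_scanned": date(2023, 10, 5)},
    "build-07":  {"criticality": "low",      "owner": "dev-tools", "last_scanned": date(2024, 3, 2)},
}

# Constructed scanner findings (no real products or CVE identifiers); fixed=None means open.
FINDINGS = [
    {"id": "F-1", "host": "erp-db-01", "severity": "critical", "first_seen": date(2024, 2, 20), "fixed": None},
    {"id": "F-2", "host": "web-01",    "severity": "high",     "first_seen": date(2024, 2, 1),  "fixed": date(2024, 2, 25)},
    {"id": "F-3", "host": "web-01",    "severity": "medium",   "first_seen": date(2024, 1, 10), "fixed": None},
    {"id": "F-4", "host": "build-07",  "severity": "low",      "first_seen": date(2024, 3, 2),  "fixed": None},
    {"id": "F-5", "host": "lab-box-3", "severity": "high",     "first_seen": date(2024, 2, 15), "fixed": None},
]

# Hypothetical remediation SLA in days by severity, and how often each tier must be scanned.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SCAN_INTERVAL = {
    "critical": timedelta(days=30), "high": timedelta(days=30),
    "medium": timedelta(days=90),   "low": timedelta(days=90),
}


def due_date(finding, inventory):
    """SLA due date; findings on critical systems get half the normal allowance."""
    days = SLA_DAYS[finding["severity"]]
    host = inventory.get(finding["host"])
    if host and host["criticality"] == "critical":
        days = max(1, days // 2)
    return finding["first_seen"] + timedelta(days=days)


def report(findings, inventory, today):
    """Join findings to the inventory and produce the program's working lists:
    overdue open findings with their owners, hosts the scanner saw but the inventory
    does not know (coverage/shadow IT gap), hosts overdue for a scan, and the KPI
    'share of closed findings that were closed within SLA'."""
    overdue, unknown_hosts, stale_hosts = [], set(), []
    closed_in_sla = closed_total = 0
    for f in findings:
        if f["host"] not in inventory:
            unknown_hosts.add(f["host"])
            continue
        due = due_date(f, inventory)
        if f["fixed"] is not None:
            closed_total += 1
            if f["fixed"] <= due:
                closed_in_sla += 1
        elif today > due:
            overdue.append({"id": f["id"], "host": f["host"], "owner": inventory[f["host"]]["owner"],
                            "days_overdue": (today - due).days})
    for host, attrs in inventory.items():
        if today - attrs["last_scanned"] > SCAN_INTERVAL[attrs["criticality"]]:
            stale_hosts.append(host)
    kpi = closed_in_sla / closed_total if closed_total else None
    return {"overdue": overdue, "unknown_hosts": sorted(unknown_hosts),
            "stale_hosts": stale_hosts, "closed_within_sla": kpi}


if __name__ == "__main__":
    print(report(FINDINGS, INVENTORY, date(2024, 3, 4)))
```

On this data the critical finding on erp-db-01 is ten days past its shortened due date, lab-box-3 needs to be added to the inventory (or removed from the network), hr-app-01 has not been scanned inside its interval, and the one closed finding was closed within SLA.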
Managing Access and the Digital ID Life Cycle
The ability to provide users with the right access to the right resource at the right time is a fundamental information security principle.
Users with inadequate system access will not be productive. At the same time, users with excessive system access increase the risk of unauthorized access compromising the availability, integrity or confidentiality of the system. Building a robust capability to provision users with appropriate system rights based on job roles and responsibilities, while at the same time securing access to the business systems, is key to enterprise security posture.
Identity and access management programs should be built to develop new procedures and streamline existing provisioning processes before leveraging tools to automate them; automating a broken process only produces wrong access faster. Access to key systems should be secured through centralized authentication (for example, enterprise single sign-on) so that password and session policies are enforced consistently. Where required, multi-factor authentication should be enforced for access to critical systems.
Campaigns should be run on a periodic basis to enable business owners to certify user access to systems and to revoke access that is no longer needed, including accounts belonging to users who have left or changed roles.
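What an access certification campaign actually computes, as an added example that is not part of the original article: the systems' real grants are compared against the role model and the HR feed, and each account comes back with a finding a business owner can act on. The role model, the HR feed, the account snapshot, the entitlement names and the 90-day dormancy threshold are all constructed assumptions for illustration.

```python
from datetime import date, timedelta

# Hypothetical role model: a job role implies exactly this set of entitlements.
ROLE_ENTITLEMENTS = {
    "ap_clerk":   {"erp:ap_invoice_entry", "erp:vendor_lookup"},
    "ap_manager": {"erp:vendor_lookup", "erp:ap_invoice_approve"},
    "developer":  {"git:read", "git:write", "ci:trigger"},
}

# Constructed HR feed: the authoritative source for who works here and in what role.
HR_FEED = {
    "bsmith": {"role": "ap_clerk",   "status": "active"},
    "jdoe":   {"role": "ap_manager", "status": "active"},
    "kpatel": {"role": "developer",  "status": "active"},
    "mchen":  {"role": "developer",  "status": "active"},
    "rlee":   {"role": "developer",  "status": "terminated"},
}

# Constructed snapshot of what the systems actually grant today, with last login.
ACCOUNT_SNAPSHOT = {
    "bsmith":     {"entitlements": {"erp:ap_invoice_entry", "erp:vendor_lookup", "erp:ap_invoice_approve"},
                   "last_login": date(2024, 3, 1)},
    "jdoe":       {"entitlements": {"erp:vendor_lookup", "erp:ap_invoice_approve"}, "last_login": date(2024, 2, 28)},
    "kpatel":     {"entitlements": {"git:read", "git:write", "ci:trigger", "erp:vendor_lookup"},
                   "last_login": date(2024, 3, 3)},
    "mchen":      {"entitlements": {"git:read", "git:write", "ci:trigger"}, "last_login": date(2023, 11, 1)},
    "rlee":       {"entitlements": {"git:read", "git:write"}, "last_login": date(2023, 11, 15)},
    "svc_legacy": {"entitlements": {"erp:vendor_lookup"}, "last_login": date(2024, 3, 2)},
}

# Toxic combinations no single account may hold (segregation of duties).
TOXIC_PAIRS = [("erp:ap_invoice_entry", "erp:ap_invoice_approve")]


def certify(hr_feed, snapshot, role_model, today, toxic_pairs=TOXIC_PAIRS,
            dormant_after=timedelta(days=90)):
    """Return one finding per problem, each with the action the owner should take.

    orphan_or_leaver   -> account has no active person behind it: revoke everything.
    excess_entitlement -> grants beyond what the role implies: owner must justify or remove.
    sod_conflict       -> holds both halves of a toxic pair: remove one regardless of role.
    dormant            -> unused for `dormant_after`: disable pending review.
    """
    findings = []
    for account, acct in snapshot.items():
        person = hr_feed.get(account)
        ents = acct["entitlements"]
        if person is None or person["status"] != "active":
            findings.append({"account": account, "finding": "orphan_or_leaver",
                             "action": "revoke_all", "detail": sorted(ents)})
            continue   # nothing else matters once the account should not exist
        excess = ents - role_model.get(person["role"], set())
        if excess:
            findings.append({"account": account, "finding": "excess_entitlement",
                             "action": "owner_review", "detail": sorted(excess)})
        for a, b in toxic_pairs:
            if a in ents and b in ents:
                findings.append({"account": account, "finding": "sod_conflict",
                                 "action": "remove_one", "detail": [a, b]})
        if today - acct["last_login"] > dormant_after:
            findings.append({"account": account, "finding": "dormant",
                             "action": "disable_pending_review",
                             "detail": [acct["last_login"].isoformat()]})
    return findings


def findings_by_account(findings):
    """Group finding types per account, which is how a certification report is presented."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["account"], []).append(f["finding"])
    return grouped


if __name__ == "__main__":
    for f in certify(HR_FEED, ACCOUNT_SNAPSHOT, ROLE_ENTITLEMENTS, date(2024, 3, 4)):
        print(f)
```

The clerk bsmith illustrates why excess access matters: the extra approval right is not just untidy, it lets one person enter and approve the same invoice. The terminated developer and the service account nobody owns are the leaver and orphan cases a certification campaign exists to catch.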
Protecting Your Crown Jewels
Information security teams have finite budgets and limited resources. The best way to spend them is to first identify and understand what matters most to the organization.
Every organization has sensitive data stored and processed across the enterprise systems. This information is critical to running business processes. Any compromise to the confidentiality, integrity or availability of that data might significantly impact the organization’s ability to do business.
Data security programs focused on identifying the key systems and critical data components and implementing appropriate security controls should be built to help reduce the risk of compromise to the integrity, confidentiality or availability of the data or systems.
Identifying and classifying critical data is the key first step. Once the data is classified based on the risk level, the appropriate controls can be implemented. This will enable information security teams to apply controls consistently across various classes of data to manage risk and secure information assets appropriately.
Securing Disruptive Technologies
Information security must be a business enabler. As businesses adopt new, disruptive technologies such as mobile applications, social media, mobile devices or the cloud to enhance customer experience, improve collaboration between employees, break network boundaries to facilitate access to information or reduce IT costs, information security has to be a partner.
Information security teams should evaluate and enable these technologies within the enterprise before losing control due to rapid adoption by the business teams.
In order to be the business enabler, a robust program should be built to partner with business and IT teams to integrate security controls within these technologies in the very early stages of adoption. The reality is that businesses will rapidly adopt these disruptive technologies, so it is better to be ahead of the game and assist in the process than struggle to catch up.
Securing Third-Party Business Relationships
Today, enterprises depend on third-party service providers, business partners and vendors to execute business processes and, sometimes, to access enterprise assets to complete those processes. This dependency makes service providers and business partners an extension of the enterprise network. A lack of appropriate security controls within them can have a significant impact on the enterprise's security and risk posture.
Information security programs should assess third-party providers and business partners who access enterprise information or receive sensitive data before a business relationship is established. Teams should work with legal and IT professionals when contracts are negotiated to incorporate appropriate language to enforce required security controls, to require breach notification and to gain access to any independent audit or compliance reports. In addition, the team should perform periodic assessments of those security controls to ensure compliance with the contractual agreement.
Each of these key elements acts as a building block for an effective information security program to protect enterprise assets and reduce the risk from emerging threat vectors. Defining KPIs and KRIs will enable you to measure the effectiveness of all the security controls and identify areas for continuous improvement to stay one step ahead of threats. Metrics, along with the proper business context, will help give regular, consistent security updates to the board and business leaders.