What Are the Silver Bullets for Strong Security?

These days, information security is a regular boardroom topic with heightened awareness among senior business leadership. The impact of recent breaches proves that information security is not just an IT issue, but a business issue. It’s great that information security is getting its due because it is enabling security leaders to build and sustain effective information security programs to support business innovation, reduce business risk and meet compliance requirements.

An efficient, sustainable information security program not only provides a robust security posture, but also makes it possible to give regular state-of-security updates to the board and senior business leaders. The program should have realistic goals and focus on building foundational elements that continuously mature the information security capabilities, measured against defined key performance indicators (KPIs) and key risk indicators (KRIs).

Important elements to build a successful information security program include:

  • Building user awareness and changing culture;
  • Harnessing security intelligence;
  • Managing vulnerabilities;
  • Managing access and digital ID life cycle;
  • Protecting your crown jewels;
  • Securing disruptive technologies; and
  • Securing third-party business relationships.

Building User Awareness and Changing Culture

Information security is a shared responsibility and not just the responsibility of the information security team. Educating all your users about the information security policies, best practices (e.g., strong passwords, not sharing passwords, etc.) and some key attack vectors (e.g., spear phishing, social engineering, etc.) will help strengthen your security posture.

Collecting metrics to measure the effectiveness of the training and awareness campaigns (for example, phishing-simulation click rates and the number of user-reported suspicious emails) can aid in improving the overall effectiveness of the program. Such metrics consistently show a correlation between effective user awareness programs and a reduced number of incidents within the enterprise.

Many enterprises that have suffered widespread breaches had a lax information security culture. Running effective user awareness campaigns on a regular basis helps build a risk-aware culture, which in turn helps enterprises manage their risk and protect information assets. Once an organization builds a risk-aware culture, information security becomes a shared responsibility across the board.

Harnessing Security Intelligence

Most breaches are not identified and addressed before they cause severe damage to the business and its systems. Building the right security capabilities will help identify any anomalous activities or threats before they become major incidents.

Today, enterprises collect a tremendous amount of security-relevant telemetry in the form of system logs: network logs, firewall logs, application logs, server logs, authentication logs and more. An intelligent security operations program centralizes this telemetry, enriches it with external threat intelligence where available (for example, indicator feeds of known-malicious addresses and domains) and correlates it to generate alerts or create actionable intelligence for other IT teams to investigate. This only works if logs are collected from the systems that matter, time-synchronized and retained long enough to investigate. Identifying anomalous activity within minutes or hours of occurrence will reduce the business risk and system impact compared to detecting it days or months later.

To build an intelligent security operations program successfully, information security teams must train or hire the right skilled resources, develop processes and procedures and implement the right tools and technologies. In addition, appropriate response plans should be developed to respond to any incidents.
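As an added illustration of the correlation described above (this is example code written for this article, not a product or any organization's actual detection content), the script below parses a handful of constructed sshd-style log lines, applies two rules and emits alerts. The first rule flags a successful login that follows a burst of failed logins from the same source for the same user inside a short window; the second flags any successful login from an address on an external indicator list. The log lines, the indicator list and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: syslog-style sshd lines written for this example
# (not real logs). Timestamps are UTC.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z host1 sshd: Failed password for alice from 203.0.113.5 port 50001
2024-03-01T09:00:03Z host1 sshd: Failed password for alice from 203.0.113.5 port 50002
2024-03-01T09:00:05Z host1 sshd: Failed password for alice from 203.0.113.5 port 50003
2024-03-01T09:00:06Z host1 sshd: Failed password for alice from 203.0.113.5 port 50004
2024-03-01T09:00:08Z host1 sshd: Failed password for alice from 203.0.113.5 port 50005
2024-03-01T09:00:10Z host1 sshd: Accepted password for alice from 203.0.113.5 port 50006
2024-03-01T09:15:00Z host2 sshd: Accepted publickey for bob from 198.51.100.7 port 40001
2024-03-01T09:20:00Z host2 sshd: Failed password for root from 192.0.2.9 port 41000
2024-03-01T10:00:00Z host3 sshd: Accepted password for carol from 10.0.0.12 port 42000
"""

# Hypothetical external intelligence: source addresses a threat feed has flagged.
IOC_IPS = {"198.51.100.7"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) \S+ for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production pipeline would count these as parse failures
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect(events, threshold=5, window=timedelta(minutes=5), iocs=IOC_IPS):
    """Rule 1: >= threshold failures then a success for the same (source, user)
    inside the window. Rule 2: any successful login from a listed IOC address."""
    alerts = []
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["src"], e["user"])
        # drop failures that have aged out of the correlation window
        failures[key] = [t for t in failures[key] if e["ts"] - t <= window]
        if e["result"] == "Failed":
            failures[key].append(e["ts"])
            continue
        if len(failures[key]) >= threshold:
            alerts.append({"rule": "brute-force-then-success", "host": e["host"],
                           "user": e["user"], "src": e["src"], "ts": e["ts"],
                           "failures": len(failures[key])})
        failures.pop(key, None)  # a success resets the counter
        if e["src"] in iocs:
            alerts.append({"rule": "login-from-ioc-address", "host": e["host"],
                           "user": e["user"], "src": e["src"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOGS)):
        print(a["rule"], a["ts"].isoformat(), a["user"], a["src"], a["host"])
```

On the sample input this produces exactly two alerts: the brute force against alice that ended in a successful password login, and bob's key-based login from the flagged address. The single failed root attempt stays below the threshold and is not alerted on, which is the point of correlating rather than alerting on every failure.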

Managing Vulnerabilities

Business processes and critical transactions are performed on enterprise systems. These systems, both hardware and software, need to be maintained to standard configurations and updated with vendor-released fixes and patches on a regular basis. This is an arduous task, and many enterprises struggle to configure and patch their systems effectively, leaving them vulnerable to attacks and exploits.

A robust vulnerability management program should be built to identify known vulnerabilities and maintain acceptable system configurations across the enterprise. Partnering with other IT teams to build and maintain an authoritative system inventory database is the key first step: a scanner cannot find what the organization does not know it owns. Once the systems are identified and standard baseline configurations are built, they should be scanned on a periodic basis. Quarterly scanning should be treated as the minimum; critical and internet-facing systems warrant more frequent scans, and any system should be rescanned after significant changes.

Security experts should partner with other IT professionals to develop processes and procedures to remediate findings from the scans within an acceptable time frame to maintain the desired information security, risk and compliance posture.
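The checks a vulnerability management program runs on every scan cycle (is every inventoried asset actually being scanned, is anything being scanned that the inventory does not know about, and which findings have blown their remediation deadline) are easy to automate. The following is an added example written for this article, not any scanner's or organization's code: it reconciles a constructed asset inventory against constructed scan output and applies an assumed remediation policy based on CVSS v3 severity bands, halving the allowed time for high-criticality assets. The asset names, findings, dates and SLA values are all assumptions.

```python
from datetime import date, timedelta

# Constructed asset inventory (hypothetical): the authoritative list of what exists.
INVENTORY = {
    "web-01": {"criticality": "high", "owner": "web-team"},
    "db-01": {"criticality": "high", "owner": "dba-team"},
    "wiki-01": {"criticality": "low", "owner": "intranet-team"},
}

# Constructed scanner output (hypothetical): which assets the scan reached and
# what it found. Finding names are illustrative, not vendor plugin IDs.
SCAN = {
    "scanned": ["web-01", "db-01", "backup-99"],
    "findings": [
        {"asset": "web-01", "id": "outdated-tls-library", "cvss": 9.8, "found": date(2024, 1, 3)},
        {"asset": "web-01", "id": "missing-security-headers", "cvss": 4.3, "found": date(2024, 1, 3)},
        {"asset": "db-01", "id": "default-admin-account", "cvss": 7.5, "found": date(2024, 2, 20)},
        {"asset": "backup-99", "id": "unsupported-os-version", "cvss": 8.0, "found": date(2024, 2, 25)},
    ],
}

# Assumed remediation policy: days allowed per severity band, halved for
# high-criticality assets. Adjust to your own risk appetite.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
TODAY = date(2024, 3, 1)  # fixed "today" so the example is reproducible


def severity(cvss):
    """CVSS v3 qualitative severity bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def due_date(finding, inventory):
    days = SLA_DAYS[severity(finding["cvss"])]
    if inventory[finding["asset"]]["criticality"] == "high":
        days //= 2
    return finding["found"] + timedelta(days=days)


def review(scan, inventory, today):
    scanned = set(scan["scanned"])
    result = {
        # scanned but not in inventory: the inventory is incomplete
        "unknown_assets": sorted(scanned - set(inventory)),
        # in inventory but never reached by the scanner: a coverage gap
        "unscanned_assets": sorted(set(inventory) - scanned),
        "overdue": [],
    }
    for f in scan["findings"]:
        if f["asset"] not in inventory:
            continue  # already reported under unknown_assets
        due = due_date(f, inventory)
        if today > due:
            result["overdue"].append({
                "asset": f["asset"], "finding": f["id"],
                "severity": severity(f["cvss"]),
                "days_overdue": (today - due).days,
                "owner": inventory[f["asset"]]["owner"],
            })
    result["overdue"].sort(key=lambda r: -r["days_overdue"])
    return result


def example_review():
    return review(SCAN, INVENTORY, TODAY)


if __name__ == "__main__":
    r = example_review()
    print("scanned but not in inventory:", r["unknown_assets"])
    print("in inventory but not scanned:", r["unscanned_assets"])
    for o in r["overdue"]:
        print(f'{o["asset"]} {o["finding"]} ({o["severity"]}) '
              f'overdue {o["days_overdue"]}d -> {o["owner"]}')
```

Run against the constructed data, the review reports backup-99 as a host the inventory does not know about, wiki-01 as an inventoried host the scan never reached, and two overdue findings on web-01, with the critical one 51 days past its deadline. The two inventory discrepancies are the findings a purely scanner-driven program would never surface, which is why the inventory comes first.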

Managing Access and the Digital ID Life Cycle

The ability to give users the right access to the right resource at the right time, and no more than that, is a fundamental information security principle: least privilege.

Users with inadequate system access will not be productive. At the same time, users with excessive system access increase the risk of unauthorized access compromising the availability, integrity or confidentiality of the system. Building a robust capability to provision users with appropriate system rights based on job roles and responsibilities, while at the same time securing access to the business systems, is key to enterprise security posture.

Identity and access management programs should be built to develop new procedures and streamline existing provisioning processes before leveraging tools to automate them; automating a broken process only produces wrong access faster. Access to key systems should be secured through a centralized enterprise authentication capability (such as single sign-on) so that password, session and lockout policies are enforced consistently. Two-factor (or stronger multifactor) authentication should be enforced for access to critical systems, and in particular for privileged and remote access.

Access certification campaigns should be run on a periodic basis so that business owners confirm which users still need access to their systems. Access that is not re-certified should be revoked, and accounts belonging to people who have left the organization should be disabled as soon as HR records the departure rather than waiting for the next campaign.
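The reconciliation behind role-based provisioning and access certification, as an added example written for this article rather than any IAM product's logic: a constructed role model says what each job role should grant, a constructed snapshot says what the systems actually grant, and an HR feed says who is still employed. The code reports access beyond what the roles justify, access the roles require but the user lacks, toxic combinations under a separation-of-duties rule, and accounts still active for people HR lists as terminated; it then builds the per-owner packets a certification campaign would send out. Roles, users, entitlement strings and the SoD rule are all assumptions.

```python
from collections import defaultdict

# Constructed role model (hypothetical): what each job role is entitled to.
ROLES = {
    "ap-clerk": {"erp:invoices:create", "erp:invoices:read"},
    "ap-approver": {"erp:invoices:approve", "erp:invoices:read"},
    "hr-analyst": {"hris:employees:read"},
    "dba": {"db:prod:admin"},
}

# Constructed separation-of-duties rule: no single person may hold both.
SOD_RULES = [("erp:invoices:create", "erp:invoices:approve")]

# Constructed snapshot of what the systems actually grant today, plus the
# business owner who must certify each person's access.
ACTUAL = {
    "alice": {"roles": ["ap-clerk"], "owner": "finance-director",
              "entitlements": {"erp:invoices:create", "erp:invoices:read", "db:prod:admin"}},
    "bob": {"roles": ["hr-analyst"], "owner": "hr-director",
            "entitlements": {"hris:employees:read"}},
    "carol": {"roles": ["ap-clerk"], "owner": "finance-director",
              "entitlements": {"erp:invoices:read"}},
    "dave": {"roles": ["ap-clerk", "ap-approver"], "owner": "finance-director",
             "entitlements": {"erp:invoices:create", "erp:invoices:read", "erp:invoices:approve"}},
}

# Constructed HR feed: the authoritative source for who is still employed.
HR_STATUS = {"alice": "active", "bob": "active", "carol": "terminated", "dave": "active"}


def entitlements_for(roles):
    """Effective entitlements implied by a list of roles."""
    return set().union(*(ROLES.get(r, set()) for r in roles))


def reconcile(actual, hr_status):
    """Compare granted access with what roles and HR status justify."""
    findings = []
    for user, rec in actual.items():
        if hr_status.get(user) != "active":
            # leaver still holding access: revoke it, do not send it for certification
            findings.append((user, "orphaned-account", sorted(rec["entitlements"])))
            continue
        expected = entitlements_for(rec["roles"])
        excess = rec["entitlements"] - expected
        missing = expected - rec["entitlements"]
        if excess:
            findings.append((user, "excess-access", sorted(excess)))
        if missing:
            findings.append((user, "missing-access", sorted(missing)))
        for a, b in SOD_RULES:
            if a in rec["entitlements"] and b in rec["entitlements"]:
                findings.append((user, "sod-violation", [a, b]))
    return findings


def certification_packets(actual, hr_status):
    """Per business owner: the active users and entitlements they must attest to."""
    packets = defaultdict(list)
    for user, rec in sorted(actual.items()):
        if hr_status.get(user) == "active":
            packets[rec["owner"]].append((user, sorted(rec["entitlements"])))
    return dict(packets)


if __name__ == "__main__":
    for user, kind, detail in reconcile(ACTUAL, HR_STATUS):
        print(f"{user}: {kind} {detail}")
    for owner, items in certification_packets(ACTUAL, HR_STATUS).items():
        print(f"{owner} certifies {len(items)} user(s)")
```

On the constructed data this flags alice's production database admin right (not justified by her clerk role), carol's lingering access after termination, and dave's ability to both create and approve invoices. Note that dave's access is exactly what his two assigned roles grant, so a role-only comparison would pass him; the SoD check is what catches the problem, which is why certification should review combinations and not just individual grants.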

Protecting Your Crown Jewels

Information security has finite budgets and limited resources. The best way to spend those resources is to identify and understand what is important to the organization.

Every organization has sensitive data stored and processed across the enterprise systems. This information is critical to running business processes. Any compromise to the confidentiality, integrity or availability of that data might significantly impact the organization’s ability to do business.

Data security programs focused on identifying the key systems and critical data components and implementing appropriate security controls should be built to help reduce the risk of compromise to the integrity, confidentiality or availability of the data or systems.

Identifying and classifying critical data is the key first step. Once the data is classified by risk level, the appropriate controls can be implemented for each level. This enables information security teams to apply controls consistently across the various classes of data, rather than case by case, to manage risk and secure information assets appropriately.
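A concrete starting point for the "identify and classify" step is to scan the content you already hold for the patterns that mark it as sensitive and map each hit to a classification level and its control set. The block below is an added example written for this article, not any data-discovery product's code. It runs over constructed file contents, detects payment card numbers (with a Luhn checksum so that an arbitrary 16-digit string is not misclassified), national-ID-style numbers and email addresses, assigns one of three assumed levels and attaches the controls assumed for that level. The records, the level names and the control lists are all assumptions.

```python
import re

# Constructed records (hypothetical file contents). 4111 1111 1111 1111 is a
# widely published card-network test number; the SSN-style value is made up.
RECORDS = {
    "crm/export.csv": "name,email\nJane Doe,jane@example.com\n",
    "finance/q1.txt": "card 4111 1111 1111 1111 charged 2024-01-05",
    "notes/todo.txt": "order 1234 5678 9012 3456 shipped",
    "hr/payroll.csv": "emp,ssn\n1001,123-45-6789\n",
    "eng/readme.txt": "Build with make; see the wiki.",
}

CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, separators allowed
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Assumed classification scheme and the controls tied to each level.
CONTROLS = {
    "restricted": ["encrypt at rest", "encrypt in transit", "MFA for access",
                   "access logging", "quarterly access review"],
    "confidential": ["encrypt in transit", "access logging", "need-to-know access"],
    "internal": ["authenticated access"],
}


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text):
    """Digit runs that look like a card number and pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text):
    """Return (level, reasons) for one record's content."""
    reasons = []
    if find_cards(text):
        reasons.append("payment-card-number")
    if SSN_RE.search(text):
        reasons.append("national-id-number")
    if EMAIL_RE.search(text):
        reasons.append("email-address")
    if "payment-card-number" in reasons or "national-id-number" in reasons:
        level = "restricted"
    elif reasons:
        level = "confidential"
    else:
        level = "internal"
    return level, reasons


def build_inventory(records):
    """Map each record to its level, the evidence, and the controls it must get."""
    inventory = {}
    for path, text in records.items():
        level, reasons = classify(text)
        inventory[path] = {"level": level, "reasons": reasons, "controls": CONTROLS[level]}
    return inventory


if __name__ == "__main__":
    for path, info in build_inventory(RECORDS).items():
        print(f'{path}: {info["level"]} {info["reasons"]} -> {", ".join(info["controls"])}')
```

The 16-digit order number in notes/todo.txt fails the Luhn check and so stays at the internal level, while the finance and HR files are classified as restricted and pick up the encryption, MFA and review controls; the CRM export contains only email addresses and lands at confidential. Pattern matching of this kind is a first pass, not a substitute for data owners confirming what a system actually holds.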

Securing Disruptive Technologies

Information security must be a business enabler. As businesses adopt new, disruptive technologies such as mobile applications, social media, mobile devices or the cloud to enhance customer experience, improve collaboration between employees, break network boundaries to facilitate access to information or reduce IT costs, information security has to be a partner.

Information security teams should evaluate and enable these technologies within the enterprise before losing control due to rapid adoption by the business teams.

In order to be the business enabler, a robust program should be built to partner with business and IT teams to integrate security controls within these technologies in the very early stages of adoption. The reality is that businesses will rapidly adopt these disruptive technologies, so it is better to be ahead of the game and assist in the process than struggle to catch up.

Securing Third-Party Business Relationships

Today, enterprises depend on third-party service providers, business partners and vendors to execute business processes and, sometimes, to access enterprise assets to complete those processes. This dependency makes service providers and business partners an extension of the enterprise network. A lack of appropriate security controls on their side can have a significant impact on the enterprise's own security and risk posture.

Information security programs should assess third-party providers and business partners who access enterprise information or receive sensitive data before a business relationship is established. Teams should work with legal and IT professionals when contracts are negotiated to incorporate appropriate language to enforce required security controls and gain access to any compliance reports. In addition, the team should perform periodic assessments of those security controls to ensure compliance with the contractual agreement.

Each of these key elements acts as a building block for an effective information security program to protect enterprise assets and reduce the risk from emerging threat vectors. Defining KPIs and KRIs will enable you to measure the effectiveness of all the security controls and identify areas for continuous improvement to stay one step ahead of threats. Metrics, along with the proper business context, will help give regular, consistent security updates to the board and business leaders.
