March 4, 2016 By Dimple Ahluwalia 2 min read

In a recent article on TechRepublic, researchers at the University of Arizona’s Artificial Intelligence Laboratory described their ongoing study into the operations, interactions and communications of the hacker community. Specifically, researchers noted how organized they are, how tight-knit their community is and how they “always have and always will change things up.” Sound familiar?

Cybercriminals do not necessarily have a formally written framework under which they operate, but it may be surprising to learn that they are organized around some modus operandi. This is deeply cultural, social and unstructured, and it is effective in achieving their objectives.

Establishing a Modus Operandi for Security

As an IT or security leader with strong governance policies and increasing pressures thanks to compliance, business innovations and workforce behaviors, you cannot rely on fixed technology responses to navigate the security minefield. Simply throwing more security technology at a growing problem is like reaching for a simple ibuprofen for a migraine headache: It only provides temporary relief and doesn’t cure the underlying cause. In security, it is important to understand the context and critical interdependencies that put your organization at risk and then set your priorities and guiding principles accordingly.

Thinking about security from the perspective of modus operandi and working with a framework that delivers the guidance and principles behind decision-making helps leaders. Everyone in the organization is better equipped to navigate through the toughest of changes, growing business needs and, most of all, cyber dangers.

At IBM, we work with clients to adopt a framework called 10 Essential Security Practices in which we assess security capabilities, readiness and maturity. Then we develop a profile for security governance and processes, helping clients to establish long-term programs.

Essential Security Practices to Consider

The 10 essential security practices are designed to be the modus operandi for security and IT leaders. The framework encourages professionals to assess and develop appropriate strategies based on:

  1. A risk-aware culture;
  2. The establishment of intelligent security operations and rapid threat response;
  3. Secure collaboration in the social and mobile workplace;
  4. The development of security-rich products and applications by design;
  5. A hygienic approach to securing systems and infrastructure;
  6. The creation of a security-rich and resilient network;
  7. Best practices for addressing security complexities in the cloud and virtualization technologies;
  8. The careful management of third-party security compliance;
  9. Assuring data security and privacy; and
  10. How to manage the digital identity life cycle.

Conclusion

To operate cybersecurity as a true enterprise function, organizations need a framework within which to establish their security program, understand the context and critical interdependencies of initiatives and set priorities accordingly. Such a framework can also be used to identify gaps, monitor progress and achieve other strategic security objectives. This is all done while ensuring security programs are fully coordinated with an organization’s core business objectives and initiatives.

Are you ready to adopt a framework and prioritize a long-term plan for your security capabilities, readiness and maturity? Watch this video series about the 10 essential security practices to learn more.

https://www.youtube.com/watch?v=bWjrVXB0ZvQ

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today