19 of the top CISOs and security executives from around the world came together to give their advice on what security teams should be focusing on in the New Year. This week, the Security for Business Innovation Council (SBIC) released an in-depth report expounding on the suggestions. The major industry thought leaders included FedEx CISO and VP of Information Security Denise D. Wood, Coca-Cola CISO Renee Guttmann, and Intel Chief Security and Privacy Officer Malcolm Harkins, among other security big shots.
The group of CISOs came up with five recommendations on the best ways to advance security programs in maturity, how to address critical security issues, and how to get ready for the future. The group sees a huge shift coming in the not-so-distant future in the way we approach security, one that demands a complete overhaul of current systems: moving from an ad-hoc approach to much more deeply integrated security efforts.
1. Shift Focus From Technical Assets to Critical Business Processes
Whereas the traditional idea of security revolved only around information assets, like servers, networks, and applications, information security has evolved to include precious business assets. Advanced Persistent Threats (APTs) are designed to attack the business outputs of an organization, so a security model that excludes an emphasis on how business is conducted is no longer sufficient. Organizations need to frame security efforts to include critical business processes, protecting the information that flows within those processes.
The CISOs recommend thorough documentation of business processes, with the idea that the security team should work with each business unit to document the most critical processes in a way that is continually updated.
2. Institute Business Estimates of Cybersecurity Risks
Security teams need to act as risk advisors to upper-level management and express security risks in business terms, integrating business estimates into the risk-advisory process. Shifting away from a FUD (fear, uncertainty and doubt) approach, today's security teams should be able to illuminate actual, plausible risks along with their potential financial impacts.
Martijn Dekker, Senior Vice President and CISO of ABN Amro, put the need to express security risks in business terms and with solid facts nicely:
“The security profession is under pressure now to come up with ways to quantify security risks. Because as organizations spend more on security, they’re asking ‘Why are we spending so much on this? How big are the risks?’ It’s becoming more and more important that we can justify that spend.”
3. Establish A Business-Centric Risk Assessment Process
The CISOs' third recommendation is to create a more complete depiction of the business and security risks by automating the risk process and allowing for more flexibility in assessing risks during high-stakes organizational opportunities.
In automating the process, the report recommends that a new risk assessment be performed for each new project, with an allotted budget for follow-up assessments. Automating the process allows faster turnaround for the assessments and a bigger picture of the risks involved in each project. If a certain project yields a high amount of risk, the security team would be able to pinpoint it and analyze the assessment further.
This process also breeds more flexibility within the risk assessment, allowing the security team to decide, based on continuous reporting, whether a given project yields an abnormal amount of risk and whether that risk should be accepted.
4. Set a Course for Evidence-Based Controls Assurance: Quality over Quantity
Today's security controls have to be able to multitask in a very significant way. They need to persistently meet business criteria while protecting against real-time threats and allowing for flexibility within the business – all while showing the business that the security controls are worth their weight. Whether that's a BYOD policy, your organization's policy on creating and storing passwords, how and where employees enter data into your system, etc., each needs to be able to provide evidence of how it's working within the organization.
The report stresses the importance of quality over quantity in the case of information security. The group decided on an 80/20 rule, stating that only about twenty percent of security controls will provide the bulk of an organization's security, while the other 80 percent don't necessarily need to be top of mind. It's vital for the security team to identify that twenty percent and focus on them when documenting, reviewing and gathering evidence.
One of the long-term goals for organizations refocusing their security efforts should be to work towards more automated monitoring that provides a visual report on how the controls are working and real-time alerts when a particular control is not.
5. Develop Informed Data-Collection Methods
Using data analytics in the best possible way is the fifth and final recommendation from the report. This data has become essential in researching past issues in order to prevent future attacks. Use cases are the ideal way to put the analytics your security team compiles to work: answering a question related to defending those critical business processes is an effective way of parsing through a huge amount of data.
Tim McKnight, Executive Vice President of Enterprise Information Security & Risk at Fidelity Investments, says:
“The biggest challenge of data analytics is getting meaningful outcomes. Focus on the information that runs your business and develop the questions you want to ask. Otherwise, you’ll be swimming in data.”
Read the whole report from EMC here.
Latest posts by Sarah Vonnegut