In 2007, we published an article, The 7 Reasons Why Businesses are Insecure!
We decided to revisit the topic and not surprisingly, little has changed.
We’ve not seen a need to change the framework components (and in some cases, we’ve left the original text). If anything, the relevance and structure of the framework (its order and definitions) and its importance have grown. But as technology has evolved and the way we use it has grown, the basics of effectively managing business risk have slipped further behind.
1. Management and Governance – From our 2007 article: “If the CEO and Senior Officers of the business do not ultimately own the responsibility and accountability for the security of the business, then it just does not get the appropriate attention”.
In an upcoming article, we’re going to be expanding on this topic and looking at how IT Risk must and will become a part of a Board’s overall Risk Management Governance and Oversight responsibility. (Few boards do it now, and even fewer do it to a level that aligns with the governance and oversight they provide to other, equally important business risks).
This was briefly touched on in a recent article by the Sydney Morning Herald: Changed laws will mean more IT scrutiny.
The bottom line is that while a culture can be developed at many levels within an organisation and driven by passionate people, ultimately, corporate-wide adoption and success in how a business moves forward must be supported, promoted and governed from the top.
In 2007, we wrote: “When we do ‘State of Security’ reviews for our clients, we pretty much have 90% of our report written after the first hour if we find this layer of the framework not in place. i.e. you can be guaranteed that if there is not an effective and ongoing management and governance layer in place, overall security within the organisation is weak”. This holds true in 2012.
2. Environment Awareness – To have effective Risk Management and Information Security practices in place, you must have a clear and definitive understanding of what it is you own and what you want/need to protect.
How can you define policies, standards and acceptable usage policies without this? How can you enforce compliance with policies and standards? Importantly, how can an organisation effectively demonstrate that due care is in place, both in the protection of its assets and in the actions of its people in their use of its Information Technology assets, without that clear and definitive understanding of what it owns (and uses)?
Further reference to a 2007 article:
In 2012, organisations are finding this even tougher as applications and other services are migrated to the “cloud” (where is the data? who has access to it?), social media sites neither owned nor operated by your organisation become an integral part of your business strategies (e.g. marketing), and the growing adoption of BYOD and mobile technologies makes any DLP strategy almost useless.
3. Policies and Standards – From the 2007 article: “Most companies now have security policies and standards but are they of much value? If you don’t have an effective management and governance layer in place to own, manage, maintain and enforce good practice and if you have gaps in awareness of what makes up the corporate environment, how good are they?”
As noted in the previous section, as the evolution and adoption of new technologies make security an ever more complex task, clearly defined, relevant, up-to-date and communicated rules for the use of a company’s information and technology systems are vital.
4. Policy Compliance and Awareness – From the 2007 article: “Policies and standards are all good and well but if you’re not doing what you say you should be doing, the security program is useless. Stating the obvious I know, but this is the story more often than not from our experience”.
5. Assurance Program – The “Assurance” phase of a security framework should be just that – organisations “testing” to confirm they are doing what they say they should be doing as defined in their policies and standards.
Historically though, “assurance” testing has for the most part been addressed as a standalone program that rarely relates directly to an organisation’s policies and standards.
Rather, it is used independently “to identify issues arising from the deployment of new technologies and problems from weak practices in existing technologies”. Without context and a relation to the expected use of Information Technology, results rarely make their way back into any form of update or maintenance of existing policies and standards that would help from a broader perspective.
In the 2007 article, we listed examples of good practice assurance program activities that all companies should be addressing.
In 2012, we’re seeing more and more companies adopting ongoing assurance programs, but how many are doing it smart and how many are wasting their time and money? Here are a few examples of what is sadly more the rule than the exception:
It’s no wonder some question the merits of penetration testing, for example. Penetration testing is not the problem. It’s still one of the best “assurance” exercises a company can perform. The problem is what people are testing, how they are testing it and what they are not testing.
6. Incident Management and Response – From our 2007 article: “If any of the above fails and an incident occurs (assuming the organisation knows an incident has actually taken place, and take the tip: most companies have no idea unless it’s one that has walked right up to them and slapped them in the face), most organisations have little or nothing in the way of documented and tested response plans. (Let’s add DR to this also). How can an organisation quickly and effectively respond to something if there is no plan?”
Since 2007, how often has the following seemed like the standard for Incident Management and Response:
7. Strategy and Performance Assessment – [We’ve left this section almost in its entirety from the 2007 article, for no other reason than that, to be able to address this component of the framework, a good measure of success needs to have been achieved across all the previous components].
In any strategic planning cycle, performance and strategy re-assessments are a vital component in keeping a strategy effective and up to date. Few organisations take a holistic view when assessing the effectiveness of their IT security strategy. I know “metrics” and performance assessment in the IT security industry have been debated since day 1, but let’s not confuse systems and detection metrics, to give a couple of examples, with a “strategy” level review.
An IT Security strategy should encompass a set of metrics that include benchmarks across the various phases and sub-phases of the strategy. The goal of the metrics is to help: define the strategy framework, communicate the strategy (by specifying performance measures), track performance (by collecting valuable information pertinent to the phase of the strategy), increase accountability (by linking metrics to performance appraisals and business plans) and align the objectives of individuals, teams and the organisation itself. In most cases this is easier said than done, but investigation should still be undertaken into the creation of a metrics and strategy re-assessment process that covers, at a minimum:
1. Articulation of the Security Strategy.
2. Translating Strategy into Desired Outcomes.
3. Devising Metrics.
4. Linking Metrics to Leading and Lagging Indicators.
5. Calculating Current and Target Performance.
(based on work done by Rayport and Jaworski, eCommerce)
By nature of doing business electronically, an organisation cannot remain secure without a proactive plan / strategy that takes a holistic and enterprise view of the risks the organisation faces.
A strategic framework is vital in the field of security management because it provides a structure to help analyse the complex requirements and highlights the dimensions of importance. An effective strategic security management framework is vital in describing the business’ short and long term plans to secure its environment: what its goals are, how it plans to achieve those goals and how it will continue to achieve new goals required to keep pace with evolving security challenges. It should be linked to other strategies within the business, such as the relevant components of the overall corporate strategy and the IT strategy, and to the functional strategies that will evolve from the security strategy itself.
As I said, managing security around a framework will not in itself solve all the problems, but it is the start. Without one, organisations will continue to flounder around a bunch of disjointed practices, rarely relating to each other and with little context to the overall objective of securing the whole business environment.
We could start talking about the legal and regulatory environment and how it relates to and impacts upon the above, but we’ve beaten that topic to death for years. Maybe it’s time we did an update on that area, but we’ll save that for another time.