Written by Corinium on Nov 19, 2019
The intensity of these events is growing, but these are all simply examples of threats against your business. An effective security management program (ISMS) allocates budget and resources to existing and new threats as they become or are predicted to become relevant to the specific business model that is being protected.
First understand the key commercial objectives of the business, and then ensure that you have a solid position on cyber and information security threats to the achievement of those objectives. There will always be a technical element to information security management, but if you cannot be heard as a proponent of business risk reduction, then you risk becoming just another IT stream. Effective security program delivery can prove that security risk has been reduced, and that security event and incident recovery will minimise the impact and effects of any actual incident, should one occur. Informing the business of this objective requires communication and partnership. It also requires a separate but very similar partnership with IT.
I disagree. Cloud security offers an opportunity to re-assess a majority of the technical and procedural controls that have become almost mandatory for effective security delivery over the past ten years. If these are seen as spaghetti requirements, then it is very likely that existing ‘data centre delivered’ security controls may not be delivering what was expected. Understanding who needs and who has access to your information systems, their role and behaviour is not a new concept, it is however a minimum basic cloud control. This in addition to identifying the business and regulatory aspects to the protection of all information that will be located within cloud environments. Lessons from cloud security information architecture and processes always offer benefit to legacy internal controls, both simplifying and strengthening them.
If the principles described within the response to (9) are followed there is a foundation for a value based dialogue with the non-technical executives. This is probably the most critical lesson to take forward. Non-IT executives have little or no interest in the technicalities of IT, or indeed any cost that does not represent a nett benefit. Profit/Loss/risk indicators define your direction.
Security priorities must always align with those of the business itself. Any information security strategy must be based on measured reduction of identified business risks. If you are unable to express how security systems and resources will both enable rapid progress and help protect and retain profits then you are simply offering another type of IT deployment, but practically one with little direct visible return.
Effectively and successfully outsourcing information security management requires the same level of understanding as building it yourself. To be successful, any security outsource must measurably protect a business against threats to its core business objectives. This is not simply buying IT security systems; it is an active delivery of risk reduction. If that risk reduction is not recognised as the primary driver, then security outsource is rarely effective, and often more expensive than initially anticipated.
Resilience, Patience, Understanding, Competence, Stubbornness, and Persuasion, in combination with an open willingness to listen, explain, re-explain and repeat the communication of these attributes to the business.
Emerging risk identification is part of any conventional ISMS. Any security program that does not recognise that security is a continually evolving process, and not just a set of technology deployments, has probably failed.
As long as communication to the board is based around opportunity and risk any topic is valid. Avoid any non-risk tactical discussion that is just about technology and metrics.
In My View…
Defining, creating and implementing a full business-risk-aligned information security strategy that both supports the business and offers protection and risk reduction.
There are many, but probably the most significant in terms of proven value and achievement of objectives have been the deployment and operation of Access Governance platforms that are both accepted by business and deliver ongoing practical and tangible benefits that greatly exceed their annual cost to deliver.
Just another threat to be evaluated and placed in a risk context appropriate to our business.
Traditional IT Security always focussed on perimeter protection, and was often infrastructure based. Contemporary Information security focusses on protecting the value of information. Internal actors often have a greater perception of that value, and significantly greater opportunity and visibility to exploit vulnerabilities in its protection.
An active awareness of what can go wrong, and how and when it will go wrong. Effective information security management requires a solid understanding of risk, as well as a good understanding of both technology and human nature. An ability to express and communicate these is critical to a successful career in security.
First understand what you are trying to protect, and how it needs protection. Any security product must deliver recognised and measured reduction against risks that are real for YOUR organisation. Ideally this discussion should not be controlled by the company that is trying to sell you a product.
Explaining that simply having IT security platforms deployed is not a solution on its own is the greatest challenge. Although Information security will inevitably require a significant investment in security IT, just having those tools does not deliver security risk reduction unless they are used within a monitored and managed ISMS framework.