2012 has been a tough year for IT security and the trend seems to be continuing into 2013. We have now become accustomed to groups such as Anonymous that have wreaked havoc on a number of large government and corporate organisations. A new frontier in cyber threats has opened. The driver for cyber intrusion is no longer fame, but theft of intellectual property, financial information, blueprints and other classified information for financial gain.
Within the article, I will cover five challenges that are currently facing CSOs and suggest some solutions to these.
The Ever Increasing Threat Landscape
Problem: The threat landscape seems to be growing exponentially. The rise of Advanced Persistent Threats has opened up a new frontier in cyber threats where the driver for cyber intrusion is no longer fame, but is more geared towards stealing Intellectual Property, etc. for financial gain. And then we had Stuxnet, Duqu and Flame, which changed the face of modern warfare and propelled it into the cyber age. Considering these new threats begs the question – what do we do?
Solution: The game may have gotten tougher, but it is still the same game. In order to mitigate these threats, organisations need to take a methodical approach to IT security. A simple security framework, such as the one described here, would help. Start off by referring to and using a globally accepted standard such as the ISO 27000 series or COBIT. Using the guidance and controls contained within these bodies of knowledge, perform a risk analysis to assess how strong your organisation’s security controls are compared to how strong they should be as described by these standards.
Taking a risk based approach is critical to IT security, as it is often hard to justify IT security spend. IT security is like insurance – we seldom see the benefits, as we are spending money to avoid ‘something’. That is why it is important to understand what it is that we are avoiding and, if this event occurred, what the cost to the business would be. Also ensure that you understand what you are protecting and why. Classify your information, at least at a high level. Understand what this information is and how critical it is to your organisation. Without this understanding a risk analysis becomes very difficult to conduct, as you do not know what you are protecting and why. The why is important as well, as this is what you use to determine the controls that you need to apply to protect the information. There is no point spending more money to protect the information than it is worth.
Once you have identified the control gaps in your organisation, put a security roadmap in place to address these. Treat this activity like a program of works with the appropriate discipline applied. Link each initiative and project to clearly defined business outcomes and measure and demonstrate Return on Investment in terms of the risks that are being mitigated relative to the value of the information being protected. The project is likely to span 18-24 months and should cover people, process and technology.
Once you have remediated the gaps, then the real work begins. There is a famous saying that the wise look for the next highest mountain to climb once they have conquered one, and the next process is not too dissimilar! Once you have addressed the gaps, the maintenance phase begins. Ensure that you have a plan in place to monitor your security environment for threats 24x7 so that you can activate the relevant countermeasures. Review your environment through activities such as a risk analysis, vulnerability analysis and penetration testing at least every six months to ensure that nothing has deteriorated. Pay particular attention to user education, as users can usually be the weakest link in the chain, and to disaster recovery considerations, since if the worst were to happen you will need a plan to bring things back up again. Only with this methodical approach can you thwart the ever increasing risk of cyber threats.
More Compliance Burden
Problem: PCI DSS, HIPAA, SAS 70, SOX 404 – the list goes on. With so many compliance requirements now being heaped on organisations, how does one stay on top of these? The questions that arise include:
• What do all of these mean?
• Do they apply to me?
• What do I need to do to comply?
• How should I budget for these?
• Where can I get resources to achieve compliance?
• How do I keep the rest of the IT function going?
Solution: The reason why I have spent a bit of time on the previous section is that all of the above can largely be covered by the process described above. Compliance only becomes a burden if it is treated as a ‘tick box’ exercise and not integrated within the overall security framework. A robust security framework will more than cover any compliance requirement.
Compliance requirements typically only specify minimum standards whereas a security framework should be geared to achieve more than this. And if you are failing to meet your compliance requirements, then you are not protecting your IT environment adequately and a security framework is either not in place or implemented incorrectly. So the trick here is to integrate your compliance requirements into your overall security framework. Satisfaction of these requirements, including resourcing and budgeting for them, will be achieved as a by-product of your security framework.
Having to do more with less
Problem: The GFC saw a worldwide squeeze on IT budgets, and this trend seems to be continuing with the current state of the global economy. Unfortunately this has become a double edged sword: while budgets are being constantly squeezed, security threats are ever increasing. Interestingly enough, there is a correlation between a weak global economy, high unemployment and cybercrime. All of a sudden you have a whole bunch of talented people with no source of income, with some of them turning to crime as a means of supporting themselves. So the question arises – how do we balance the IT and IT security needs, and the books, at the same time?
Solution: This particular issue requires an innovative approach. I have seen some companies leverage a combination of onshore and offshore resources to support the entire employee base. Today CIOs and CSOs can explore a structured global sourcing approach. With a combination of onshore and offshore resources, balance in terms of cost and security can be achieved. Specify relevant performance and security standards and outsource the ‘rudimentary’ components. Maintain some onshore resources to perform governance over the work performed offshore to ensure quality and security. Remember: the key to a good outsourcing methodology is to outsource the work, not the accountability, so that you stay in control. A similar model lends itself well to managing and monitoring security logs and events. It is often cheaper to use a specialist provider of managed security services, who can lower costs by providing a cost leveraged model, as opposed to having these costly resources in house and having to retain them.
Lack of Skilled Resources and Staff Retention
Problem: IT security resources tend to be quite scarce in the market and costly. Furthermore, due to this scarcity, these resources move about in the market quite a bit. Finding scarce resources and then having to replace them can be quite a costly and time consuming exercise.
Solution: Implement a talent recognition program and an employee development program that recognise and reward performance above market standards. Remember, monetary rewards alone will not retain staff. Providing an interesting environment to work in and other non-monetary benefits such as flexible working hours, gym memberships, etc. will go a long way towards retaining key talent. Security staff tend to be hungry for knowledge, so having a good staff training and development program is essential. Having well engaged staff has its benefits, as they tend to stay and spread the word, which in turn helps attract more talent into the organisation.
Consumerisation of IT and New Technologies bringing New Challenges
Problem: The last 12-24 months have seen a number of consumer IT devices creep into the organisation. Many of us have staff walking around with personal iPhones, iPads, etc. that are connected to the corporate environment. Furthermore, related to the above point, it is almost mandatory to allow staff to bring their own devices into work in order to retain them! Add to this the cloud phenomenon and you have a paradigm shift in IT security that requires a completely new approach, as outlined below.
Solution: Bring Your Own Device (BYOD) requires a layered approach to security. Having robust policies in place that are clearly communicated to staff is key to ensuring that staff know their obligations and do not put corporate information at risk. Providing some level of security on the end devices is required as well. Technology in this space is maturing slowly, and there are a variety of Mobile Device Management (MDM) solutions in the market that can help. Finally, secure your internal network and corporate assets: treat all user devices as untrusted machines and segregate your corporate information accordingly.
The second item I touched on earlier is cloud. It is important to take a business-driven approach to cloud adoption. Understand the value of your information. Understand the controls you need to apply to protect it (as dictated by the security framework discussed earlier) and only put information in the cloud that can be secured to the standards that you dictate. Without a doubt there are cost savings to be had, but make sure you have considered the following risks:
- Non-compliance with Privacy and other relevant laws
- Loss of Intellectual Property
- You will be subject to local laws where data resides – data protection laws, redress issues
- Ambiguity surrounding data ownership esp. upon sale or bankruptcy of provider
- Lack of a robust infrastructure and/or DR provisioning
- Complexity and lack of control when logging and monitoring data
- Adequacy of security over data
- Separation from other cloud provider’s customers
Within this brief article I have tried to cover what I believe are the top issues facing CSOs today. With considered and careful effort these issues can be overcome, and could be turned into an opportunity for the organisation if managed well.

About the author:
Ashwin Pal is a Service Line Manager with Gen-i and specialises in information risk management and IT security consulting. Over the past 15 years, Ashwin has worked with multiple Tier 1 organisations both here and in NZ to design and implement their security frameworks, architected technical security solutions in support of customer security frameworks, written security policies, developed and implemented security review programs, and designed and performed a variety of technical and business focused security reviews. Ashwin’s passion is taking security related business requirements and architecting technical solutions to satisfy these requirements.
Ashwin is a CISSP, CISA, CGEIT, CRISC, CSSLP, CCSK, C|CISO, PCIP, ITIL.