Essential considerations when making changes to security

When it comes to security policies and practices, there are rules (both written and unwritten) that need to be adhered to. An organization simply cannot implement changes to security on the fly as it could lead to disaster. Yet, there are times when changes are necessary, or mandated due to an incident response plan. In that instance, what should business leaders be focusing on?

[Security spending continues to run a step behind the threats]

CSO recently posed a hypothetical question to a few sources. When it comes to adjusting or adapting a security policy -- that is, changing what's already in place due to any previously unforeseen event such as a security breach, downsizing, employee termination, etc.--what are some key considerations that business leaders need to focus on or keep in mind?

"Start with first principles. Understanding what matters to an organization (PII? PCI? Intellectual Property?) is the jumping off point for a robust and modern set of security controls, and absent focus, organizations tend to react to incidents rather than organize a coherent set of investments and behavioral changes that will yield measurable results," explained Kevin O'Brien, enterprise solution architect, at CloudLock.

After that, he added, "Know where you want to be as a result of your change, and ensure that you can apply metrics to it... Security is often at the junction of what end users are interacting with, and how; it makes sense to control for data walking out the door via print-outs if and only if your users are physically accessing files in an office with a printer, for example."

Otherwise, modern environments tend to be highly distributed, and platform solutions (Salesforce, Office 365, Google Apps, etc.) define both the types of data that matters to ordinary users and the mechanisms through which they can access and externalize them.

"A robust security plan will address those environments specifically, and provide a means of measuring incidents and responding to them in real time," O'Brien said. But don't confuse auditing with control.

"Insight is not security on its own. Security policy should not only lay out what may or may not be exposed, but also how a breach or loss will be addressed, both in the short term to limit the damage done, and over the longer term to mitigate the exposure vector and reoccurrence risk."

[CSOs face ongoing paradoxical challenges, according to report]

Given the same hypothetical question, Michael Daly, the CTO of Cybersecurity and Special Missions for Raytheon, told CSO that business leaders should capture metrics on the current environment in order to understand compliance to the current policy. From there, the organization would need to project the state of compliance with the draft policy. While this happens, the organization should "avoid creating any policy for which you cannot measure your compliance."

"Understand the relationship between your draft policy and the legal frameworks (law, regulations, executive orders, national standards) in any area where this policy would apply, including your enforcement mechanisms; for example, if you create a new policy that will involve monitoring the use of the Internet, be sure to take into account the requirements for employee notification, data protection, data retention restrictions, disclosure requirements, etc," Daly explained.

[3 habits of successful data center security teams]

Moreover, organizations should have a communication plan to notify employees (as well as suppliers and partners if needed) of the change in policy, the reason for the change, and how they can comply, Daly said.

"Communications should be very brief. Avoid policies for which compliance requires extensive communication or training," he said.

Organizations should also avoid creating policies that require persistent exceptions ("waivers"), and avoid policies that cannot be implemented with controls that prevent deviation. Compliance should be automatic and transparent whenever possible, Daly said, adding that business leaders should "make it easy to do the right thing."

When posed with our hypothetical, Eric Cowperthwaite, the Vice President of advanced security and strategy for CORE Security, highlighted three priorities: impact, cost, and the Law of Unintended Consequences.

"As an example you want to roll out a new password scheme changing passwords from 6 digits to 8 to improve security. If you are dealing with a smaller organization, this task is not that daunting but as soon as you get involved with a geographically diverse organization, or a company with many departments this becomes a more difficult task," Cowperthwaite said, explaining the impact side of his answer.

"For these larger organizations you need to conduct a business impact analysis. As part of that analysis you need to figure out how to roll out the changes, the impact of the changes, deployment issues, and communications for the changes," he said.

Sticking to the password example, Cowperthwaite mentioned cost as another consideration, pointing out time as a key expense.

"If we ask 100k people to change their passwords how much time will that take? What is the cost of that lost productivity? Does the cost in lost productivity outweigh the benefit of a more secure system? A cost-benefit analysis is needed. In some regulated industries, there are mandated staff ratios that need to be maintained, if you take a person off the job for a training session or update class, you need to backfill that position to maintain compliance."

[6 essential components for security awareness programs]

As for the Law of Unintended Consequences, Cowperthwaite kept to his password policy change example, and pointed out the fact that the organization will need to deal with the possibility of legacy systems that cannot adapt to the new policy, as the character requirements for passwords are too large. Moreover, there are the possible behavioral changes that the policy will create, the hold-outs who never get around to changing their passwords, as well as debate between longer, simpler passwords and shorter more complex passwords.

"In a large organization even a seemingly small change requires massive amounts of planning," Cowperthwaite said, hammering home the downside to an ever-connected business world.

Join the CSO newsletter!

Error: Please check your email address.

Tags security

More about CSOGoogleInsightRaytheon Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Steve Ragan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place