With the number of cyberthreats constantly on the rise, maintaining effective IT security has never been more challenging. Within many organisations, it’s resulting in growing feelings of panic.
For CIOs and CISOs, the task can be daunting. They must balance the requirements of the business for flexibility and agility with the need to ensure core data and applications are secure at all times.
As well as the constantly evolving threat landscape, IT security teams must also work through an increasingly complex mix of security products and services. With established players extending their offerings and new vendors constantly appearing, figuring out the best options can become a full-time job in itself.
For senior executives and board members, compliance is just the beginning: Boards need to provide confidence to shareholders, customers and partners to ensure that the business can continue to reach its goals. Suffering a cyberattack can result in anything from short-term disruption to significant financial damage. It’s clear that security has evolved from being an IT problem into a business problem.
Taking a framework-based approach
Faced with this growing complexity, organisations need to take a different approach to their cybersecurity activities. While purchasing and deploying tools and services on an “as needed” basis may have been sufficient in the past, a comprehensive security framework is now required.
A cybersecurity framework is a formal process that matches up business risk with IT security controls to treat the risk. Properly implemented, a framework will provide guidance on both the selection of appropriate security controls as well as the operational actions required to ensure control continues to minimise risk throughout its lifecycle.
A cybersecurity framework that is becoming increasingly popular within Australian organisations is one developed by the US-based National Institute of Standards and Technology (NIST).
The core of the NIST framework comprises six key functions that, together, deliver robust security protection. To be undertaken concurrently, the functions are:
- Identify: Not all assets are worth protecting. Not all assets are threatened. Identifying where those two intersect is the key to effective and efficient security. All elements that need to be protected should be identified and documented which then provides a solid foundation for the other functions. Each element must be understood in a business context so that any disruption that could occur can be quantified.
- Protect: The organisation should draft and implement appropriate safeguards that will ensure the delivery of critical services in the event of a cyberattack. This will help the organisation limit the potential disruption and allow core activities to continue.
- Detect: The IT security team should put in place tools and processes that will allow it to rapidly detect and identify a cybersecurity event if one occurs. This would involve the deployment of monitoring tools that can alert staff should an anomalous event take place or unusual network activity be noticed.
- Respond: A thorough list must be developed of the steps that will need to be taken if and when a cybersecurity incident happens in order to minimise impact on the business and other stakeholders. As well as the technical aspects, the list should cover what will be required from areas such as human resources, public relations and legal affairs.
- Recover: Steps need to be taken to develop and implement appropriate measures to ensure the organisation can return to normal functioning as quickly as possible after an incident. These steps need to cover everything from the restoration of IT infrastructure and applications to the notification of any affected customers and partners.
Keeping a business perspective
As well as providing a blueprint for an organisation’s IT team, a comprehensive security framework will provide clear guidance for all business groups.
Should a cyber incident occur, it’s likely there will be widespread confusion and even panic. A framework can help to avoid this by giving people a clear perspective on what they need to do and when they need to do it.
For example, should devices become compromised by an attacker, it might be tempting for users to simply switch them off. However, this approach could actually be detrimental as it may make it more difficult to determine whether the attack falls under "eligible breach" definition for mandatory data breach reporting laws.
From the management perspective, it might be hard to know how to respond to media enquiries or calls from distressed customers in the aftermath of an incident. By having in place a framework that clearly spells out the steps that should be followed, any miscommunication can be avoided.
Organisations that adopt a framework approach to cybersecurity will be much better positioned to deal with new threat and challenges as they emerge. Doing the groundwork now will result in a more secure future.