In a recent article published on CSO Online, I reflect on several issues that the security industry is currently facing. Given the almost daily headlines about data breaches, it is obvious that there is a need for a new way of thinking and executing. However, all too often the majority of security folks are “cementing” the status quo.
Compare the PCI DSS, with its network segmentation, encryption, no-storage and similar requirements, with health care’s HIPAA law (with its Privacy and Security Rules, further defined by the HITECH Act), the financial sector’s realm with SOX, or the professional service provider’s SSAE 16 (formerly SAS 70): it is clear that almost all of these reactive regulatory pieces are desperately needed to protect the third party’s (the consumer’s or patient’s) best interest.
However, no one seems to think about better processes to perform electronic remote payments, or to create, access and process health information only where and when needed and store it on a patient-controlled mobile device with military-grade encryption.
Why do we allow banks, credit bureaus, insurance companies, doctors, health plans, utilities, and many other entities to misuse our Social Security Numbers (SSNs) for either authentication or verification purposes, thereby creating nothing but the potential for fraud and ID theft?
These are all reactive and ineffective controls. Instead, one should ask: “How can we make sure that processes are designed and built so that they are secure and can’t be overwritten or fumbled with by management, IT super-users, or others?” and “How can we control, access and publish the financial parameters of a company (entity) so that they become early-warning / leading indicators, and ensure transparency to all, so that ‘insider trading’ and similar threats are not possible by design?”
We should create systems and processes where every change is 100% detected, tracked, and managed (accounted for), so that misuse, fraud, insider trading, etc. are not possible. In my new book I show ways we can build in security by design. Here on The State of Security I have written about security architecture before, and I would like to explain more about the strategic approach to systems and processes.
There are certainly several ways to get from point A to point B – and the direct way is not always the best one. It’s important that you are capable of “thinking outside the box”: adapt your strategy to the situation at hand, and if the books tell you otherwise, think about what is the best and right way forward in the specific situation your company is in at this time.
Of course, doing the BIA (business impact analysis) first has a lot of value and will give you all the reasons you can think of why and where to spend the money – but the reality is that a well-done BIA takes a lot of time and requires (to be honest) a full-blown process analysis, which rarely has been done before you joined the enterprise. It therefore may well be necessary to define the org chart (book chapter 12) and put policies (book chapter 15) in place (governance is highly important), even when you couldn’t do the full analysis work beforehand.
I created the chart below (Figure 1) and have tested the approach in a real-world setting – the outcome was highly successful, and so I share it here to help you. It is still aligned with the widely adopted COBIT processes, and from a 36,000-foot view you will find Plan-Build-Run-Monitor in all successfully run corporations. Feel free to adjust the given examples to your world and also to shift some items around where you see fit.
An important point is to make an impact and improve the overall security situation as soon as possible. This will then build your credibility bank, which is quite important at a later stage when you need to leverage those relationships and trust:
This approach follows the basic steps of defining and building the right security organization (and may very well entail changes to the current org chart). Set and approve the top level, detail the security policies (standards, procedures), and perform a process analysis, followed by an analysis of the supporting systems of those processes.
Comparing these analysis results with your policies (or at least your vision) will provide you with probably many “audit” findings, which in turn lead to remediation projects. What you don’t measure you can’t manage, and to be able to manage your security program you therefore need KPIs (key performance indicators) or similar parameters which help you analyze whether your program is successful or needs adjustments.
Over time (including the long term), these will help your program nurture and stabilize the patient (the enterprise) and will prove that the investments have resulted in actual improvements of the risk profile. I provided several KPIs in my book in Chapter 23 for those who are interested in the details.
Finally, since the world keeps turning and technology develops quicker than ever, new risks will be introduced and will need to be addressed, so it is important to always keep a close eye on the risk continuum and new developments – maybe you need to adjust your organization, policies, etc. – and there is your security cycle: a new round of improvements.
Thus far this has been about the strategic approach. Culture and behavior will also always play a big role because we are all human – we need to educate people as to what is ethical, what integrity really means, what a human being is capable of when incentivized (either correctly or incorrectly), and continually develop, build, perform and improve all of our behavior.
We should also accept the fact that there is always room for improvement, and cementing the status quo is absolutely not an option. Should you be facing statements like “This is the way we operate” or “We’ve always done it this way!” you should definitely defeat them.
If you’re a leader, you’ll influence and change that culture and behavior in your organization over time. So I challenge you to not accept the status quo but to instead ask the right questions, come up with new approaches and ideas, develop well-thought-through and well-designed processes, systems, and controls. That will improve security over time so that we can overcome the current crises.
About the Author: Michael S. Oberlaender (@MSOberlaender) is a world-renowned security executive, thought leader, author and subject matter expert who has worked in executive-level security roles (CSO/CISO) both in the US and the EU (Germany) and in IT for over two decades. Most recently he has been serving as Chief Security Officer for the largest European cable network provider (Kabel Deutschland AG) in Munich, Germany, and before that served as Chief Information Security Officer for FMC Technologies Inc, a leading oil field services and engineering company in Houston, TX. Prior to that he was the Global IT Security Manager for Heidelberg Americas, Inc. in Atlanta, GA – the US subsidiary of Heidelberger Druckmaschinen AG – the world leader in printing press manufacturing. Before that he worked several years as Project Leader Security and Networks with Suedzucker AG in Mannheim, Germany, the world market leader in sugar and Europe’s largest food company, where he planned, built and ran their complete Internet connectivity and DMZ solutions. He has more than two decades of professional IT experience, is a member in good standing of (ISC)², ISACA, InfraGard, and several industry associations, and is certified CISSP, CISM, CRISC, CISA, ACSE, and GSNA (all current and in good standing). He holds a Master of Science (Physics) from the University of Heidelberg, Germany. Michael is a dual citizen (US and German) and speaks fluent English and German and fair French, and is continually learning Spanish. When he is not at work, at conferences or chapter meetings, managing crises or otherwise busy, he enjoys relaxing with his family. Michael is also the author of C(I)SO – And Now What?: How to Successfully Build Security by Design, which is available at CreateSpace and Amazon, and from which the above article has been extracted with his permission.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.