The one constant in technology is that nothing is constant. Change is happening faster and faster all the time. All portions of the business should be looking to wisely leverage new tech (e.g. cloud, mobility, blockchain) to better serve the market.
As security champions, we’re also excited about enabling new business, but we need to be sure it’s done in a methodical way that is safe and that meets current and expanding regulations. You need to champion and be actively engaged in these emerging technologies to ensure adoption doesn’t add risk. Burying your head in the sand will only encourage your employees to circumvent existing controls. Here are some of the things we think security leadership, such as Chief Information Security Officers or Chief Information Officers, should be thinking about:
Organizational Security Maturity:
- Moving ahead of tactics and compliance
- Risk based approach to security
- Security as a part of the culture
- Commitment and education at all levels, especially with Board and CEO
- Depends largely on maturity and budget, and the experience of all involved
- Acceptable Use Policies (Include in Company Handbook for employees to sign)
- Supply chain vetting, contractual language for providers
- Breach Notification
- Corporate board oversight and communications escalation
- Rules and Audit
  - No circumventing security controls, no running cryptominers on enterprise assets, etc.
  - Working through a central organization to instantiate cloud services
  - Control and enforcement around Shadow IT
- Enterprise Security
  - Confidentiality, integrity, availability, accountability, etc.
  - Physical, disaster, and other risk (such as financial) might be in the CISO’s vision too
- Product Security
  - Application Security to protect users/customers must be taken seriously
  - Finding a CSO that really gets product security might not be easy; many have more of an IT security background than a developer background
- SOC 2 (Service Organization Controls) – a specialized audit that the US requires for certain industries that deal with sensitive data, especially financial services. It impacts other businesses for risk and SOX compliance reasons – SOC 2 compliance of external vendors can be a component of SOX compliance, standard audits, or general risk management.
- EU GDPR (European Union General Data Protection Regulation) – a new major regulation going into force in May 2018 that reaches far beyond the EU. See our previous blog post on “What’s Hot in Cyber” for more detail.
- US state-specific privacy laws – currently there is something of a patchwork of privacy laws across different states. Some, like California’s (CA SB 1386), require disclosure of any exposure of CA citizens’ private information. These laws are currently on the rise across the country.
- Industry specific
  - HIPAA, PCI, DFARS, etc.
    - HIPAA (Health Insurance Portability and Accountability Act): health care specific law that regulates the management and protection of sensitive healthcare-related data.
    - PCI-DSS (Payment Card Industry Data Security Standard): compliance standard created by the credit card processing industry that applies to security in handling credit card processing. Important because of its mandated security testing.
    - DFARS (Defense Federal Acquisition Regulation Supplement): provides a “basic” set of security controls for contractor information systems. Applies to any organization doing business with the DoD.
Business Need vs. Budget:
- At a high level, security should be connected to business
- Prioritizing actions based on risk
- Where do the crown jewels live
- Octave – A tool for assessing an organization’s information security needs
UEBA (User and Entity Behavior Analytics)
- Similar to DLP, helps establish baseline behavior across a network to detect anomalies
- See our discussion in “What’s Hot in Cyber” for more details
Defense in depth
- Architecture, people, and processes need to be considered
Assembling the team
- Recruit, train, and retain
- Look for the right partners
- What to keep in house and what to outsource
Focus on the basics
- Strong access controls, data encryption, software updates and patching, threat detection and vulnerability management. Many companies are woefully inadequate about doing them consistently. More than 90 percent of attacks take advantage of vulnerabilities and weaknesses that could have been avoided. We see this all the time in our penetration testing practice.
- Expedite manual efforts through automation, if the process is well understood
- Assumed breach mindset
- Leading indicators (patching, reconnaissance)
  - Applies both to the security and the development apparatus
  - Gathering data to make sense of efforts and issues
  - Standings, on-going, etc.
  - Be careful with these: you want a culture that rewards finding issues, not covering them up. You can’t claim ignorance.
- Kill chain (detection/dwell time)
Investigating next-gen tech
- CASB, endpoint, firewall, etc. all have next-gen approaches – in many cases without clear winners as to which tech is best
- Setting up systems, tools, etc. as needed
- Administering and monitoring tools
- Asset management
- Product security assessment
- Backup / DR fire drills
- Vulnerability management programs
- Code audits
  - Static/dynamic analysis, etc.
- SOC for the enterprise
  - Log and capture to SIEM (most are migrating to Splunk)
  - Response engineers for development teams
  - Providing metrics back up to higher layers of the organization