The following is a guest post by LogRhythm, a 2016 Secure360 Twin Cities Platinum Sponsor.
The threat landscape for 2016 hasn’t really changed, except for a few minor adjustments. We are still seeing nation state threat actors, financial crime groups, hacktivism, terrorist organizations and commodity threats (e.g., CryptoLocker).
The majority of these groups are just using variations of the same tactics they’ve always used to infiltrate organizations. As a society, we have a newfound knowledge, visibility and awareness of these threats—but the threats themselves are not new.
Unveiling the dangers of security intrusion in control systems
The media has done a phenomenal job of helping information security professionals send the message about what a successful intrusion could mean for a brand. It took a few companies serving as cautionary examples for others to realize that the threat is real, that they can be targeted and that they don’t want it to happen to them.
It takes a business-savvy security professional to translate what executives and the board hear in the news into what it could mean for their own business.
Any security professional who assumes that executives fully understand information security and all of its jargon is foolish. The universal language of business is dollars and cents, not risk and risk mitigation.
A security professional can raise awareness about the dangers of a successful intrusion and translate an event into direct business impact.
Strategy first
The first step in building security for the enterprise is to develop a strategy. The information security strategy should be fundamentally built on the risks, threats and impact to the core business.
A business impact analysis can help you to understand how the business operates from a people, process and technology perspective and map your strategy to that.
By aligning your strategy to what’s important to your business, not only will you know what to protect and how, but you will also gain support from executives. In the end, that is what should be important to you.
Once you understand the risks, threats and impacts to the business, then you can map the people, process and technology strategy accordingly. Once you have the complete strategy built, then it’s all about execution, which is the hardest part.
Role of the government in augmenting network security practices
I see a number of companies being considered “critical infrastructure” now. The Department of Homeland Security (DHS) defines critical infrastructure as “the backbone of our nation’s economy, security and health.”
Healthcare was only added a couple of years ago, and today we’re seeing companies like Google and Facebook included, or they will likely be included very soon. When a company is tagged as “critical infrastructure,” the government enforces higher cyber security standards, but it also invests heavily in helping the company meet those standards.
The above items are in addition to more stringent controls being added to PCI, HIPAA, NERC-CIP and other regulations that are already out there. Failure to comply with a regulation can have a direct and negative impact on a company’s bottom line.
Takeaways from cloud security strategies
Moving to the cloud can be an effective and secure strategy. Oftentimes, the right cloud provider can protect your data better than you can. However, don’t always make that assumption.
When moving to the cloud, it is even more important that you understand your business and the business impact. The grueling work you put in up front with contract negotiations will pay dividends on the back end.
Bake security requirements and controls into the contract, establish security baselines and security service level agreements, ensure the provider is SSAE18 SOC1 and SOC2 compliant, and make sure it can meet your specific regulatory requirements. The front-end due diligence in evaluating a cloud provider is critical for long-term success.
Decoding the duties of CISOs and CSOs
My role and the general CSO role have changed exponentially in the past four or five years. From an organizational perspective, security is at the forefront and no longer takes a backseat to IT or other administrative positions.
The CSO presents to the board and can impact the overall direction of the business. If an organization is looking to go international or acquire another firm, security is now included in that decision.
From a technology perspective, the CSO is still charged with protecting the entire organization. As the rate of technology advancement increases, the landscape of what must be protected increases.
It’s no longer just about protecting IT resources. As we are now seeing in the new world of the Internet of Things (IoT), the blend of consumer and corporate technology within an organization is an interconnected web.
The CSO must work with the facilities unit on its Internet-accessible HVAC systems and thermostats, for example. And the CSO must be aware of medical devices that roll around on carts with one end attached to a patient and the other end attached to the network.
All of the consumer devices that people now use are integral parts of their day-to-day jobs. Companies are introducing smart devices one after the other without thinking about the unintended consequences, and the CSO is responsible for it all.
The Security Intelligence Maturity Model™ (SIMM™) provides a systematic guide for an organization to assess and, in turn, actively achieve a heightened security posture. Understand your business risk and discover the state of your organization’s cyber security posture.