Implementing top-quality information security is like playing a high-stakes game of chess: a smart strategy, the right technology and an unwavering focus on adversaries are all a must. As a company stalwart, you need to recognize that both the game and the opponents in the game are constantly changing, so you will be required to play by new rules and bring far more advanced skills and strategy.
Achieving the right information security within the enterprise is becoming almost impossible for most companies and organizations, because the rules of information security are constantly shifting, opponents are now armed with more sophisticated technology and skills, and the risks are greater than ever.
The last few years of global economic downturn have further added to the gravity of the situation. While the threat landscape is rapidly evolving, businesses are clearly falling behind: their defenses have weakened and their information security practices have been dulled by long periods of tighter budgets and truncated information security projects. At the same time, their adversaries are becoming ever more sophisticated, routinely breaching the defenses of business ecosystems and leaving many companies with huge reputational, financial and competitive damage in their wake. People who know the field also know that the bad guys appear to be leading the game.
Before embarking upon what it takes to achieve the right information security, we can candidly state that risks are neither well understood nor properly addressed, even by the companies who think of themselves as 'front-runners' in information security strategy and execution. And the odds are heavily stacked against them. Too often, and for too many organizations, diminished budgets have resulted in degraded security programs.
The number of security incidents is on the rise. Given today's elevated threat environment, businesses can no longer afford to play a game of chance. They must prepare to play a new game, one that requires advanced levels of skill and strategy to win.
Snapshot of current information security scenario
- While reported security incidents have increased drastically, financial losses due to security breaches have decreased significantly. But the approaches to measuring these losses are often incomplete.
- There has been a long-term decline in the use of some basic information security detection technologies. That's like playing a championship game with amateur sports equipment.
- Organizations are pruning their rulebooks, with some once-familiar elements of information security policies becoming less common.
- Safeguarding information is easier when you know where that information is. But organizations are keeping looser tabs on their data now than they did in years past.
- As mobile devices, social media, and the cloud become commonplace both inside the enterprise and out, technology adoption is moving faster than security.
- Company reputation is roughly as important to budget-makers as business continuity process (BCP) and disaster recovery are. And a lot of organizations seem to spend on security because they are required to do so, either by regulators or by internal policy compliance.
- Most companies recognize that protecting customer and employee data is important, but far fewer understand what that data entails and where it is stored. This is significant because customers increasingly want to be in control of their personal data and able to "turn off" the flow of information from companies.
Key Challenges
Like many companies, your company might also exhibit the tendency to proclaim itself a front-runner and to overrate its information security practices. This is the biggest challenge.
Today's business environment commonly restricts the funds available for security, and in a challenging recruitment market this can mean that your company lacks skilled resources. Your CISO, or whatever title you give that role, will need help in terms of both skills and bandwidth. You need to make a number of technical capabilities available to resource the program; only then can the security team add value with strategy, planning, governance and risk management expertise.
Choosing a consultant that complements your strengths is another major challenge. You should strive to hire the services of a consultant who actually complements your strengths, existing skills, and capabilities. You should not treat them as a replacement for your own staff. Consulting firms should create advantage, allowing you to accomplish more.
Though global threats increase the CISO's sense of urgency to implement new controls, CISOs often lack strategic partners who can provide the necessary expertise in governance, risk management, strategy and security technologies to meet that urgency.
The sheer number of increased threats and new regulations is overwhelming many security programs. At the same time, skilled information security practitioners are difficult to find, so companies are having a tougher time staffing teams to meet these growing challenges.
An Effective Information Security Implementation
At the end of the day, information security is about the preservation of the following:
- Confidentiality -- protecting information from unauthorized access and disclosure
- Integrity -- safeguarding the authenticity, accuracy and completeness of information and processing methods
- Availability -- ensuring that information and associated services are available to authorized users as and when required.
It is about building appropriate mechanisms to protect all forms of information, whether on paper or electronic, so as to ensure business continuity and efficiency, and the avoidance of breaches of statutory, regulatory or contractual obligations.
Information security now requires strategic thinking, requiring the Chief Information Officer (CIO), along with the CISO and their team, to prioritize security spending and resources to meet business objectives. Experts have recommended a few practices for this new paradigm:
- You align information security with business objectives. Security has traditionally been understood as a technical sub-discipline within the company's IT department. Now, your in-house information security officers, or the IT consultants you hire, must be able to demonstrate that their efforts support the achievement of the company's business objectives, becoming a critical asset to your company's success.
- You develop effective security budgets and back them up with efficient resource allocation. With the rapid dissolution of the boundaries of the IT landscape, most CISOs find themselves wrestling with a mobile workforce, highly virtualized IT environments and various ecosystems procured from third-party vendors, all of which make it nearly impossible to secure every information asset at the same level. The order of the day is to find ways to prioritize budgets and judiciously spend the resources at their disposal where they count most for the organization.
- You ensure the buy-in of business units and compliance with regulations. Regardless of the solutions you adopt and the practices you implement, nothing will achieve much until effective information security behaviors are instilled in all employees and incorporated deeply into your organizational culture. You must seek to make information security integral to the way your people think and work; the objective is that it becomes second nature to them. Yet you should be prepared to acknowledge the gaps between your perception and reality by observing the routines and interactions that take place on an average workday within your organization. Remember: strategy and culture only pay off if execution is strong. All the security tools in the world can only do so much. Creating an environment of security and demonstrating adherence to regulatory requirements requires widespread involvement from staff.
- You sternly evaluate and manage all of your third-party relationships. Whether you are hiring third-party vendors or information security consultants to map out and implement information security solutions, or you are deciding to outsource some or all of your security operations, you must subject them to a very stern evaluation process before taking the final decision, paying special attention to how deeply security is embedded within the third party's broader corporate ecosystem.
- The onus of measuring the value of security implementation lies solely with you. It is the responsibility of the information security team to develop sound metrics and measurement capabilities for their implementations, so that they can make smarter decisions about how they allocate resources and demonstrate the ROI of each investment decision they make.
- You engage in benchmarking activities whenever necessary. Security benchmarking is the only tool you have to cross-check your information security capabilities, security budgets, staffing levels and results achieved vis-à-vis your peers.
Go beyond implementation
As discussed above, there has been a long-term decline in the use of some basic information security detection technologies. That's like playing a championship game with amateur sports equipment. A counter-intuitive trend of this era of information security has been the decreasing deployment of many basic information security and privacy tools. To some extent, this is probably a consequence of the last few years of tighter IT budgets. What is absolutely clear is the marked diminution of detection technology arsenals in recent years.
Not only have companies been emptying their information security toolboxes, they have also become silent witnesses to a grave relaxation of the policies that set standards across the enterprise. Many fundamental elements of information security policy have dwindled, sometimes sharply, over the past several years. For example, only around 50% of companies have security policies that clearly define backup, disaster-recovery and business continuity practices. At most companies, the policies governing user administration, application security, physical security, and management practices such as segregation of duties have all seen declines.
With social media, mobile devices and cloud technologies becoming more and more commonplace, both inside and outside the enterprise, the rate of technology adoption has skyrocketed, while security policies and practices continue to dwindle. Quicker than many think, the cloud will become part of the infrastructure of our daily lives, and of business too. Yet the number of companies gearing up to embrace all this by putting reasonable safeguards in place for mobile, social media and cloud computing, along with policies covering the use of employee-owned devices, remains stubbornly low.
At the technological level, you are advised to implement:
- Malicious code detection tools, i.e., anti-spyware and anti-adware
- Intrusion detection tools
- Tools to discover & disable unauthorized devices
- Vulnerability scanning tools
- Subscription to vulnerability alert services
- Data-loss prevention (DLP) tools
- Security-event correlation tools
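As an added illustration of what a security-event correlation tool does in practice (this is example code written for this article, not a product's code or the author's own), the script below reads constructed sshd-style log lines from several hosts, groups them by source address, and raises an alert when a burst of failed logins from one source is followed by a successful login within a short window. The hostnames, addresses, usernames, the threshold of four failures and the two-minute window are all assumptions chosen for the sample data.

```python
"""Minimal security-event correlation over constructed log lines.

Added example (not from the original article). It models what a
security-event correlation tool does: it reads events from several
hosts, groups them by source address, and raises an alert when a
burst of failed logins from one source is followed by a successful
login within a short window. Hostnames, addresses and usernames
below are constructed sample values, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample events in a syslog-like format (not real logs).
SAMPLE_LOG = """\
2024-03-01T09:00:01 web01 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:03 web01 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:04 db01 sshd: Failed password for root from 203.0.113.5
2024-03-01T09:00:06 app02 sshd: Failed password for admin from 203.0.113.5
2024-03-01T09:00:09 app02 sshd: Failed password for admin from 203.0.113.5
2024-03-01T09:00:40 db01 sshd: Accepted password for root from 203.0.113.5
2024-03-01T09:05:00 web01 sshd: Failed password for bob from 198.51.100.7
2024-03-01T09:30:00 web01 sshd: Accepted password for bob from 198.51.100.7
"""

# Assumed line format; real log formats vary and need their own pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(text):
    """Turn raw lines into dicts sorted by time; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, threshold=4, window=timedelta(minutes=2)):
    """Alert when at least `threshold` failures from one source (on any
    host) are followed by a success from that same source within `window`."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        for i, ev in enumerate(evs):
            if ev["result"] != "Accepted":
                continue
            start = ev["ts"] - window
            failures = [e for e in evs[:i]
                        if e["result"] == "Failed" and e["ts"] >= start]
            if len(failures) >= threshold:
                alerts.append({
                    "src": src,
                    "user": ev["user"],
                    "host": ev["host"],
                    "failures": len(failures),
                    "hosts_targeted": sorted({e["host"] for e in failures}),
                })
    return alerts


def detect(log_text=SAMPLE_LOG, threshold=4, window=timedelta(minutes=2)):
    """Convenience wrapper: parse then correlate."""
    return correlate(parse_events(log_text), threshold, window)


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

The point of correlating across hosts is that no single host sees enough failures to trip a per-host rule; only the combined view shows one source spraying three machines and then getting in. Tune the threshold and window to your environment, and feed the alert into ticketing or a SIEM rather than just printing it.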
You are recommended to categorically define and describe the acceptable practices in your company's information security policy concerning:
- Data & Information backup
- Disaster-recovery & Business Continuity Process (BCP)
- User rights & management
- Application-level security
- Regular review of users & access
- Physical security of IT assets
- Inventory of assets
- Change Management
- Classifying the business value of data
- Mechanisms to review and revisit the security policy
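The items on user rights, regular review of users and access, and segregation of duties can be turned into a periodic, scriptable review. Below is an added example written for this article (not the author's or any vendor's code): it reconciles an application's account list against an HR roster, flags dormant and orphaned accounts, and flags users holding a toxic combination of entitlements. All user names, entitlement names, dates, the 90-day dormancy limit and the toxic-pair table are constructed assumptions to be replaced with your own policy.

```python
"""Periodic user and access review with a segregation-of-duties check.

Added example, not from the original article. It reconciles an
application's account list against an HR roster, flags dormant and
orphaned accounts, and flags users who hold a toxic combination of
entitlements. All names, roles and dates are constructed sample data;
the toxic-combination table and the 90-day limit are assumptions.
"""
from datetime import date

# Constructed HR roster of currently employed users (not real people).
HR_ACTIVE = {"alice", "bob", "carol"}

# Constructed application accounts: entitlements and last login date.
ACCOUNTS = [
    {"user": "alice", "enabled": True,
     "entitlements": {"create_vendor", "view_reports"},
     "last_login": date(2024, 2, 20)},
    {"user": "bob", "enabled": True,
     "entitlements": {"create_vendor", "approve_payment"},
     "last_login": date(2024, 2, 28)},
    {"user": "carol", "enabled": True,
     "entitlements": {"view_reports"},
     "last_login": date(2023, 10, 1)},
    {"user": "dave", "enabled": True,
     "entitlements": {"admin"},
     "last_login": date(2024, 1, 15)},
    {"user": "erin", "enabled": False,
     "entitlements": {"view_reports"},
     "last_login": date(2023, 6, 1)},
]

# Assumed toxic combinations: pairs of entitlements one person must not hold.
TOXIC_PAIRS = [("create_vendor", "approve_payment")]

# Assumed policy: an enabled account unused for more than 90 days is dormant.
DORMANT_DAYS = 90

# Constructed "today" so the example is reproducible.
REVIEW_DATE = date(2024, 3, 1)


def review_access(accounts, hr_active, toxic_pairs, today):
    """Return (user, finding_kind, detail) tuples for every policy violation."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        # Orphaned: still enabled although HR no longer lists the person.
        if acct["enabled"] and user not in hr_active:
            findings.append((user, "orphaned",
                             "enabled account with no active HR record"))
        # Dormant: enabled but not used within the policy window.
        if acct["enabled"] and (today - acct["last_login"]).days > DORMANT_DAYS:
            findings.append((user, "dormant",
                             f"no login for more than {DORMANT_DAYS} days"))
        # Segregation of duties: checked even on disabled accounts, since
        # re-enabling them would recreate the conflict.
        for a, b in toxic_pairs:
            if a in acct["entitlements"] and b in acct["entitlements"]:
                findings.append((user, "sod_conflict", f"holds both {a} and {b}"))
    return findings


def run_review():
    """Run the review over the constructed sample data."""
    return review_access(ACCOUNTS, HR_ACTIVE, TOXIC_PAIRS, REVIEW_DATE)


if __name__ == "__main__":
    for user, kind, detail in run_review():
        print(f"{user}: {kind}: {detail}")
```

In a real deployment the account list would come from the application's own export and the roster from HR, and each finding would be assigned to the asset owner named in the asset inventory for sign-off, which is what makes the review a record rather than a one-off script run.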
It is worth remembering that a better understanding of the practices of true information security leaders can always help you improve your organization's security game, especially how they go about implementing their cloud security strategy, social media security strategy, mobile device security strategy, and security strategy for employee use of personal devices in the enterprise.