Today’s businesses face the most dynamic and challenging security landscape ever seen, and it’s not getting any better. Attackers are persistent and technically advanced in how they approach their targets, and the potential impact of breaches is getting larger due to the interconnected and digitally dependent nature of businesses today.
Traditional approaches are no longer sufficient. Building a secure perimeter, trying to keep the bad guys out, and reacting to incidents when they occur will not deliver the security that companies now require. A new approach is needed that enhances the techniques learnt over the last decade to deliver a way of managing information security that is commensurate with the challenges posed to businesses.
Organizations are dealing with several key challenges as they develop and implement their strategies, including the take-up of cloud, the need to be digital by default, the amount of data generated, the breakdown of the traditional enterprise perimeter, and the inevitable squeeze on budgets. All of these are being embraced by businesses, but ensuring a business is secure while it undergoes these dynamic changes is still an evolving challenge.
Businesses need to align their approach to information security to their business strategy. This is fundamental in ensuring that the business buys into security and that it becomes an enabling function. There must be a shift from the reactive handling of information security to a much more proactive approach. This will enable businesses to get onto the front foot. As with most strategies, there are several interconnected elements needed for enterprises to succeed in embedding this new approach into their business strategy.
Create a Rapid and Effective Response
Enterprises must develop a strong and effective response capability. In today’s world it is very much a case of when, not if, a security incident happens. Each incident may not be a major breach, but a consistent and well-defined approach to handling security incidents will enable a rapid response, allowing the enterprise to resume normal operations as quickly as possible. The response process needs to include people, process elements, and technology, and should be consistent with the other response processes within the business.
Focus on Business Critical Assets and Data
With the massive amount of data that an enterprise consumes and utilizes, and the rapid expansion in its virtual perimeter, trying to secure the whole organization is no longer feasible. As a result, businesses should start to focus on the data and assets that are critical to operations, and look at how they protect them.
"A secure perimeter, trying to keep the bad guys out, and reacting to incidents will not deliver the security that companies now require"
Through a phased approach that starts by securing the most critical assets, a business can rapidly reduce its risk, and as progressive levels of critical data are then brought under the new approach to protection, the business risk is also progressively reduced. This risk-based approach will also enable the business to better position appropriate levels of controls, whether those are technical, process-based or personnel-based.
Develop a Security Operating Model
The long-term aim of the strategy is to build security into the fabric of how the business operates, and to ensure that it is considered from the outset, rather than having to be bolted on at a later date. To do this, enterprises need to develop a security operating model. By having a foundational model it becomes easier for an enterprise to ensure that it covers all aspects of the business, including third parties, partners and legislative or regulatory requirements.
The operating model also serves as a foundation against which a business can look to improve its maturity. By measuring itself realistically against the different areas of an operating model, an enterprise can establish a consistent approach to understanding its current posture, and identify areas that require improvement and development. This process of ongoing development will enable the enterprise to secure the delivery of the broader business strategy.
Businesses will always face a challenge to keep up with hackers and criminals who continuously evolve their tactics and approaches. However, by transitioning from a reactive to a proactive approach to information security, enterprises can put themselves in a much stronger position. This will allow them to articulate to board members and shareholders that they understand the threats they face, and more importantly that they have the right controls in place to mitigate those threats effectively.
About the Author
Rob Lay is a solutions architect in the enterprise and cybersecurity business within Fujitsu. With over 15 years in the industry, Rob has a technical background, having worked in both managed and professional services. He focuses on the business aspects of information security, with experience in helping clients develop mature approaches to the governance of information security and risk.