Time to shift information security focus away from prevention, says Swiss bank CISO
Organisations need a new approach which recognises security is “breakable”, according to Michael Meli
Most organisations need to shift their focus to hacking detection and intervention – and away from prevention – the European Identity & Cloud Conference 2016 in Munich has heard.
“There will always be someone who clicks on a malicious link, or an unpatched system, obsolete software, zero-day vulnerability or unknown vulnerability which attackers can exploit,” said Michael Meli, chief information security officer (CISO) at global Swiss private bank Julius Baer.
Determined attackers will always get in if there is something worth taking or that can be used for extortion. For that reason, Meli said organisations need to shift to a new security paradigm that recognises security is “breakable”.
The aim of adding detection and intervention to the traditional approach of prevention, he said, is to reduce the attack surface at the network perimeter and so limit damage.
Four areas need to be improved
In making the transition to this new approach, Meli said there are four areas that require work.
First, there is a need to move from security simply being a gatekeeper to being an intrinsic part of every project and process, acting as an advisor to ensure security is part of the design.
“For this to work properly, the security function needs to be empowered to challenge design decisions, and consequently needs to have the necessary technical knowledge to do so,” said Meli.
Second, this new approach to security requires a change of culture, where every employee feels they have a role to play in making the organisation safer.
“Information security professionals also have to stop saying ‘no’ to the business, and start saying ‘yes’, while making it clear what has to be done to make it secure at the same time,” said Meli.
“Security needs to be seen as providing solutions for reaching business goals, and success is the business going to security for help to solve business problems,” he said.
It’s important, said Meli, for security to have an excellent relationship with the CIO and other key stakeholders, which improves every time security helps to solve issues.
Third, transparency of security is important, achieved by implementing the full plan-do-check-act (PDCA) lifecycle.
“It is vital to know the weak spots and remediate with a risk-based approach,” said Meli. “It is equally important for security to be measurable and for reporting to be automatic, relevant and actionable.”
Finally, this new approach needs to be supported by technology that enables organisations to adjust their security posture dynamically in response to threat intelligence.
“A global and centralised view of all relevant security threats is important, as well as having the detection capabilities that match the risks,” said Meli.
The challenges remain
However, while advocating the transition to this new paradigm, Meli conceded there are several key challenges, with one of the biggest being that “this transition typically requires organisations to adjust and even re-write their information security strategy”.
Other typical challenges include an organisational setup that does not support the new paradigm by letting security feed into projects, and a need for new or different soft skills to steer or influence the CIO.
Disaster recovery and business continuity management processes need to be updated, while there needs to be a rethink regarding patching and hardening processes.
“Breakable security is not only about technology; it is a transformational approach that may require effort over five years to ensure that it is relevant and actionable, and it will require additional investment,” said Meli.