Security Think Tank: Communication, processes and tech: A new beginning for security
How can infosec pros and data architects work together to support business goals and achieve a good level of cyber security?
The world is multi-dimensional, and any activity has to be oriented in several dimensions. Business matters are no different, and require a degree of communication abilities, understanding and flexibility never seen before, especially when it comes to safeguarding critical information and digital assets that are critical for the continuity of the business.
Professionals who work in the fields of risk, compliance, auditing, assurance, governance and, basically, anything related to supporting corporate goals are tasked with a series of duties that have, at the end of the day, one unique goal: protect and defend, protect and defend, protect and defend. All of the time, in any given circumstance.
It is imperative that infosec professionals understand the business goals and—as COBIT 2019, ISACA’s governance framework indicates—embrace the objectives of the corporation, comprehend why an initiative is being born, and how to give further control and visibility to the tasks of identifying, preventing, protecting and monitoring it.
Of course, to understand business goals, proper communication is key to success. Of all the things I am about to mention, communication represents the most relevant pillar for infosec professionals to embrace the project and, consequently, suggest the right countermeasures, controls, processes, procedures and technology to defend it in a robust and solid way.
Another very important aspect of the joint effort to build the right umbrella to protect the business is to further understand the attack surface, which keeps expanding and amplifying as new platforms, technologies and environments appear.
Working together (the business and IT) will mean having a proper conversation about the threat landscape and the risky behaviours of some departments within the company. In that conversation, metrics and indicators have to be built and agreed upon so that the ones that have to protect can effectively and efficiently do so, and the ones that have to build the business, make it bigger, better, more profitable, can do so without the fear of the next exploit, vulnerability or data breach.
I chose the word “umbrella” earlier, as many enterprises around the planet are already in the “cloud” dimension. The idea of the umbrella helps us to understand that, in the very same way that an umbrella in the physical world prevents us from getting wet, the “digital umbrella” will protect us from leakage from several clouds (in the plural, since there is more than one cloud).
In a world where businesses use clouds and different platforms that are targets for cyber criminals, the question then becomes, “Who’s buying umbrellas that prevent organisations from getting wet in this digital epoch?”
No other profession is better equipped than infosec to adapt and adopt new approaches that stop the threats coming in the form of cryptojacking, formjacking, phishing, smishing (SMS phishing), vishing (voice/VoIP phishing), and more.
While communication is critical, the core processes of monitoring and auditing are also instrumental to success, since they provide visibility into what is happening in the network, on mobile devices and in the datacentre.
Monitoring is mandated not only by common sense but also by some regulations (such as the EU’s General Data Protection Regulation (GDPR)) and, in my opinion, monitoring processes have to be built with the business, for the business, through the business.
It doesn’t make sense to create a cyber security strategy without the involvement – and understanding – of the business, and it is imperative to sit and talk, build, design, and come to an agreement. Success is a consequence of that process.
Using frameworks and best practices does help, of course, but nothing will ever be relevant to the business without an explanation of why things are done, why a given control has been built and what we are protecting in the corporate arena.
For that, I’ve had the pleasure of being engaged in executive workshops to explain risky behaviours and even demonstrate wrongdoings in the day-to-day operations of a corporation. Showing the impact of mishandling data and explaining the consequences of not doing the right things in the right way is a good way to get management buy-in and sign-off for cyber security activities. Again, having the right communication and building the channels to engage in a business conversation rather than a technical one seems critical here.
The human factor
Last but not least, the human factor plays a very important role, and any investment into awareness training, education, information, etc. is more than welcome.
There is no successful cyber security programme anywhere in the world without training people on a continuous basis. The threat landscape changes with new attack vectors and hybrid approaches from cyber criminals, and every dollar invested in educating people about this is worth it. It is common to think about the triad of people, process and technology, and ISACA’s COBIT 2019 and CSX certifications explain this in an excellent way.
But now there is another “triangle”, equally important, that sits on top of the former one: culture, structure and strategy. This is where infosec professionals and businesspeople need to shine – in understanding where the company is going, what the employee culture is, who reports to whom and how the company is built.
Then, setting the right tone and using the appropriate technology to safeguard the environments that are important for the entity is the next step; defining and deciding on the enterprise architecture will be a consequence of that conversation. Because communication between humans, with the business in mind, is all that it takes. Let’s talk.