Security Think Tank: Monitoring key to outcomes-based security
What is the first step towards moving from a tick-box approach to security to one that is outcomes-based, and how can an organisation test if its security defences are delivering the desired outcome?
Too often, cyber security decisions are influenced by the latest security controls and countermeasures demonstrated at industry conferences and a desire to simply choose the most “powerful” tools, regardless of need. Rather than hoping for a one-size-fits-all solution, organisations can move toward an outcome-based approach to security by understanding their appetite for risk and identifying the most important assets to be protected and defended in the organisation.
Traditionally, this can be led by a “negative” approach, with a focus on verbs such as “block”, “deny”, “stop” and “forbid”. A more positive, action-based approach focusing on “allow”, “ensure”, “enable” and “build” takes security from being “an end” to becoming “a way”, and a best practice which can be closely aligned toward business goals and objectives.
Frameworks and best practices, such as COBIT 5, provide guidance, processes and procedures to govern an enterprise’s holistic IT system. The NIST Cybersecurity Framework, for instance, focuses on five areas to defend a company (Identify, Protect, Detect, Respond and Recover), and while they are critical for success, a simple discipline to check if controls are effective is often overlooked: monitoring.
In an era where information travels back and forth through networks and data lives in different clouds, repositories, devices and data centres, it is imperative to monitor these different in/out channels.
Privacy laws such as the EU’s General Data Protection Regulation (GDPR) require businesses to take ownership and be accountable for any data coming in and/or out of the organisation, meaning monitoring really is imperative and not something to be overlooked. Establishing monitoring procedures will enable you, first, to check whether defences provide the desired outcome and, second, to help the organisation remain compliant.
There are many ways to check (and double-check) if the security methods you have in place are delivering on expectation – particularly if you are trying to make the transition to a more outcome-focused system. One such method is table-top exercises – tests which allow security teams to simulate a real-time scenario and practise response. Variables such as approach and incident response time, for example, are factors which can be assessed and reviewed against desired business outcomes.
The opposite of security is not insecurity, but complacency, and it is the duty of executives to be sure that cyber security measures are protecting and defending as promised. Begin with business objectives: build a positive case for enabling them and monitor continuously to ensure you don’t fall short of your goals.
Remaining proactive and open-minded when it comes to reviewing security measures is crucial to being one step ahead of the next trend in attacks or the growing sophistication of threats.
Today, the role of the security expert has evolved: we are no longer required only to safeguard the organisation from an IT perspective; we must cast a wider lens over the business as a whole. An outcome-focused approach to security is imperative to ensure you are aligning security measures with your business’s overall objectives and outcomes.