• Careers | Call Us: +1 315 215 3290

Blog

  • best-practices-application-security

    Best Practices for Effective Security Practices and Execution

    In the earlier post, we looked at the popular myths and misinformation about IT security. In this post, I would like to give a few recommendations for CXO’s to help them shape up and design practical and effective security strategies and execution plans.

     

    Here are my recommendations:

    security-information

    1. Set-up a Security Culture

     

    I believe that security culture needs to be driven from the top of an organization and made a part of everyday activities in an organization. Just as the members of the top management serve as role models to follow when it comes to integrity, the same needs to be applied to IT security.

     

    It’s not just about creating a security policy document, but rather ensuring that the security mindset is practiced all times. Top management has a bigger responsibility to do so. CEO’s should ensure that security is always being considered with utmost care and responsibility.

     

    2. Make CISO’s report to the CEO of the company

     

    While there has been a huge debate going on about what is most appropriate reporting structure for a CISO, I strongly recommend that a CISO should report to the CEO of the company. A CISO reporting to a CIO somehow leads to the perception of security as an IT only issue. A CISO reporting to CFO leads to an inefficient model as there are somewhat contradictory objectives. I have seen CISO’s getting frustrated and complaining about their security programs not being able to make progress because their programs caught in approvals from the CFO’s office.

     

    I believe that the success of security depends on how closely it is aligned to the business objectives. Security never works in isolation and should not be looked as an IT only problem. Security breaches have led to the ouster of CEOs world-wide and it is in the interest of the CEO to be in direct view of the security programs and their effectiveness. A CISO reporting to the CEO can command greater in the organization as well as it sends a strong message about the seriousness of the top management towards security.

     

    3. Security is not an implied phenomenon, but an explicit one

     

    You need to operate your security programs with two principles:

    “Trust but verify” and “You get what you document”.

    These two principles work in tandem. Let me explain this with a few examples:

    • Application security:

      Whether you have used your in-house team or outsourced your application development, you cannot expect application security to be in place unless you ensure that you have defined your security requirements in the requirements document. How many times have you run into this problem that just when you are ready to go-live with your application, the security scanning reports a huge list of security vulnerabilities? Make sure that the secure Software Development Life Cycle (SDLC) process is followed to ensure that security is in place for all of your applications.

    For more details on how you roll-out a secure SDLC, you can refer to my earlier blogs mentioned below:

     

      • Identity and Access Management (IAM): Have you run into this scenario where you bought one of the best products in the IAM space but found that the product does not support integration with many of your applications and the product is not able to implement many of your business processes?If this scenario sounds familiar to you, then let me ask you another question. Did you identify and document your business processes completely and evaluated the product capabilities to meet your requirements? If not then it would be unfair to blame the product. You need to define what you are looking to achieve with your IAM program and identify solutions that would meet those requirements as well as work on customizing the product to meet your requirements.The point I want to drive here is that you need to perform your due diligence and the documentation of your requirements and then drive the security programs with appropriate checks to ensure that your objectives are met. For more details on how to avoid the typical mistakes made during IAM solution roll-out and the Execution Roadmap to follow in order to make your IAM program a success, you can refer to my blog mentioned below: Lets make your identity and access management program a success

     

    4. The efficiency of security products is directly proportional to your efficiency

     

    As I mentioned earlier, just buying and deploying security products in your environment will not be effective to achieve your business requirements. Your security solutions will be as effective as your effectiveness. You need a solution to your problems and not just a security solution. Build solutions around your selected ITsec choices so that you achieve your business objectives.

     

    5. The world is not enough, be READY for the worst

     

    strategy-action-plan

    We cannot expect 100% security for long. You must put the best security controls available in place based on your due diligence and tuning, but there will always be new threat actors and vulnerabilities emerging. Thus security planning is dynamic, and ongoing, not static. Security is not a ‘fix once and forget’ challenge. Furthermore with mobility transforming our lives and the IoT poised to make our lives much more efficient and hopefully better, we are leading to a more connected world with newer and ongoing security challenges.

     

    You need to have a well-defined strategy and action plan in the event of a breach occurring. Many well-known organizations do not have one.

     

    A few key points that should go into your planning are:

    • Which stakeholders to contact when a breach occurs. This will include not just the key organization individuals but also the list of partners, contractors. Also you need to identify the government cyber agencies you will need to contact when a breach occurs and the processes of engaging with them.

    • A detailed plan that your technical team will follow when a breach happens to ensure that panic does not set in and the key people are aware of what activities to do so as to ensure that the affected systems are back in operation and further damage is avoided.

    • A communication plan for your customers, partners, media, board members and government agencies.

    • A process to ensure that the forensic teams are able to capture the required details and present it to your cyber insurance provider.

    • Identify the list of external security consultants and groups in various security domains. These members will prove to be very handy to reorganize effectively after a breach.

    • Have your legal team prepared and legal terms documented.

     

    “When the top line gets hit, Security becomes a bigger HIT”
    TO
    When Security becomes a hit, the top line becomes a bigger HIT”

     

    I hope this article has provided you food for thought so that you work towards correcting the myths associated with IT security and devise a security roadmap and an execution process plan that align with your business objectives. You don’t want to be the darling of the media as a result of getting breached. Let’s change the notion from “When the top line gets hit, Security becomes a bigger HIT” to “When Security becomes a hit, the top line becomes a bigger HIT”. I would love to see world where Security is not operated from a FUD (Fear, Uncertainty, Doubt) mindset but rather it is looked at as an enabler and differentiator for your organization.

     

    Security is a collective effort. Let’s Secure Together!


    About the Author:

    Nitesh carries a deep passion for the information security space. Nitesh is the Founder and CEO of Sacumen, a focused and niche Security Product engineering and Services Company. Nitesh has spent more than a decade in the Security space and carries multiple prominent security certifications such as CISA, CISM, CGEIT, CISSP, CSSLP, CEH, ISO 27001 LA, CCSK and HCISSP. Nitesh is on a mission to transform the perspective of IT security from a FUD (Fear, Uncertainty and Doubt) perspective to having IT security being harnessed as an enabler and differentiator.


    founder-and-ceo-sacumen
    linkedin-badge


    Sacumen is a Security Product Engineering and Services Company. Sacumen was born to address the pressing needs of Enterprises and Product companies looking for a trusted, focused and niche Security services partner to help them develop innovative security products and solutions. Sacumen is focused on providing services to develop innovative solutions in the areas of Identity and Access Management, Application security, API Management and security, Authentication, and Security product engineering.

    Leave a comment