- 16 Dec
New Year Resolutions for Security Leaders
It’s that time of the year when most of us reflect on how the year went and look at the coming New Year with hope for greater success, peace, prosperity and so on. One of the common thoughts that come to everyone’s mind is to look at ways to be better than before, and that leads to the creation of a list of resolutions.
Security Leaders, irrespective of the designations they carry, are in the process of drafting their resolutions for the New Year to make security better through the amalgamation of People, Process and Technology. This article’s purpose is to serve as a guide for Security Leaders drafting those resolutions, towards making Security an Enabler and Differentiator for their organizations and leading them to greater success.
Treat Security as a Business Unit
I have put this at the top of the resolutions list simply because the success of Security depends on how well security is aligned to the Business objectives of the Organization.
I have seen many CISOs/CIOs complain about the lack of budgets for Security. It’s very important to explore the reasons for it, and I would say the primary reason is the lack of visibility of the value created by Security programs, which happens because security programs get executed as technical IT projects.
Run Security as a Business Unit.
Running Security as a Business Unit will achieve the following:
Apply Governance and achieve the alignment of Security programs with Business objectives
Put the required Structure, Process and Procedure – Governance will include a set of metrics to indicate the health and progress of the Security program. This will ensure that the Security programs are assessed at regular intervals to confirm that they are aligned to the Business objectives.
Establish RACI for better clarity and accountability
Help you establish a RACI (Responsible, Accountable, Consulted, Informed) matrix to ensure that the Roles and Responsibilities for the Security programs are clearly defined and assessed regularly for efficiency and correction.
Make you look for newer avenues for value generation
The Security business unit will always be looking out for newer avenues of value generation. The newer avenues can be in areas such as SMACI (Social, Media, Analytics, Cloud, and IoT), as the Organization will look at adopting these for greater growth. You will always be thinking of how your Security programs will enable your organization to take on business or technical initiatives while feeling confident about their security.
Utilize your finances effectively and responsibly
The Security business unit will track costs and perform cost-benefit analysis for all initiatives. This will help you prioritize your investments using a risk-based approach. You will be pressed to show the tangible and intangible outputs targeted for each security program that is executed.
Example of tangible outputs: tangible outputs for an IAM (Identity and Access Management) program can be:
Reduce the employee on-boarding time from 2 weeks to 3 days by the 1st year and from 3 days to 1 day by the 2nd year.
Reduce the administration cost from the current annual cost of $800k to $300k by the 1st year.
This will help you drive your demand for more budget from Top Management, as it’s a data-driven model you will be following.
Plan and manage the Capacity requirements
Any business unit will need capacity forecasting, and the same applies to your Security Business unit.
Executing security projects under Program Management will help you develop the appropriate portfolio of security projects, and then develop the plan bringing together the information on projects, resources, timescales, monitoring and control.
Establish Performance driven culture
This will help you establish a performance-driven culture, thereby achieving a high level of employee performance, goal alignment and engagement. The performance matrix will be applied to People, Processes and Technologies, and this will ensure that you know what is working well and what needs correction or even elimination.
So the next time someone asks you what you do, tell them you run the Security Business unit for your organization and its primary goal is to have Security as the enabler and the differentiator.
Make your Employees say that they “Believe in and Love Security”
A saying goes, “Omelets cannot be prepared unless the eggs are broken”. I will say, “Security cannot be achieved unless your employees believe in it and live it”.
Your employees can be your biggest strength or your biggest weakness, and this applies very prominently to the Security of your organization. One of the findings from IBM’s 2014 Cyber Security Intelligence Index is that 95 percent of all security incidents involve human error.
Security culture needs to be driven from the top and made part of everyday activities in your organization. Just as Top Management serves as the role model to follow when it comes to Integrity, the same needs to apply to Security.
Security awareness training needs to be personalized and customized based on the various functions and roles in your organization. Don’t have one generic Security awareness video circulated and used for this very critical activity. Assess Security awareness not just through the standard online test but also through mock exercises and fun activities. This makes your Employees more involved and committed, ensuring that your people are the best guard of your organization.
Look within – Strengthen the Internal Security Assessment process
Compliance is the primary driver of Security. Many organizations work towards compliance rather than security. I have seen organizations proudly talking about being compliant with a certain standard and deriving the conclusion that they are secure.
Keep the following points in mind with respect to Compliance:
Most Compliances are not prescriptive.
Compliance assessment is a snapshot of the environment for the defined scope at a given instance of time.
With threat vectors evolving at a fast pace, you cannot rely only on external Compliance assessments to let you know the gap areas. Focus on building a strong Internal Security assessment process in such a way that the assessment and the corresponding gap resolution happen on a continuous basis and not only annually.
You and your team members have the best knowledge of your business and environment and are best placed to perform the most effective assessment and resolution. Identify, promote and celebrate the champions in various departments for their involvement and support in performing internal security assessments.
The world is not enough but be READY for the worst
100% security is not possible. You can try to put in place the best security controls based on your due diligence and tuning, but there will always be new threats and vulnerabilities. With mobility transforming our lives and IoT poised to make our lives even better, we are heading toward a more connected world with newer security challenges.
Let’s play out a scenario…
“You are the CEO/CIO/CISO of your organization and you receive a call at midnight. You are told by your team that a few hours back, on a few prominent security forums, a Hacker group posted messages that they have been able to hack into your organization’s servers and customer database and have sensitive client data with them. You are told that your IT team is not able to access the critical servers, as the privileged user (admin) accounts have been compromised and the passwords have been reset. You are told that the Hacker group has sent an email demanding a ransom of multi-million dollars to avoid further damage to your organization.
Within a few hours the news spreads and the bad news starts coming from all ends. Your stock price has tumbled by 10% in the opening hours of trading, your clients have sent escalation emails demanding an explanation, media people are outside your office (or even your home), your board members are informed of the breach through the media before you could tell them, and your IT team has told you that it has no clue how to manage the situation.”
The above scenario is chilling and scary but is something that is happening very frequently these days. You would not want to be caught unprepared for such scenarios. In fact, you could survive the breach impact and come out stronger if you have ensured that you have a well-defined strategy and action plan should a breach occur. Many well-known organizations do not have one.
A few key points that should go into your planning are:
Stakeholders to contact when a breach occurs. This will include not just the organization’s individuals but also the list of partners and contractors, and don’t forget your board members. You also need to identify the state and government cyber agencies you need to contact in case of a breach and the process to engage them.
A detailed plan that your technical team will follow in case of a breach, to ensure that panic does not set in and the members are aware of the activities to perform so that the affected systems are brought back into operation and further damage is avoided. Disaster Recovery (DR) and BCP (Business Continuity Plan) should be well defined, reviewed and made available to all the relevant stakeholders.
Communication plan for your customers, partners, media, board members, and government agencies.
A process to ensure that the Forensic team is on the job to capture the required details and present them to your Cyber insurance entity and the Court.
Identify the list of external Security consultants and groups in various security domains. These members will prove very handy to fight effectively against a breach.
Have your legal team ready and legal terms documented.
There are many more points you need to plan for to have an effective After Breach Plan. But remember that just putting up a plan will not make you fully ready. Conduct mock breach scenarios at defined intervals in your organization to gauge the understanding and preparedness of your organization when a breach occurs. Such mock exercises will ensure that your organization responds in a mature, professional and planned manner should a breach occur. As they say, “The more you sweat in practice, the less you bleed in war”!
Secure SDLC – We all want it but don’t have it
Are you one of those who call up security experts and straight away ask them whether they do “Penetration Testing”?! This question illustrates the common approach taken to Application security: Security is remembered only at the Testing stage or, worse, just before the final deployment.
Whether you have used your in-house team or outsourced your application development, you cannot expect application security to be in place unless you ensure that you have defined your security requirements in the Requirements document. How many times have you run into this problem: just when you are ready to go live with your application, the security scanning reports a huge list of security vulnerabilities?
Security is NOT an implied phenomenon but an explicit one.
Two important points to remember:
Trust but verify
You get what you document
Follow the above 2 principles to ensure that a secure SDLC is indeed effectively applied to your applications.
For more details on how to roll out a Secure SDLC, you can refer to my earlier blogs mentioned below:
APIs will make me a HERO
It will be surprising to me if you have not realized the value of APIs (Application Programming Interfaces), or if you treat an API as just a web-services implementation.
Due to the frenzied pace at which Technology growth has happened, is happening and will happen, we are approaching a pretty complex heterogeneous Infrastructure environment. With the fast-paced growth of multiple networking protocols and messaging formats, organizations will need to plan for putting in place one standardized Infrastructure capable of addressing current and future requirements.
APIs should be your answer and strongly embedded in your strategy. Most of the Security Technology Companies’ (Facebook, Twitter, Salesforce, and the list goes on) revenue is being driven through APIs. The whole Application economy is being built on APIs.
APIs are much more than a web-services implementation. APIs are the mode of communication between Machine and Machine, Human and Machine, and Machine and Human. APIs are your products. APIs will keep you future ready.
There is a spectrum of transformation initiatives that can be built using APIs, such as:
API Monetization: Make money through your APIs. Publish APIs that provide valuable data and functionality to your clients and partners, and charge them based on API usage.
API Security: Security controls that you build into various applications on varied platforms and in varied languages can be moved to the API platform, so that one API platform provides the standardized security controls for your applications, saving time and achieving standardization and better control.
Developer ecosystem: Is it not wonderful to have a bigger external developer community (apart from your internal one) building wonderful applications and utilities using your APIs?! API Platforms provide you that. You do not need to send your WSDL/WADL file to each developer; instead, publish it through your API platform, providing quick-to-use sample code with a clear explanation of the API usage and specification. It makes life simple.
Analytics: Data is your key asset and the insights and knowledge built on that data is what drives revenue. Is the API platform not the right place to perform your analytics operations as you have access to the Application Layer data? Think of possibilities on how you can transform User experience and provide better services and have better connects through real time analysis of the data available through your API platform!
Look at having a commercial or in-house built API Management platform. API Management platforms will provide the one standardized Infrastructure capable of helping you achieve the transformational power of APIs!
Make Identity and Access Management program a foundation pillar
Building a strong Identity and Access Management (IAM) program is essential to ensure that only the right people have access to the right resources at the right time for the right reasons.
Don’t execute the IAM program as just another IT project. IAM is one of the security domains most closely associated with Business processes and Business owners. Ensure that your IAM program is well aligned with your business objectives as well as with your business processes.
You should also look at moving towards the use of 2FA (Two-factor authentication), at least for all your critical applications and servers. Also, to address the insider threat, you can look at having a Privileged user access control solution to gain better control and visibility over your Privileged users (Admin users).
You can discover the typical challenges in rolling out IAM program and a detailed Execution Roadmap to make your IAM program a success in my other article available at:
I take the responsibility to make my organization securely fly on the cloud
With the acceptance of Cloud growing and many organizations leveraging the cloud for their business initiatives, one of the fundamental questions that I see organizations grappling with is “how much am I responsible for the Cloud?”. In fact, many organizations love to believe that Cloud security is completely the Cloud provider’s responsibility.
To make your life simpler, please remember this: “Whatever you put on the cloud is your responsibility”. Map it to all the Cloud deployment models and you will have clarity on what you need to take care of. Cloud security is a shared responsibility. Cloud providers such as AWS, Azure etc. provide various security controls from the perspective of Identity and access management, data encryption, application security etc. It’s on you to assess the effectiveness of those security controls and map them to your unique requirements. You should ensure that you effectively configure and implement the security controls provided by the Cloud providers. You should also ensure that you put in place your own extra security controls that help you meet your business and compliance requirements.
Remember, it’s your business and hence it’s your responsibility to make Cloud security effective as per your requirements; the Cloud is just the use of someone else’s computer!
I hope this article has provided you food for thought for shaping your resolutions for Security in the New Year. The New Year will be fascinating and will provide us newer ways to explore and live life. I wish you all a fabulous New Year!!
Security is a collective effort. Let’s Secure Together!
About the Author:
Nitesh carries a deep passion for the information security space. Nitesh is the Founder and CEO of Sacumen, a focused and niche Security Product engineering and Services Company. Nitesh has spent more than a decade in the Security space and carries multiple prominent security certifications such as CISA, CISM, CGEIT, CISSP, CSSLP, CEH, ISO 27001 LA, CCSK and HCISSP. Nitesh is on a mission to transform the perspective of IT security from a FUD (Fear, Uncertainty and Doubt) perspective to having IT security being harnessed as an enabler and differentiator.
Sacumen is a Security Product Engineering and Services Company. Sacumen was born to address the pressing needs of Enterprises and Product companies looking for a trusted, focused and niche Security services partner to help them develop innovative security products and solutions. Sacumen is focused on providing services to develop innovative solutions in the areas of Identity and Access Management, Application security, API Management and security, Authentication, and Security product engineering.