Defining The Ideal Security Strategy

Data security in both the public and private sector has come under intense scrutiny in recent months as the number and severity of breaches have risen. For example, in the 11 months to February 2012 the Information Commissioner's Office (ICO) received 467 reports of data security breaches by public sector bodies in the UK alone, with a further 263 cases in the private sector.

In 2012, the ICO has issued fines totalling more than £700,000, including the first penalties ever given to an NHS body and a police force.

With stricter regulations governing data inevitably coming into force, the impact of a serious data breach on any organisation has never been greater. The CIO is ultimately responsible for the outcome of any IT initiative, including the security programme, and the most direct way to set the team up for success is to ensure that the company's security strategy enables and complements the underlying business goals that must be met. That is no small task.

Part of the objective for the CIO and his Chief Security Officer (CSO) is to clearly define security processes so that all employees, from the boardroom down, understand the role that they must play to keep data secure. Additionally, the right technology is needed to meet organisational security goals and objectives, just as it is for any IT business initiative.

By closely aligning their security investment to reflect the rapidly changing business IT landscape, organisations will be able to more easily meet changing compliance obligations while reducing the risk that a business-impacting breach will occur.

Defining security processes

Security processes are the backbone of a good security strategy – they give everything else structure. However, as the IT infrastructure and the way users interact with it become more complicated, so the processes can become unwieldy, outdated or even irrelevant.

Organisations must identify, define and validate existing processes as well as identify and create new processes that should exist. Thereafter, they are in position to automate processes as a way to more efficiently execute the security strategy.

By automating security processes for an organisation and removing unnecessary human intervention, errors can be reduced and resources are focused in the right areas. Such automation actually enables the CIO to more easily allocate resources to focus on enabling and securing new business initiatives such as a more cloud-centric thinking, greater mobility and so on.

The CSO continues to manage the response to insider attacks, threats to sensitive data and unauthorised changes to business-critical systems. In this way the best elements of automation meet the experience and insight of the CSO, ensuring that responses are consistent, fast and appropriate, and letting the CIO track progress against business goals more effectively.

For example, an incident response process built around Security Information and Event Management (SIEM) technology can more effectively incorporate anomaly detection, forensic analysis, identity context and reporting, and will streamline response and reduce the time taken to respond to events and mitigate their effects. This in turn gives the CIO greater confidence that business units are operating securely even as they execute on new IT plans.

Identifying the right technology

Vital to any underlying security strategy is the ability to grant employees privileges based on their roles, so that strong controls can be enforced, and to monitor all internal and external activity, so that there is visibility into any misuse of privileges and into external attacks.

The security solutions available to the CSO to incorporate into a security strategy include endpoint security, data loss prevention (DLP), malware detection, strong authentication, web session intelligence, identity and access management (IAM), identity and access governance (IAG), secure provisioning and security information and event management (SIEM).

Identity and access management/governance tools enable CSOs to manage and control who has access to what data and when, ensuring that only those who require access receive it. This in turn allows the CIO to have business owners (rather than IT managers) grant, certify and re-certify the access given to users in order to meet compliance regulations.

This level of control is important because of the ever increasing complexity of interconnected systems and applications plus the vast number of employees and connected individuals who could be accessing resources, systems and applications at any given time, in a combination of physical, virtual or cloud environments.

CSOs need to ensure that employees have appropriate access, which supports the CIO's business IT goals, and they need visibility and control over that access, which are imperative when monitoring potentially risky behaviour company-wide.

When taking a deeper look at SIEM solutions, remember that they can do much more than simply monitor device and user activity. They are designed to help identify security threats to an organisation quickly and to highlight potential breaches before significant damage is done. By analysing network event and log data in real time, SIEM solutions can alert the security team to potential security risks, data breaches and insider threats.

Crucially, when IAM and SIEM are deployed together, organisations can look at the full context of a user’s activity and evaluate user roles and privileges, adding a level of valuable insight to a security environment and laying the groundwork to more easily roll out new business-enabling technology – a key capability for any CIO. SIEM solutions can also generate reports needed for public sector compliance purposes, saving time, effort and expense on the part of the CSO.
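The combination described above, in which SIEM events are interpreted against the roles and entitlements held in IAM, is easiest to see in code. The following is an added example and is not code from the original article or from NetIQ's products; the log lines, user names, role table and field layout are all constructed for illustration, and the three rules (actions outside a user's role, a run of failed logins followed by a success, and off-hours access to data) are assumptions about what a practitioner would correlate first.

```python
"""
Correlate SIEM-style authentication and audit events with IAM role data.

Constructed example: the users, roles, permissions and log lines below are
made up for illustration. The pipe-delimited event layout and field names
are assumptions, not any vendor's schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed IAM data: which role each user holds, and what each role may do.
USER_ROLES = {
    "alice": "dba",
    "bob": "helpdesk",
    "carol": "finance_clerk",
}
ROLE_PERMISSIONS = {
    "dba": {"login", "db.query", "db.schema_change"},
    "helpdesk": {"login", "ticket.update"},
    "finance_clerk": {"login", "ledger.read"},
}

# Constructed SIEM events, one per line: time|host|user|action|outcome
RAW_EVENTS = """\
2012-03-01T09:02:11|db01|alice|login|success
2012-03-01T09:03:40|db01|alice|db.schema_change|success
2012-03-01T09:10:05|fin02|carol|ledger.read|success
2012-03-01T22:14:01|fin02|bob|login|failure
2012-03-01T22:14:09|fin02|bob|login|failure
2012-03-01T22:14:17|fin02|bob|login|failure
2012-03-01T22:14:31|fin02|bob|login|success
2012-03-01T22:15:02|fin02|bob|ledger.read|success
2012-03-01T22:16:45|db01|dave|db.query|success
"""

FAILED_LOGIN_THRESHOLD = 3     # failures before a success that count as suspicious (assumed)
BUSINESS_HOURS = range(8, 19)  # 08:00 to 18:59 local time; anything else is off-hours (assumed)


def parse_events(text):
    """Parse the pipe-delimited event lines into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, action, outcome = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host, "user": user, "action": action, "outcome": outcome,
        })
    return events


def correlate(events):
    """Return a list of (rule, user, detail) alerts, in event order."""
    alerts = []
    failures = defaultdict(int)  # consecutive failed logins per user
    for ev in events:
        user, action = ev["user"], ev["action"]
        role = USER_ROLES.get(user)
        allowed = ROLE_PERMISSIONS.get(role, set())

        # Rule 1 (identity context): the user is not known to IAM, or the
        # action is not one the user's role is entitled to perform.
        if role is None:
            alerts.append(("unknown_identity", user,
                           f"{action} on {ev['host']} by a user not present in IAM"))
        elif action not in allowed:
            alerts.append(("privilege_misuse", user,
                           f"{role} role performed {action} on {ev['host']}"))

        # Rule 2 (anomaly): a run of failed logins immediately followed by a success.
        if action == "login":
            if ev["outcome"] == "failure":
                failures[user] += 1
            else:
                if failures[user] >= FAILED_LOGIN_THRESHOLD:
                    alerts.append(("brute_force_success", user,
                                   f"{failures[user]} failures then success on {ev['host']}"))
                failures[user] = 0

        # Rule 3 (behaviour): successful data access outside business hours.
        if action != "login" and ev["outcome"] == "success" \
                and ev["time"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_access", user,
                           f"{action} at {ev['time'].isoformat()}"))
    return alerts


def run():
    """Parse the constructed events and return the resulting alerts."""
    return correlate(parse_events(RAW_EVENTS))


if __name__ == "__main__":
    for rule, user, detail in run():
        print(f"[{rule}] {user}: {detail}")
```

On the constructed data this raises five alerts: bob's successful login after three failures, bob's ledger read that his helpdesk role does not permit (also flagged as off-hours), and dave's database query, which is both from an identity IAM does not know and off-hours. The point of the second and third alerts is the one the text makes: the SIEM alone sees a successful read; only with the IAM role table does it become a privilege misuse.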

Playing it safe

While it might not be possible for organisations to eliminate the possibility of data loss completely, by implementing a comprehensive security strategy incorporating SIEM solutions the CSO, and therefore the CIO, will be better able to keep sensitive data secure and to reassure the executive leadership that business goals are being met alongside security needs. This, together with clear guidelines for staff on data protection, will substantially reduce the likelihood and impact of the data breaches that can damage an organisation, whether it is in the public or private sector.

Finally, security-aware CIOs must also remember that while tools and technology are important, the need to keep investing in security education must also stay firmly on the agenda. Threats and tactics change. Emerging trends such as "bring your own device", cloud and mobility complicate the way information is used, and user awareness training must stay current and relevant. Otherwise, the best monitoring tools in the world will not prevent damaging, and sometimes painfully avoidable, breaches from continuing to happen.


With over 20 years' experience in the IT industry, Adam Evans has held influential positions in both large corporate organisations and software security vendors. For the past 5 years, Adam has worked for NetIQ, a business unit of Attachmate. With a wealth of experience in security and compliance management, Adam has specialised in working with organisations to help them meet internal, external and regulatory compliance mandates through effective use of technology. Adam also regularly meets with key UK enterprise customers to discuss the latest security trends and security architectures in relation to the NetIQ portfolio and beyond.

  • Ian davin

    Adam, what you say makes sense, always start with risk, then policy, then tools. Security tools are about solving layers of risk but unless companies get the bigger picture they will always be chasing their tail.

    • Adam Evans

      Thanks for the positive feedback. As you say, it really is about the bigger picture where people, process and technology should be considered as a whole, as opposed to throwing technology at a problem and engaging a whole host of software vendors, who are only too happy to oblige with the latest must have technologies, such as the various flavours of cloud, big data etc. etc.