When businesses address their security, compliance and risk management, the first hard step is understanding where to begin. This is indeed a massive task.
CISOs, for example, have a finite group of people, software, and hardware to deploy – not just to detect malicious actors who probe the networks for weaknesses 24 hours a day but also to assist in meeting all the compliance and regulatory obligations of the company. In addition, the security staff must also serve the role of internal advisors to departments deploying applications and information technology infrastructure across the enterprise.
For this reason, organizations may take advantage of third-party partners or managed security service providers who can contribute to a portion of these tasks but, at the end of the day, that organization is still responsible for the success of protecting its people, assets, and data.
So where do businesses begin?
The first step is to understand what it is that we are protecting. This may include sensitive data, such as credit card accounts, health records, banking information, or personal identity data that needs to be protected. We may need to protect intellectual property, such as the formulary for a new medicine. Or we may need to provide physical protection for our employees and assets. In many cases, what we are protecting includes all the above. Combined, these protected assets establish our baseline of risk. What are the factors that may put these data and people at risk? Is our security model sufficiently well developed to detect malicious activity, and how do we stop it? Most importantly, how do we prevent future activity by malicious actors?
There are many ways to model the security and compliance risks that companies regularly face. A simple approach is to use a formulaic model measuring the probability of a risk occurring, along with an estimate of the probable loss should an asset be compromised. But let’s face it—it’s quite difficult to accurately estimate either one of these factors. There are applications and third parties that can assist in building more complex risk models, but what we are looking for are direct factors that present an imminent risk to our operations, our people and our data.
While you could look for the next best security apparatus to reduce your risk, for many organizations, simply ensuring they have implemented good security hygiene – a term you may have seen used often during Cyber Security Month in October – will go a long way in reducing the risk presented to the company. There are many factors that can contribute to good security hygiene, but security practices that are top-of-mind should include:
- Vulnerability assessment
- Penetration testing
- Two-factor authentication
- Reducing authorization to a minimum number of people
- Addressing application security
- Deploying anti-virus software and end-point agents
- Reviewing logs
- Ongoing security awareness training
- Encryption of sensitive information
Meeting compliance obligations complements securing the corporation. Many compliance frameworks were designed to provide minimum practices to protect the security and privacy of the data being held by the company. As with security, however, it can be difficult to know how to address multiple compliance obligations effectively. Some companies may need to meet HIPAA requirements, PCI requirements, ISO 27001/2 or Gramm-Leach-Bliley (GLBA) requirements. Some may need to meet all the above, as well as additional ones.
One approach that I have used successfully is to subscribe to a product that references multiple compliance frameworks and regulations – a Governance, Risk and Compliance tool (GRC). Authority documents for the various compliance obligations are mapped through the Unified Compliance Framework (UCF) and the compliance status is viewed in a dashboard. This simplifies understanding the state of compliance. These GRC tools integrate security, risk and compliance into a package that establishes a unified view of your current state of resiliency. You can focus on shoring up the weak areas of security and compliance that present the greatest risk. This provides businesses, and in particular the CISO, with a tool to maximize the effectiveness of the staff, software and hardware deployed to protect the enterprise.