When deciding what matters most, don't let compliance alone distract you from keeping actual security risks as the top priority, says Andrew Jutson
Compliance initiatives are repeatedly perceived as the shiny trinkets desired by senior management in the vast majority of corporates. However, those required to deliver these ornaments of compliance are typically the same people who are also required to improve security maturity, and the two don't always tally. It is common for security representatives to have a hard time gaining traction for wider security objectives, to the extent that their focus often shifts from holistic security aimed at 'protecting what matters' (i.e. the most valuable and most vulnerable information and systems) to prioritising compliance.
This can leave an organisation blinkered by whichever item carries the most pressure, so that more important security initiatives are ignored. A perfect example of this is PCI DSS compliance. Typically, attention and effort centre on applying common security controls around only a subset of the company's operations: those exposed to cardholder data. The rest of the company is left to continue blind to the real information risks that come with the day-to-day running of any business.
The outcome of this approach was exposed by the now infamous Target breach. In the aftermath, Target was proclaimed not to have been compliant with the PCI DSS standard, and the entry point exploited by the attackers was rumoured to have been the access of a third-party heating and cooling contractor. Whether Target was, is or will be compliant, and whether the attackers' entry point was through a third party, is beside the point. The bigger picture is that the attack demonstrates the enterprise-wide focus was not on security. If it had been, potentially precarious connections such as third-party access credentials would have been identified and graded as part of an adopted framework for assessing risk across the entire estate.
Achieving compliance can be like exhausting all your energy reaching Everest Base Camp: an almost overwhelming sense of relief, thinking the hard work is over, before the harsh realisation of the sheer size of the mountain still to be climbed to reach a secure corporate posture.
Even though maturity with regard to compliance objectives has increased across all industries, in my professional experience I have seen only a small number of organisations realise the need to assess corporate risk at the highest level. I have seen an even smaller number cascade a 'top down' acknowledgement and understanding of security, with security requirements treated as a framework for reducing risk rather than as the decorative elements of securing a business.
What I am alluding to here is not a new concept; it is just a more objective view of how security controls can be applied successfully. Effective information security and its associated controls are attributes of an information assurance programme that faithfully represents the risk throughout the business. It is only by approaching business risk from this perspective that appropriate countermeasures can be costed and applied accordingly.
The real hard work is to embed a corporate approach to information assurance that is focused on corporate risk. This is where we need to change hearts and minds. The board of a FTSE-listed retailer may be well versed in food safety, distribution centre, competitor and economic risks, but information and cyber risks are alien and intangible by comparison.
To put this in context, a recent UK Government survey suggests that board acceptance of cyber risk is high (81 percent of respondents). However, 45 percent reported that cyber risk was not presented to the board in previous years or, at worst, had never been presented. This exposes a significant misalignment in reporting, and even in understanding: it highlights that cyber risk is a board item, but is not recognised as a corporate risk item.
With the online and operational habits of users, consumers, partners and hackers changing every day, there is a pressing need for modern businesses to be prepared to respond to their environments. However, how can businesses be expected to respond effectively to something they do not currently know or understand as a corporate risk? Gaining a perspective on the risk to the corporate would at least provide a foundation for conversations about where the issues lie, and enable maturity to the point where the risk is financially quantified and understood.
Some points presented in this article may strike the CISOs and security managers out there as an unreachable panacea or some form of elixir. In a corporate that places operational risk on the same peg as cyber risk, I would say they are still battling for Base Camp, or still adorning baubles. However, redressing the security focus and presenting financially quantifiable risk to the board would see the focus begin to shift for the better. That is the approach to the Khumbu Icefall.
Contributed by Andrew Jutson, Senior Risk Consultant, IRM plc