Every so often I see interesting new products from network and security vendors, which provide innovative answers to particular security issues. When a customer reacts positively to a security product, they often still have to build a case for including it in their budget. The thought process can often be: “Here's a good product, can I justify the budget and deploy it into my environment?”
This seems very different from routing and switching where customers often have a planned strategy and budget to increase capacity and performance.
Return on investment
Justification for a planned capacity or performance upgrade is relatively simple if you factor in the potential return on increased revenues or productivity. This “speculate to accumulate” approach is pretty much the opposite for security planning.
This is starting to change as more businesses insure against breach and loss. As more companies look at insuring against loss, there is a direct and immediate link between the insurance premium, maximum indemnity and the security posture of an organisation. We have reached a point where we can more easily demonstrate that an improved security posture can deliver a return on investment.
From the top
Ultimately, the CEO is responsible and information security sits on the risk register with all the other high-level considerations such as physical theft, service availability and staffing etc. When dealing with the likelihood of a breach, the questions should be:
1. What are the threats facing the business?
2. How comprehensive is the security strategy in dealing with and preventing these risks?
The immediate technical/physical impact of a breach can be determined as hard fact but the knowledge that customer data has been exfiltrated has greater implications. The eventual cost of reputational damage and customer shift are far more subjective, but the certain pain of those factors should be clear enough to ask:
1. What are the potential immediate financial costs of a breach?
2. What are the long-term financial costs from information and reputation losses?
The responses to these questions may well justify the expense and effort of a comprehensive security audit to develop a security plan.
The security risk management framework
Depending on the size of the organisation, responsibility for developing and implementing the security strategy might fall to the one IT head or the CISO. Either way, the security strategy will vary greatly not just with company size but with the nature of the business.
There are several options for companies looking to adopt a formal risk management approach, and many organisations use the ISO/IEC 27001:2013 standard both as a framework for risk management and as a formal accreditation. There are alternatives for security accreditation, including the government-backed Cyber-Security Essentials scheme.
The key requirement is to investigate and fully understand the big three issues:
1. What are the key assets?
2. What are the vulnerabilities?
3. What are the threats?
Once you have answered those questions, you can begin to define a security strategy making the best use of the resources at hand.
The security strategy
The comprehensive risk assessment should establish the overall security posture of the organisation and identify the greatest areas of concern. At this point, the top-down strategy can begin with direction from C-level on the budget, scope and priorities for the organisation's security strategy.
The security strategy should identify business priorities, the intended security position the organisation wishes to achieve at a given point, and the way in which that should be achieved.
The security plan
The goal of the security plan is to achieve the aims of the security strategy and provide the most effective risk mitigation with the given resources. With as many as possible of the risks identified and prioritised, the security plan defines how each risk is mitigated. Against each asset and the relevant vulnerabilities, control measures and mitigation techniques are planned for implementation and periodic review.
It is a given that total security is simply not possible, so the aim of an organisation should simply be to present a harder target which is ultimately more expensive to breach.
Too much emphasis on one area to the detriment of another leaves an organisation just as exposed, with the risk shifted to a different part of the attack surface. To maximise the effectiveness of the budget and resources, security operations and investment should ideally be done within the scope of a security plan.
At this point, when evaluating a range of technology options, it is simpler to match the value of a particular product or solution against the requirements of the security plan. If the value is there, the business case is already half made. If you are looking at using a large part of the budget on a new platform, coverage of a major part of the security plan may provide a better justification than “it's a great logging platform!”
Cyber-Risk in 10 Critical Areas
Cyber Essentials Scheme
Cert Best Practices
Guide for developing security plans
Cyber-Security Planning Guide
ISO 27001 information
Contributed by Will Embrey, solutions architect, Hardware Solutions