It has been suggested that you could define modern security with four words beginning with C: cloud, consumerisation, collaboration and cyber crime.
After all, they do summarise the main talking points for most people I encounter, though thankfully only one at a time. But could you pick a different letter? A recent report from Thales, which aimed to be a practical guide for companies to assess their cyber-security strategy, suggested that it could be the letter S – and no, we are not talking about sun, sea, sand and surfing.
OK, I am cheating to create a trend because Thales's S denotes ‘secure’ – its guide suggested that to help audit their cyber-security risk, businesses should secure: information; people; communications; and infrastructure.
Thales said that these four are the main areas of cyber security addressed by best-practice organisations. It advised organisations that wish to mitigate the risk posed by increasingly large-scale, sophisticated cyber attacks to ensure that they are allocating their investment in cyber security appropriately and not over-protecting non-sensitive data or under-protecting business-critical data.
On securing information, it recommended conducting an information audit to categorise information by value, reviewing the governance of information security and considering the impact of the organisation's culture on information security.
To secure people, it claimed that organisations often focus on providing staff with procedures and guidelines on their responsibilities to keep the organisation secure. It encouraged businesses to ensure that they are well-versed in the relevant legislative conditions that they should operate within, to roll out identity-based access to information so that people only access data they are authorised to view, to audit how personal IT is regulated in the workplace and, for home workers, to ensure that staff and the organisation are protected.
For communications, Thales recommended that this be underpinned by policy and procedures, by communicating the cyber-security strategy and information audit in a secure manner, and by investing in enterprise encryption to mitigate the risk of IP theft and data loss.
Finally, for a secure infrastructure, it recommended conducting an audit of service providers and measuring their security, reviewing service-level agreements, monitoring critical networks and reviewing information storage security.
Ross Parsell, director of cyber strategy at Thales UK, said: “Our report identifies what CIOs and security professionals should be thinking about when assessing the sophistication and effectiveness of their organisation's cyber-security strategy.
“We have developed this guide in response to the very sizeable and tangible cyber-crime threat facing businesses in 2012. We hope those with the heavy burden of developing and executing cyber-security strategies will be able to use this framework to stress-test cyber security measures which may already be in place across the business.”
If only life were easy enough to be pigeonholed into four areas. Well, it isn't, but sometimes it takes a breakdown such as this to realise that the challenges are more contained than they seem.