[BreachExchange] No more excuses: cyber security must be a C-suite priority

[Audrey McNeil]

http://www.continuitycentral.com/index.php/news/technology/
1346-no-more-excuses-cyber-security-must-be-a-c-suite-priority

Digital technology has fundamentally changed business practice over the
past decade. Cloud based applications dominate, workers routinely access
corporate information remotely via smart phones and access to the corporate
network increasingly includes supply chain members, contractors and part
time workers. Yet cyber security has failed to keep up: and some of the
responsibility has to lie with the C-suite.

Why are cyber security experts not involved from day one in every strategic
decision? Why are businesses still expecting the security team to take
responsibility yet leaving deployment in the hands of multiple departments,
from application development onwards? It is time to address the fragmented,
outdated, reactive attitudes to cyber security that still dominate.

While it is hard to imagine a new business initiative or strategic
development that is not IT driven, only 45 percent of boards participate in
overall security strategy. Yet not only is technology underpinning every
aspect of business, the increasingly fluid and agile way in which
businesses now operate has fundamentally changed the threat landscape, most
notably by massively expanding the attack surface. The number of
applications now being used by a huge and diverse user base, both within
and outside the organization, across personal smartphones, in the cloud
and, of course, IoT devices, has created a level of risk never before
encountered. Each one of those users or end-points becomes a target, a
point of potential vulnerability. Just consider that one hacked company can
compromise the operations of every business along an entire supply chain.
Or a single contractor who is compromised by an attack can become the
stepping-stone into the heart of your company. Cyber security practices
clearly have not kept up with this exploded attack surface, the near daily
exposure of breaches confirms.

The implications of this lack of senior level participation in cyber
security strategies are tangible.  First of all, security is reactive, with
experts consulted after strategic business decisions have been taken and IT
deployments rolled out – leaving gaping holes in the security plan that
simply cannot be effectively filled retrospectively. Secondly,
responsibility for security is not centralised but fragmented across
multiple silos – from application developers to network teams and those
responsible for remote access or end-point protection.

The result is that while security may be tasked with safeguarding the
business, achieving that objective can require interfacing with up to eight
different groups: all of which are focused on their own areas of
responsibility, rather than security. In some cases, security is not the
overriding, top priority of these teams, who are focused instead on
application or network performance and other fundamental functions. Even
then, security procedures and tools are implemented piecemeal, creating a
fragmented and confused picture across the organization.

While security remains a secondary business consideration and security
teams lack central control, the corporate risks will continue to rise.

Best practice in cyber security

The difference between those organizations that have a top-level commitment
to security and the rest is stark. The best practice approach ensures that
security is considered, evaluated and incorporated into the planning stages
of every corporate strategy – not addressed after the fact. Furthermore, a
dedicated security team – preferably led by a chief information security
officer (CISO) – has full, centralised control over policy and
implementation enabling the business to achieve uniform security across the
entire enterprise, rather than the fragmented, even contradictory solutions
often deployed on a departmental basis.

Critically, with security people involved in the planning stage from day
one, the company can ensure best security practices are baked in to the
project from the outset: and that best practice cyber technologies can be
embraced to both improve defence and drive business value.

For example, replacing a traditional – and vulnerable – rigid firewall with
a software-defined perimeter that is far more fluid enables a business to
remain secure despite constant operational change. A software-defined
perimeter that is disconnected from the infrastructure can drastically
simplify the complexities of adding or removing cloud applications, or
granting mobile access for a specific set of workers.  Similarly, the
adoption of software-defined wide area networks (SDWAN) enables
organizations to securely embrace the lower cost cloud computing model
while maintaining every aspect of the security posture – from policies to
encryption.

Essentially, with a centralised approach and a security strategy aligned
with business direction, organizations can move away from outdated thinking
about securing the perimeter. Simply put, security can no longer be about
managing devices and networks. It must instead be focused on managing users
and applications, and tightly aligned with the business objectives
associated with both. For example, role-based access control can enable an
enterprise to consistently enforce policies across the range of users and
applications, directly aligning that critical security function of remote
access with the overarching business objectives.

The most effective approach enforces these policies in the actual access
control process itself, building on existing policies for user access and
identity management. Then, when access is to be granted, the application
traffic is protected by cryptographic segmentation that prevents it from
being accessed by the non-permitted users.

This approach has the added benefit of blocking unauthorised lateral
movement, which is the hallmark of modern data breach vectors. If all
applications are protected by real-time role-based access control, and if
all user access is limited to only what a user needs to do their jobs, then
the compromise of one user does not grant access to everything. Lateral
movement is constrained and the breach is contained.

Organizations that embed this software-defined model within strategic
planning not only minimise risk but also support business innovation.
Consider a company looking to deploy a new application to its workers that
will increase productivity by 40 percent. Roll that out to the 50 percent
of staff that work at HQ and the benefits are clear; but build in security
planning from day one and that application can be securely extended to
mobile workers on their smart phones and part time contractors: suddenly
the 40 percent productivity gain is massively extended, boosting
performance and delivering ROI for the application itself far, far quicker.

Conclusion

When every business decision has a technology implication, cyber security
clearly needs to be led from the top; it must be organization-wide rather
than silo-focused; centralised and consistent. Done well, security is not
simply a defensive strategy, but an enabler of better enterprise
performance: and those organizations with a C-suite that prioritises cyber
security are not only in a far better position to minimise risk but also
well placed to drive tangible business value.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160819/acc88a62/attachment.html>