[BreachExchange] Placing cyber security at the top of the boardroom agenda

Audrey McNeil audrey at riskbasedsecurity.com
Wed Aug 24 17:51:44 EDT 2016


http://www.information-age.com/technology/security/123461916/placing-cyber-security-top-boardroom-agenda


It’s safe to say that the evolution of digital technology has truly changed
modern business practice.

From BYOD initiatives, remote working and cloud-based applications, to the
growth of the corporate network to include supply chain members,
contractors and part-time workers, there are now many points of entry for
an attacker to choose from.

The problem is, these changes in how businesses operate are not being
mirrored in changes to cyber security.

Cyber security experts are still not involved from day one in strategic
decisions.

Businesses still expect the security team to take responsibility, yet leave
deployment in the hands of multiple departments.

It is time to address the fragmented, outdated, reactive attitudes to cyber
security that still dominate today. By failing to embrace security
expertise and innovation up front, businesses are incurring far too much
risk.

The C-suite should put cyber security at the top of the boardroom agenda.

Keeping up with the exploding attack surface

The increasingly fluid and agile way in which businesses now operate has
fundamentally changed the threat landscape, creating a much bigger attack
surface.

The number of applications now being used by a huge and diverse user base,
both within and outside the organisation, across personal smartphones, in
the cloud and, of course, IoT devices, has created a level of risk never
before encountered.

Just consider that one hacked company can compromise the operations of
every business along an entire supply chain, or that a single compromised
contractor account can become the stepping stone into the heart of your
company.

The near daily exposure of breaches confirms that cyber security practices
clearly have not kept up with this exploding attack surface.

The implications of this lack of senior level participation in cyber
security strategies are tangible.

First of all, security is reactive, with experts consulted after strategic
business decisions have been taken and IT deployments rolled out – leaving
gaping holes in the security plan that simply cannot be effectively filled
retrospectively.

Second, responsibility for security is not centralised but fragmented
across multiple silos – from application developers to network teams and
those responsible for remote access or end-point protection.

The result is that while security may be tasked with safeguarding the
business, achieving that objective can require interfacing with up to eight
different groups – all of which are focused on their own areas of
responsibility, rather than security.

In many cases security is not the top priority of these teams, which are
focused instead on application or network performance and other
fundamental functions.

Even where it is addressed, security procedures and tools are implemented
piecemeal, creating a fragmented and confused picture across the
organisation.

While security remains a secondary business consideration and security
teams lack central control, the corporate risks will continue to rise.

Improving defences and driving business value

The difference between those organisations that have a top-level commitment
to security and the rest is stark.

The best practice approach ensures security is considered, evaluated and
incorporated into the planning stages of every corporate strategy – not
addressed after the fact.

Furthermore, a dedicated security team – preferably led by a chief
information security officer (CISO) – has full, centralised control over
policy and implementation enabling the business to achieve uniform security
across the entire enterprise, rather than the fragmented, even
contradictory solutions often deployed on a departmental basis.

Critically, with security people involved in the planning stage from day
one, the company can ensure best security practices are baked into the
project from the outset – and that best practice cyber technologies can be
embraced to both improve defence and drive business value.

Software-Defined Model

A traditional perimeter firewall is rigid: it assumes everything inside the
network is trusted and everything outside is not, an assumption that no
longer holds once users, devices and applications sit outside the office.
Replacing it with a software-defined perimeter, which authenticates and
authorises each user and application individually regardless of network
location, enables a business to remain secure despite constant operational
change.

A software-defined perimeter that is decoupled from the underlying network
infrastructure can drastically simplify adding or removing cloud
applications, or granting mobile access to a specific set of workers.

Organisations need to move away from outdated thinking about securing the
perimeter.

Simply put, security can no longer be about managing devices and networks.
It must instead be focused on managing users and applications, and tightly
aligned with the business objectives associated with both.

For example, role-based access control can enable an enterprise to
consistently enforce policies across the range of users and applications,
directly aligning that critical security function of remote access with the
overarching business objectives.

This approach has the added benefit of blocking unauthorised lateral
movement, which is a hallmark of modern data breaches.

If every application is protected by real-time role-based access control,
and every user's access is limited to what that user needs to do their
job, then compromising one account gives an attacker only that account's
permissions, not access to everything. Lateral movement is constrained and
the breach is contained.
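As an added illustration of the two preceding sections (this is example code written for this page, not anything from the article or its author), the following Python models the policy they describe: every application sits behind a default-deny check, access is granted only through roles, a role change takes effect on the next request, and the reach of any single compromised account can be measured and compared with a flat "anyone inside the perimeter can reach everything" model. The role, user, application and action names are constructed for the example.

```python
"""Default-deny, role-based access policy with a blast-radius audit.

Added example, not from the original article. All roles, users,
applications and actions below are constructed for illustration.
"""
from typing import Dict, FrozenSet, Iterable, List, Tuple

Permission = Tuple[str, str]  # (application, action)

# Each role carries only the permissions that job needs (constructed data).
ROLE_PERMISSIONS: Dict[str, Iterable[Permission]] = {
    "sales": {("crm", "read"), ("crm", "write")},
    "finance": {("ledger", "read"), ("ledger", "write"), ("crm", "read")},
    "contractor": {("ticketing", "read"), ("ticketing", "write")},
    "app-admin": {("crm", "admin"), ("ticketing", "admin")},
}

# Users are assigned roles, never permissions directly (constructed data).
USER_ROLES: Dict[str, Iterable[str]] = {
    "alice": {"sales"},
    "bob": {"finance"},
    "carol": {"contractor"},
    "dave": {"sales", "app-admin"},
}


class AccessPolicy:
    """Central policy: one place decides access for every application."""

    def __init__(self, role_permissions, user_roles):
        self.role_permissions = {r: frozenset(p) for r, p in role_permissions.items()}
        self.user_roles = {u: set(r) for u, r in user_roles.items()}

    @property
    def all_permissions(self) -> FrozenSet[Permission]:
        """Every permission any role can grant, i.e. the whole estate."""
        return frozenset().union(*self.role_permissions.values())

    def permissions_for(self, user: str) -> FrozenSet[Permission]:
        """Union of the user's roles; an unknown user gets nothing."""
        perms = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_permissions.get(role, frozenset())
        return frozenset(perms)

    def is_allowed(self, user: str, app: str, action: str) -> bool:
        """Default deny: only an explicit role grant allows the request.
        Evaluated at request time, so a revoked role stops working at once."""
        return (app, action) in self.permissions_for(user)

    def grant_role(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def blast_radius(self, user: str) -> FrozenSet[Permission]:
        """What an attacker holding this account can reach under RBAC."""
        return self.permissions_for(user)

    def reach_fraction(self, user: str) -> float:
        """Share of the estate exposed if this one account is compromised."""
        total = len(self.all_permissions)
        return len(self.blast_radius(user)) / total if total else 0.0

    def perimeter_reach(self, user: str) -> FrozenSet[Permission]:
        """Contrast model: a network perimeter that trusts every insider.
        Any known user, once inside, can reach every application."""
        return self.all_permissions if user in self.user_roles else frozenset()

    def overprivileged(self, max_fraction: float) -> List[str]:
        """Audit helper: accounts whose single-compromise reach exceeds a bound."""
        return sorted(u for u in self.user_roles if self.reach_fraction(u) > max_fraction)


POLICY = AccessPolicy(ROLE_PERMISSIONS, USER_ROLES)

if __name__ == "__main__":
    for user in sorted(POLICY.user_roles):
        print(f"{user:6s} rbac reach {POLICY.reach_fraction(user):.2f} "
              f"vs perimeter reach {len(POLICY.perimeter_reach(user))}/{len(POLICY.all_permissions)}")
    print("over 40%:", POLICY.overprivileged(0.4))
```

Running the module prints, for each constructed account, how much of the estate it exposes under RBAC against the flat perimeter model; `overprivileged` is the kind of check a central security team can run before a role is handed out, rather than after a breach.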

Organisations that embed this software-defined model within strategic
planning not only minimise risk but also support business innovation.

Consider a company looking to deploy a new application to its workers that
will increase productivity by 40%. Roll that out to the 50% of staff who
work at HQ and the benefits are clear; but build in security planning from
day one and that application can be securely extended to mobile workers on
their smartphones and to part-time contractors. Suddenly the 40%
productivity gain reaches far more of the workforce, boosting performance
and delivering a return on the application itself far quicker.

Conclusion

Cyber security needs to be led from the top.

When security is done well, it is not only a defensive strategy, but it
enables better enterprise performance.

Those organisations with a C-suite that prioritises cyber security are not
only in a far better position to minimise risk but also well placed to
drive tangible business value.