[BreachExchange] Security Think Tank: Close interdisciplinary ties are key to security integration

Destry Winant destry at riskbasedsecurity.com
Tue Aug 6 10:17:06 EDT 2019


https://www.computerweekly.com/opinion/Security-Think-Tank-Close-interdisciplinary-ties-are-key-to-security-integration

Security, and specifically IT security, has for a long time been
viewed as a bottom-line cost and therefore something to be minimised.
But is it a bottom-line cost? Has a risk analysis of the company’s
business been done and did it take IT security into account? Has a
benefits analysis been done?

In a typical large enterprise, there is generally no argument over the
cost of the benefits packages given to senior sales staff. It is seen
as a cost of doing business. Treating security as a cost to be
minimised, by contrast, is out of step with the current reality, where
the internet has become the major highway connecting companies to their
customers and clients.

However, the very same internet is being stalked every minute of every
day by hackers, crackers, hacktivists and professional cyber
criminals.

Infosec is critically important, given that databases are increasingly
at the core of many business operations. What is held in these
databases is sensitive and critical data covering areas such as
personal details (staff, contractors, customers, subscribers),
financial information (accounts, budgets, salaries, sales and purchase
ledgers), asset information (hardware, software, licences, real
estate) and project data (resources, Gantt and PERT chart data,
budgets).

A company’s data architect, or database architect, needs to work
hand-in-glove with the company’s information security and IT
professionals. Together they should ensure that the data held in the
various databases is protected to a level appropriate to an agreed risk
profile, and that the resulting IT/cyber security controls support,
rather than hinder, business goals.

It goes without saying that an information security champion on a
company’s board will help immensely in achieving these goals, although
a board should also have a champion who has an understanding of
databases and virtualised computing (could be the same champion).

Beyond the board, creating and maintaining close working relationships
with other areas of a company is vital, because it ensures that
projects – be they information security, database or IT infrastructure
– complement and effectively support other groups, projects or
systems.

Some of those vital working relationships will include:

- The company’s business groups – they “own” the data.
- Development groups – they design and build the infrastructure and
systems that run a company.
- Operational management – they “run” the infrastructure and systems.
- Change management – changes are inevitable, and each must be reviewed
and approved by infosec and by the other groups the change affects.
- Compliance – finance, regulatory, contractual and including the Data
Protection Act 2018 and the EU General Data Protection Regulation.
- Third-party IT service suppliers – Amazon Web Services, Azure,
Google and so on, application service suppliers, their partners and
others.

The close relationships between IT/cyber security and data architects
and the groups identified above must ensure that security is fully
involved in any project from the very earliest stage of inception, and
that it is included in the budgetary processes.

Databases, too, have often been implemented without a full and deep
understanding of the security implications. For example, if a web
front-end passes end-user input into database queries without proper
validation and, more importantly, without parameterising the query, the
database is exposed to SQL injection and the attacks that follow from it
(data theft, data tampering, or access to the underlying host).
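The following is an added example, not part of the Computer Weekly article or of any product it mentions. It uses Python's standard-library sqlite3 module with a constructed three-row staff table to show the failure the paragraph describes: a front-end that splices user input into SQL text leaks every row (and the table schema) to a crafted username, while the parameterised version of the same lookup treats the payload as an ordinary string. The allow-list check is a defence-in-depth layer ("boundary checking" in the article's terms) and is deliberately not the primary control.

```python
import re
import sqlite3

# Constructed sample data for the example (not taken from the article).
SAMPLE_ROWS = [
    ("alice", "Finance", "alice@example.test"),
    ("bob", "Sales", "bob@example.test"),
    ("carol", "Engineering", "carol@example.test"),
]

# Hypothetical allow-list for usernames: lowercase letter, then up to 31
# lowercase alphanumerics or underscores. Input validation is useful, but it
# is a secondary control; parameterisation is what actually stops injection.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def build_db():
    """Create an in-memory database holding the constructed staff table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (username TEXT, department TEXT, email TEXT)")
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Front-end style query that concatenates user input into the SQL text.

    Whatever the user typed becomes part of the statement, so quotes,
    OR clauses, UNIONs and comment markers are all interpreted as SQL.
    """
    query = (
        "SELECT username, department, email FROM staff "
        f"WHERE username = '{username}'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Same lookup with a bound parameter.

    The driver sends the SQL and the value separately; the value can never
    change the structure of the statement, however it is spelled.
    """
    query = "SELECT username, department, email FROM staff WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def validate_username(username):
    """Boundary check: reject anything outside the expected username alphabet."""
    return USERNAME_RE.fullmatch(username) is not None


def demo():
    """Run both lookups against a benign name and two injection payloads."""
    conn = build_db()
    benign = "alice"
    # Classic tautology: turns the WHERE clause into  username = '' OR '1'='1'
    dump_all = "' OR '1'='1"
    # UNION against SQLite's catalogue table, trailing quote commented out.
    schema_leak = "' UNION SELECT name, sql, type FROM sqlite_master --"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_dump_all": lookup_vulnerable(conn, dump_all),
        "vulnerable_schema_leak": lookup_vulnerable(conn, schema_leak),
        "safe_benign": lookup_safe(conn, benign),
        "safe_dump_all": lookup_safe(conn, dump_all),
        "safe_schema_leak": lookup_safe(conn, schema_leak),
        "validation": {
            benign: validate_username(benign),
            dump_all: validate_username(dump_all),
            schema_leak: validate_username(schema_leak),
        },
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script shows the asymmetry the article is pointing at: the vulnerable lookup returns all three staff rows for the tautology payload and the `CREATE TABLE` statement for the UNION payload, while the parameterised lookup returns an empty result for both and the correct single row for `alice`. The allow-list rejects both payloads as well, but it should be read as a second line of defence for the case where a developer somewhere bypasses the parameterised path, not as a substitute for it.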

For too long, IT/cyber security has been an afterthought and often an
expensive afterthought.

