In our last instalment, we talked about how the specific details of your strategy should be governed by your business. This is a key element of a security strategy that addresses the root causes of the risks your organisation might face.
Another such key element is to increase the scope of security beyond IT to the entirety of the business. This is because security that doesn’t cover the whole business - root causes or not - isn’t much better than no security at all.
It is my personal experience that security functions typically have some limited control over what happens in IT, and a level of unenforced guidance over Engineering or similar technical departments. However, they often have little to no control over the rest of the business.
The problem is not just that security doesn’t have the needed influence, it’s that there’s often little awareness too.
This is a problem because not all breaches happen in the core IT function or systems. In fact, I believe the ratio of breaches that are initiated outside of the IT department is increasing. That means that many IT security functions are blind to the issues increasingly likely to hurt their organisations.
Take the recent MGM breach, where a service desk handed out a (presumably) privileged account to a malicious individual. This is clearly a high-risk area, but how many security functions go through their company’s service desk workflows to assess risks and implement controls for this type of activity?
Another recent example is the PSNI (Police Service of Northern Ireland) breach, where sensitive information on thousands of officers was leaked simply because raw data had been left in a tab of a spreadsheet. A department handling Freedom of Information requests is likely to process all kinds of sensitive and protected information, and mistakes happen. But how many security functions have actively gone through those processes and made sure there were controls to ensure any releases were validated?
One I particularly liked was an Uber data breach in the United States where a third-party law firm that held all their driver data was compromised. The kicker was that the Uber legal department was faxing these records over. In other words, it is extraordinarily unlikely any kind of Data Discovery or Data Leakage protection solution would have caught it, even if it were in place. This highlights why first-hand knowledge of business processes is important.
More recently, when speaking to a customer’s infrastructure department, we discovered that a facilities maintenance firm had a direct connection into their internal network to monitor certain mechanical systems. This completely bypassed several firewalls and access controls unbeknownst to the security department. Millions in annual security spending were potentially circumvented due to this lack of internal knowledge.
These cases highlight the importance of security getting involved in overall business processes and not just IT. Otherwise, as many companies are finding out, the entire security investment can often simply be side-stepped.
This is why I believe that the primary goal of a security programme (we just launched a whole series on how to build one, check it out!) should be to go through all business processes, including IT, and define ‘what good looks like’.
This is critical because, historically, we have largely ignored sources of security vulnerability in other departments outside the tech silo.
To recap, a security transformation that makes our organisation inherently more secure can be achieved by applying the following two main principles:
- Moving security far further left in its approach, so it addresses root cause as a quality function rather than fighting symptoms as an operational function. Essentially, stopping vulnerabilities from being introduced in the first place.
(We are not counting vulnerabilities that should be covered/remediated by an operational process, such as patching. These should be automatic if processes are truly mature.)
- Broadening security by bringing it into all areas of the business and their associated processes. This is to ensure we have no hidden areas of exposure or risk, and that we are able to apply the principles in point 1 to all areas of the business as needed.
These two elements work together to diminish the risk the whole organisation produces in the first place. It is what we’ve tag-lined as “Do less cybersecurity, do more business securely.” It also increases the cohesion and effectiveness of the security operations, thus covering any residual risk.
You end up with cumulatively fewer incidents to deal with, and better detection and response rates on what is left.
Join us for our next instalment, where we explore how this different way of approaching security doesn’t just continuously improve our organisation’s security posture, but also generates additional business benefits that can help security teams gain invaluable traction with the business.
Contributors
- Greg Van Der Gaast, Security Advisor to CDW