Whether you’re at a cybersecurity conference, participating in a webinar, or reading an article like this one, you are often bombarded with these catchy sayings regarding enterprise security: “It’s a team sport”; “It’s about tech, people, and process”; or “It’s not a tech issue, but a business issue.” Then you are told that you need a compliant information security program, along with an incident response plan, that is certifiable to any one of the NIST, COBIT, ISO, or other popular frameworks, so you can avoid the wrath of the regulators. Okay, all true, but what does that really mean?
To help clear things up, let’s look at what the National Institute of Standards and Technology (NIST) has to say. According to NIST, an information security program is a “formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements.” NIST also recommends that you implement an incident response plan—“a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber-attack against an organization’s information systems.” The NIST then points out in its framework for improving critical infrastructure cybersecurity that there’s no one-size-fits-all approach to managing cybersecurity risk. Wait. What? Again, all true, but what does that really mean?
To best help you get a sense of what an enterprise security program really is and provide you with some key takeaways in developing and implementing one, I’ve pulled in the experts to provide you with their thoughts. Here’s what they had to say:
Kevin J. Burns, Chief Information Security Officer, Draper Labs:
The highest priority for any enterprise security program is that it aligns to the short and long-term business goals. It is immeasurably valuable to routinely (via an enterprise security board) include input from the business managers and line staff into security program technologies and processes. The enterprise security board truly drives adoption and ensures adherence to policies company-wide in so far as within the board, users, senior leadership, and decision makers are present and their input adopted, and then presented to the Board of Directors.
The program should be built upon a hybrid model of bottom up, bi-directional in the middle, and most importantly top down adoption. These collaborations are a major shift from the siloes that previously existed and necessitate a change in attitude. Only when all within the business have bought into the program does it become successful.
Etay Maor, Executive Security Advisor, IBM Security:
Your enterprise security program should not be a “check mark” on the auditors’ page. That approach trickles down and is manifested in the operational and tactical levels resulting in the minimum necessary investment in cybersecurity policies, procedures, tools, and training. For an effective enterprise security program, organizations should make cybersecurity a goal or a business differentiator and develop a cybersecurity culture on the strategic level that is then clearly represented in its program. Also, make sure your incident response teams are not just the technical/operational teams, you need legal, PR, R&D, DEVOPS, senior management, and the Board engaged. I personally think that the most important element of incident response is that the teams must be trained in simulated attacks so that when the time comes no rules or procedures are written on the fly; it’s all muscle memory. Train hard, fight easy!
Kevin L. Swindon, Corporate Vice President, Global Security, Charles River Labs:
With the on-going trend of the convergence of physical and IT security and the fact that organizations are facing complex blended threats, it is now imperative that organizations take a holistic approach to protecting their assets. This needs to concentrate on three critical areas: risk; compliance; and preparedness. A security program must always minimize the risk to the organization’s assets while ensuring compliance to both internal and external requirements such as local, state, federal and international regulators. A key factor in the success of any enterprise security program is the organization’s ability to respond to and mitigate a critical incident. To ensure the organizations readiness, they must continually test their ability to respond and make practicing their preparedness a part of the corporate culture.
Cheryl Davis, Managing Director, Cybersecurity, FTI Consulting—Washington, D.C:
An enterprise security program needs to take into account that cybersecurity is more than just an IT issue and recognize that cybersecurity risks impact the entire business. Thus, the first step in developing a program is having a thorough understanding of an organization’s critical data and assets. Overlaying on this the risk landscape—which is unique for each organization—will enable leadership to prioritize and tailor measures to enhance the resilience of such critical assets and data to threats and vulnerabilities. It is also critical to have a response plan in place prior to an incident. This plan should lay out the process for responding to an incident, include key stakeholders across the organization, and clearly state their roles, responsibilities and expectations during an incident. The plan should also identify thresholds for elevating decision making and when to engage third party expert support and law enforcement. In the heat of an incident response where there are so many moving parts—from the technical response, to determining if notifications to regulators or law enforcement is necessary or required, to releasing any public messaging—all stakeholders must be aware of their incident response responsibilities and be active participants.
Scott T. Lashway, Partner, Holland & Knight, LLP—Boston Office:
I believe cybersecurity risk lies at the intersection of humans, technology, and the law, and these circles represent the core aspects needing to be addressed by an effective security program. Although you cannot control exactly how all cyber risk is presented to your organization, you can, and you must, control and manage your response. It is critical, however, to align the security program to the organization’s (business) strategies and objectives; without doing so, the program can become an obstacle or can be ignored all together. Organizations should also seek legal advice as to all matters and risks presented by a security incident; from strategies and tactics of an investigation as well as compliance with the constantly growing morass of relevant laws and regulations, to seeing around every foreseeable corner to prepare for risks that have not yet materialized. You really need to begin preparing your defense from day 1 of any investigation and, with any luck, long before an incident develops.
Thanks to the above input from our contributing experts, you now have some clarity as to what it really means to have an effective enterprise security program. Most importantly, you should realize that cybersecurity is not just cool buzzwords and taglines or a check in the compliance box. Instead, cybersecurity is complex and something you should not try to learn and do on your own. Listen to the professionals. You won’t regret it!