When Devising a Security Strategy that will Work for Your Organization or Industry, you Must Start with the Concept of Value...
Securing an enterprise’s data can be an overwhelming task, and sometimes it’s easy to lose sight of the forest for the trees. We get so caught up in the sheer volume of information, and in trying to ensure that every possible threat is mitigated, that we often set ourselves up for failure. In my opinion, one of the biggest inhibitors to securing an organization’s most critical information is treating all data as if it had the same value.
We have witnessed some very public and embarrassing examples of late in the government sector that highlight that all data is not the same. These situations have also shown the damage that can be caused when an organization’s most sensitive information is made public through a failure of security or process. Last week’s sentencing of Pfc. Bradley Manning was the latest, but certainly not the only, case of high-profile damage resulting from a leak of classified information. The Edward Snowden case continues to dominate the headlines and has turned an insider-threat case into an international incident, pitting two of the world’s global powers against one another. And in another well-documented case, former Central Intelligence Agency officer John Kiriakou is now serving a sentence of 30 months for sharing classified information with a reporter. This list will continue to grow.
What do these examples tell us? Mainly that somewhere along the line there was a security breakdown in either systems or protocol that allowed the most sensitive of material to be shared outside the organization. And while no organization wants to suffer a breach or loss of information, the reality is that it’s going to happen. With that in mind, anyone charged with security should continuously be asking themselves: what information do we have that would (a) be most attractive for a hacker to steal, and (b) cause the greatest harm to the business if it were compromised? These two questions form the basis of what we call “predictive security” and should be at the core of every organization’s security strategy.
Enterprise organizations can be complex, and it may be impossible for a single security officer to have the insight into all of the organization’s processes that is required to answer these questions effectively. That is exactly why a defined process is needed. Security, in order to be successful, must be a top-down proposition. Just as the executive team puts business plans in place for growing the business and achieving market share, it must also play an active role in determining security strategy. While I don’t advocate that technical decisions be made in the C-suite, I do advise executives to determine what constitutes the biggest threats to the organization and then empower the security experts to take the necessary steps to combat them.
In order to be successful in security, the process must be part of an organizational approach. As I referenced in a previous SecurityWeek column, everyone is a security manager. If I have learned anything over two-plus decades in this industry, it’s that you can’t leave security as the sole domain of just a few and expect to be successful. As threats and vulnerabilities continue to evolve, it is incumbent upon organizations to empower all of their employees to take an active role in their own network security. There are still too many who mistakenly view security as a point-in-time activity rather than a process, leading to a breakdown in the level of vigilance needed to create an effective security culture.
The intent of this message is that while technical decisions are the responsibility of the security team, employee behavior, identifying risky procedures and activities, and creating an environment that takes security seriously are the responsibility of everyone. As the examples above highlight, security is not simply a piece of technology that can be plugged into the network, but a commitment and process that must be instilled into the corporate culture.
When devising a security strategy that will work for your particular organization or industry, you must start with the concept of value. While it would be nice to be able to secure every bit of data or information on your network, practically speaking, that is a nearly impossible task. By focusing your attention and budget largely on the information that holds intrinsic value to your organization, you can build a security protocol to protect it.
Security can sometimes be a series of tradeoffs made to ensure that you protect the most vital assets, the “high-value” targets, while properly balancing risk against business operations. A good analogy would be travel. Why are you subjected to much greater scrutiny and security when you travel by air as opposed to by train or bus? Because of the risk involved and the perceived value of the threat. Think of this example when it comes to your own strategy: corporate IP is the equivalent of airport security, whereas office supply lists and holiday card distribution reside in the bus terminal.