
Security Operations: Don’t Forget the Rest of the World

As cliché as the saying is, it is quite true that we live in a global world. It’s not uncommon for a large enterprise to operate in 100 countries or more. Many of us routinely collaborate with people across several continents. As businesses have gone global, their respective security operations programs need to be global as well.


As obvious as this statement may sound, taking a security operations program global is something deeply challenging for many organizations. More often than not, information security efforts and resources tend to be concentrated more heavily around the organization’s home country and region. Theories abound as to why, but in practice, going global with security involves many intricate and complex details. I’d like to discuss a few points to consider when going global with security operations in this piece. Though far from exhaustive, I hope it will be helpful for the reader.

Visibility

Whether a business grows organically, through investments, or via mergers and acquisitions (M&A), it can be difficult for the security team to keep up. One of the biggest challenges that comes along with business growth is maintaining proper visibility across the enterprise to support security operations. Some important questions to consider are:

• Is there a good relationship between the business side and the security side to keep abreast of business expansion?

• Can I leverage my business relationships to keep tabs on new information technology assets?

• Do I know what my network looks like?

• Do I know how many ingress/egress points I have and where they are?

• Do I have sufficient logging and alerting at each point of presence?

• Is my intelligence sourced in a geographically diverse manner, or is it primarily sourced from one geographic location?

People

People always play an important role in the security operations picture, but particularly in a global world. With people and assets spanning the globe, having the right people, not only within the security team but also across the various locales, becomes extremely important. Some relevant questions include:

• Do I have the necessary relationships with the appropriate local IT staff for containment, remediation, and other needs?

• Am I aware of local laws and regulations governing data protection, privacy, and/or getting equipment in and out of local facilities?

• Do I have the appropriate human resources to scale to 24×7 coverage (whether centralized or decentralized)?

• Does the team have the skills and expertise required to successfully monitor a geographically diverse enterprise?

Process

Process is the glue that holds people and technology together within a security operations environment. Process helps to bring order to the chaos and maximize the efficiency of available resources, both human and machine. As the business grows, so does the importance of process. Here are a few points to consider:

• Do I understand the risks and threats unique to each geographic area?

• Can I develop the appropriate alerting aligned to the risks and threats faced by each geographic area?

• Do I have the ability to trace events back to individual endpoints and users at all locations?

• Am I able to perform incident response and forensics at all locations?

• Do I have the ability to contain and remediate at all locations?

• Am I devoting proportionate attention to all sites around the world?

Technology

Of course, without technology, people and process cannot function effectively. Going global as a business means going global with security technology as well. If there are information technology assets and/or sensitive data in a location, there needs to be security at that location as well. Interesting ideas to consider are:

• Have I covered all ingress/egress sites and all points of presence on the network?

• Do I have a consistent security technology stack to ensure people can maintain proficiency and that operations and maintenance (O&M) is simplified?

• Do I have the ability to ensure uptime and reliability of the security stack in all locations?

• Do I have consistent controls across the network and endpoints?

• Am I able to log and alert as necessary at all locations?

Workflow

As we know, people, process, and technology work together and flow directly into the security operations workflow. Globalization can introduce complexities into this workflow that can impede the maturity of a security program. Here are a few points to consider regarding that:

• Do I have the ability to provide security operations 24×7?

• If I use a follow-the-sun model, do I have the ability to recruit, train, and retain the necessary talent across different geographic locations?

• Can I ensure smooth handoffs between shifts?

• Do I have the right tools to manage a round-the-clock, geographically diverse operation?

• Can I perform handoffs to local IT teams for containment and remediation?

Communication

As with any business function, communication is an integral part of a successful security operations function. Good communication is difficult to achieve on a local or national scale, and on a global scale, it is extremely difficult. Some thoughts to consider, while certainly not exhaustive, are:

• Can I manage policy, process, and communications across multiple languages and cultures?

• Will I be able to communicate effectively with local resources?

• Will the necessary training and documentation be accessible across geographically diverse locations and localized for specific languages as necessary?

Although home is where the heart is, it’s important to remember not to devote the overwhelming percentage of security resources to your home geographic area if that’s not where the overwhelming amount of your business and its assets are located. Although challenging, taking security operations global is the new normal for the 21st century enterprise. While far from an exhaustive guide to taking security operations global, hopefully this piece has been able to highlight some points to consider for the global security operation.


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
