Embracing the business of security
I don't often read LinkedIn postings (I'm more of a Twitter chick), but lately I've been checking out a bit more what thoughts, advice or articles my connections are sharing through this social media platform. I have to admit, it appears I've been missing out a little.
For sure, it does seem, as one connection noted recently, that some individuals are posting images or thoughts that really would be more fitting for, say, Facebook. I mean, most of the folks I know turn to LinkedIn as the platform to highlight professional achievements, showcase their thought leadership and connect with contacts – as opposed to sharing a personal issue or seeking a companion for date nights. But I'm getting off track a little already, as there have also been more solid and beneficial work-related postings popping up recently which gave me enough pause to discuss a few things with colleagues.
For example, Eric Cole, a longstanding information security player, had a few interesting comments, one of which all business leaders should really be considering now more than ever: “Pause and really think about this question: If your organization is currently compromised, how much confidence do you have in detecting it?”
Another query he posed: “Governance, metrics and oversights are critical for proper visibility – how mature is your security program?”
These questions really go hand-in-hand. The hope is that if you have a sound and thoroughly thought-out risk management and security strategy in place, you've accounted for all the controls and policies that go along with governance requirements and metrics that enable you to have a holistic view of your infrastructure. And, if you've done that right, one would assume you'd be able to know and go through pre-planned tactics in detecting and remediating a breach.
Yet I imagine the reality is there are few organizational leaders among us who would confidently stand up and say, “Of course we know when our network has been hit and we have both the long-term plans and the immediate steps down to deal with it effectively and efficiently.” One only needs to reflect on the bevy of advanced persistent threats and even more short-term and less surreptitious attacks that have proven successful for a range of cybercriminals lately.
Even if your company already has in place what you consider to be a sound plan, it should be reviewed regularly, along with the specific security controls that you've put in place across your network. How frequently is up to you, but just as corporate executives go through a periodic financial audit, so should they embrace one for security.
Of course, just the thought of going through the three primary phases of such a check – discovery, testing and recommendations/remediations – clearly can be painful, but it also is seriously eye-opening and, ultimately, greatly beneficial to safeguarding intellectual property, customer data, partnership connections and more.
At this stage in the cybersecurity game, you and your company likely already have undertaken steps, like classifying the data that actually needs protecting and implementing various and sundry security controls leveraging the likes of NIST or ISO standards, for example. Ensuring that both the long- and short-term plans around these are up to date and still relevant – through an auditing or verification process – is just sound business in an age of rampant cybercrime.
And as part of that, some areas that may sometimes get overlooked must be included. Examining what risks your company executives are willing to accept and ensuring that these are clearly laid out and agreed on in your plans is one area that we hear sometimes gets short shrift. Another crucial one is having a pretty robust business continuity plan in place that accounts for the various roles you and other stakeholders play when effectively addressing the technical, policy and compliance components of a breach.
Ultimately, taking a methodical approach to security, risk and governance planning must be part of the foundation of every organization these days. Sure, regularly verifying these strategies and tactics and accounting for every aspect of what must be done both pre- and post-breach is arduous, but it's only then that you can confidently answer those very relevant and thought-provoking business questions posed on the likes of LinkedIn by security practitioners like Eric Cole.