This editorial product was produced by the SC editorial team and underwritten by Informatica.
It is part three of a three-part series.
When considering data security needs in the 21st century and beyond, the bare-bones basics are still required, along with a few nimble, inventive moves on the part of IT security leaders. The need to trumpet the IT security must-haves that help protect data is also ever-present, but that doesn't mean that CISOs and their peers should force the issue.
While security has gotten more attention from the executive suite in the last year or so – due to well-known organizations and retailers experiencing headline-grabbing data breaches – this awareness isn't necessarily leading executives to embrace what some industry pros deem necessary security expenditures. Neither is it prompting CISOs and their teams to modify tactics to get immediate buy-in for security initiatives.
“I don't think I have seen things change too dramatically with regards to the voice of security,” says Ward Spangenberg, a member of Uber's information security team. “Sure, companies care about security, but, at the same time, if security slows the development and delivery of a product, security will be shelved.”
One steadfast strategy he employs and encourages others in his position to adopt: “I regularly approach security issues with the idea of implementing controls that are invisible to the user, or only minimally change their workflow. [It] doesn't matter who I'm working with within the company – the security solution cannot hamper delivery,” he explains. “Good security professionals should be practicing integration and look at how their security initiatives layer in with ongoing operations.”
Working such security controls into business practices is a key component of the “meta game of security,” agrees Becky Bace, chief strategist for the Center for Forensics, Information Technology and Security (CFITS) at the University of South Alabama. Pros would do well to balance “available resources between platform-centric and transaction-centric” operations to make that balancing act as dynamic as possible. For her, some of the key focus areas include the following:
- Strong identification and authentication are essential for the security health of your firm. Though we've been singing funeral dirges for passwords for at least a couple of decades, even fielding patches and compensatory measures to prop up classic mechanisms all that time, it's time to bite the bullet and move to stronger I&A for all systems handling corporate data. The size and breadth of losses associated with attacks readily thwarted by good I&A more than justify the cost. And, given the ubiquity of messaging systems (and well-hardened apps that protect the mobile endpoints), we have a credible means of handling the additional factor(s) that are required for I&A.
- When it comes to non-IT end-user interactions with security mechanisms protecting your systems, make it simple or make it transparent. You'll have exception cases, but you're far better off engaging behavior blockers where needed (monitoring for attempts to circumvent such blockers) than asking users to go through arcane or complicated interactions with their IT systems in the name of security. In cases where special circumstances require you to violate this rule, invest in preparatory training for users and staff so that everyone knows what's expected of them – and what they might expect of you.
- Build your security staffs with balance in mind. One of the biggest mistakes I've seen security managers make in populating their security staffs is to fail to acknowledge the diversity of skills required to handle the work at hand. Staffers who are gifted hackers are rarely happy assigned more linear, orderly GRC tasks, while the best IT auditor may well be overwhelmed by incident handling, especially when the attack(s) in question are still underway. Both may be introverted and displeased with tasks that involve interacting with users or others critical to the security mission. Other staffing mistakes often made are to neglect funding ongoing training, especially critical for security professionals, and to fail to make an effort to diversify the makeup of the team.
- It's especially important, as more corporate assets are in purely digital form, and as those furthermore go to the cloud, that you and your security team understand how best to interact with state, local and international authorities who may have jurisdiction in security incidents. An investment in time and effort spent identifying the parties with which you are most likely to interact is a good one. The next steps involve scheduling some discussion time to identify how best to interact and in what circumstances each of you should contact the other. You may consider this a non-essential investment, but, as in the physical world, having a good relationship in place before it's exercised reduces the stressors for all involved. If you choose to outsource the entire incident-handling mission, this investment in interactions with the authorities should be an absolute requirement of anyone you select.
- If there's a single thing I think is inevitable in the road ahead, it's that we'll find ourselves increasingly blurring the difference between "wetware" and "hardware" entities within our security domains. It will become increasingly important to have strong I&A for both human users and devices and systems. Furthermore, I&A of specific applications, processors, even autonomic devices, will be critical to both safety and security certifications and standards. As robotic devices become even more integral to our transportation, health care, energy and manufacturing infrastructures, security professionals will be charged with designing security policies and enforcement programs for them in addition to our users.
End-users, though, especially as cybercriminals increasingly target executives with spear phishing and other attacks, will continue to be a worry that helps drive how security controls are implemented across an organization, says Spangenberg. “The security leader has to realize that everyone will eventually get fooled and, for that reason, they need to build in multiple layers of support.” – SC editorial staff