The information Edward Snowden has published did not come as a surprise to many. However, it does shed light on what nation states are doing on the internet. Together with the continuous news concerning security attacks, it is long past time for organisations to rethink their security strategies.
Information is at risk – and organisations have to adequately protect their corporate information, especially the “crown jewels”.
Such “crown jewels” can include the intellectual property on which an organisation's competitive advantage rests. They clearly include information such as PII (personally identifiable information) that must be protected to meet legal requirements. And they include the systems and information required to run the production environment or, increasingly, the remotely manageable systems of customers.
But where to start? There are thousands of security solutions available on the market, and all of them claim to address severe security threats. Admittedly, most of them can help improve information security. But just picking one of these solutions is not sufficient.
First of all, before making a security investment, you need a thorough understanding of the security risks. Who are the potential attackers? Which are the potential attack targets? How likely are attacks? And what will be the impact of successful attacks?
Understanding security risks
It is all about understanding security risks. Risk management is a well-established discipline in many organisations. However, many organisations only focus on what they define as business risks, including strategic, operational and reputational risks.
They ignore the fact that information security risks are business risks. They can greatly damage the reputation of an organisation, for instance when customer data is leaked. They can cause massive operational problems, such as production downtime, compliance penalties, and the cost of getting systems up and running again. Information security risks can even turn out to be strategic risks, for example when the intellectual property behind a product is stolen or a brand suffers lasting damage.
Information security done correctly requires that organisations do a security risk assessment. It also requires the organisational infrastructure for IT risk management to be tightly integrated with enterprise risk management. There need to be clearly defined organisational roles, accountabilities and responsibilities for IT risk management.
Identifying the biggest risks
As part of a security risk assessment, the most severe risks need to be identified. Severity is a function of the probability of an attack and the impact of a successful one. Based on such a structured analysis, an action plan for information security can be developed. Within a structured risk analysis, some risks will show up that just cannot be prevented. In that case it is necessary to have a contingency plan that minimises the impact.
For other risks, it is about finding the right balance between investments for risk mitigation and the effect of these investments. In fact, this is very much the same as a decision about insurance contracts – in some cases, it is better to pay, in others it is better to take the risk. Security risk assessments help businesses make informed decisions about where to spend on risk mitigation and where to take the risk.
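To make the probability-times-impact reasoning above concrete, here is an added example that is not part of the original article: a small Python risk register that ranks risks by annualised expected loss and, for each risk, applies the insurance logic of the paragraph, choosing between a preventive control, a contingency control that only limits the damage, or simply carrying the risk. The risk names, control names and all figures are constructed for illustration and are not from the article.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Control:
    """A candidate investment. A control may cut the likelihood of the event
    (preventive), the loss when it happens (contingency), or both.
    None means the control leaves that factor unchanged."""
    name: str
    annual_cost: float
    residual_probability: Optional[float] = None
    residual_impact: Optional[float] = None


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # annual probability of the event, 0..1
    impact: float       # loss per occurrence, in currency units
    controls: Tuple[Control, ...] = ()


def expected_loss(probability: float, impact: float) -> float:
    """Annualised loss expectancy: average cost of this risk per year."""
    return probability * impact


def rank_risks(risks):
    """Most severe first, severity being probability times impact."""
    return sorted(risks, key=lambda r: expected_loss(r.probability, r.impact), reverse=True)


def net_benefit(risk: Risk, control: Control) -> float:
    """Expected loss avoided per year minus what the control costs per year.
    Negative means the control costs more than the risk it removes."""
    p = risk.probability if control.residual_probability is None else control.residual_probability
    i = risk.impact if control.residual_impact is None else control.residual_impact
    avoided = expected_loss(risk.probability, risk.impact) - expected_loss(p, i)
    return avoided - control.annual_cost


def decide(risk: Risk):
    """Return (decision, control name or None, net annual benefit).

    'mitigate'    - a preventive control pays for itself
    'contingency' - the event cannot be made less likely, but limiting its
                    impact is still cheaper than bearing the full loss
    'accept'      - no control is worth its cost; carry the risk
    """
    if not risk.controls:
        return ("accept", None, 0.0)
    best = max(risk.controls, key=lambda c: net_benefit(risk, c))
    benefit = net_benefit(risk, best)
    if benefit <= 0:
        return ("accept", None, 0.0)
    kind = "contingency" if best.residual_probability is None else "mitigate"
    return (kind, best.name, benefit)


# Constructed register: names and figures are illustrative, not from the article.
RISKS = (
    Risk("customer PII leaked from cloud storage", probability=0.2, impact=2_000_000, controls=(
        Control("field-level encryption plus IAM", annual_cost=150_000, residual_probability=0.02),
    )),
    Risk("nation-state intrusion into R&D systems", probability=0.3, impact=10_000_000, controls=(
        # Assumed not realistically preventable: the firewall barely moves the likelihood.
        Control("next-generation firewall", annual_cost=250_000, residual_probability=0.28),
        Control("offline backups and incident response retainer", annual_cost=200_000,
                residual_impact=4_000_000),
    )),
    Risk("theft of encrypted laptop", probability=0.5, impact=20_000, controls=(
        Control("MDM with remote wipe", annual_cost=40_000, residual_impact=5_000),
    )),
)

if __name__ == "__main__":
    for risk in rank_risks(RISKS):
        decision, control, benefit = decide(risk)
        line = f"{risk.name}: ALE {expected_loss(risk.probability, risk.impact):,.0f} -> {decision}"
        if control:
            line += f" via {control} (net +{benefit:,.0f}/yr)"
        print(line)
```

With these constructed figures the PII leak is worth mitigating (the control removes far more expected loss than it costs), the nation-state risk cannot be prevented cheaply, so the contingency control wins over the firewall, and the laptop risk is accepted because the control costs more than the loss it avoids. In practice the hard part is not the arithmetic but getting defensible probability and impact estimates; the value of the exercise is that it forces those estimates to be written down and challenged.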
Such an approach also requires understanding how the various elements of information security relate to and integrate with each other. Security risk assessments done right help in gaining an understanding of whether a particular technology can mitigate a given risk at all.
For example, if the most severe risks concern data stored in the cloud and accessed by mobile users directly via the internet, an investment in next-generation firewalls at the corporate perimeter will not help in mitigating those risks, because the traffic never passes through the firewalls.
Understanding the potential a technology has for risk mitigation is thus a mandatory step in a structured analysis of the information security programme. This brings us to the second aspect organisations have to consider: point solutions are bad!
A layered security approach is needed
Security investments should always have a bigger picture in mind.
Doing a structured security risk assessment helps in building such a picture of a security architecture that is related to the existing risks. Based on that, a portfolio of organisational and technical actions can be defined in which the selected technologies work together to build a layered security infrastructure.
The worst thing that can be done is investing in point solutions in “panic mode”. Such point solutions are rarely good investments. Frequently, they are focused on symptoms, not causes.
A common example is that systems or networks are at the centre of attention, when it is the information itself that needs protection. Information flows, and it must be protected at rest, in motion and in use. Starting with information-centric controls is therefore the most promising approach; system security and network security can add value on top of that, but on their own they can also simply fail to protect the data, as in the firewall example above. Protecting information and the access to that information – which makes IAM (identity and access management) a central element of security strategies – is the key to successful risk mitigation.
Combining a well-thought-out approach to the overall architecture for information security – the big picture – with a structured approach to security risk assessments helps organisations optimise their IT security spending.
Martin Kuppinger is founder and principal analyst at KuppingerCole.
This was first published in July 2013