Security puzzle calls for some joined-up thinking
The age of digitisation brings new risks to organisations, so security needs to be more integrated
As the technology revolution rolls on, organisations around the world are starting to see the benefits of greater and greater levels of interconnectivity. Digitisation initiatives are aimed at tackling bottlenecks in business processes, bridging the air gaps that have existed between traditionally disconnected processes, and enabling information to flow freely, both across silos within the same organisation and to and from external partners.
In a series of Computer Weekly Security Think Tank articles, a panel of experts discussed the new risks that come with digitisation and why they mean security needs to be more integrated.
As Sandeep Godbole, past president of ISACA Pune Chapter, points out, the adoption of technology has exposed modern organisations to two sides of the same coin – the opportunities on one side and the risks of the connected world on the other.
These opportunities and risks affect the organisations in diverse ways, he says. Some have operational impacts, while others may have strategic impacts. “Good governance requires that opportunities and risks having a profound impact on organisations be monitored and the required actions be taken,” says Godbole. “Embracing the opportunities may require setting up the enablers, including organisational structures, technology capabilities, building human capital and supporting the change.”
Addressing the risks requires the implementation of appropriate security controls, tools and processes that mitigate the risks, says Godbole. “Since the connected world enabled by technology presents organisations with risks and opportunities, appropriate security measures play a key role in modern organisations. Addressing risks and providing adequate protection enables organisations to leverage technology. Security, therefore, plays a role of an enabler in organisational strategy.”
Recent research from Ovum found that organisations’ approaches to handling and addressing digital risk vary wildly. Ovum research director Maxine Holt says: “Handling new risks is a consequence of expanding digitisation. The need and ability to manage risk does not cease at an organisation’s boundaries in this increasingly connected world.”
Holt warns that ignoring or preventing the opportunities presented by digital transformation is not a practical option for information security functions. She believes digital risk is an “essential” inasmuch as the organisation must take risks if it is to move forward. Holt explains: “The most risk-averse organisation could avoid digital transformation but simultaneously is likely to lose the edge on its competition or provide a poorer service to citizens.”
For an organisation to be sufficiently effective and efficient, Holt says it needs to be able to discover, manage and mitigate digital risk. This, she says, requires greater integration between internal functions – particularly governance, risk, compliance and security – as well as across the partners that supply or underpin many of the newer technologies being exploited.
Holt suggests that appointing someone with responsibility for organisational digital risk can enable joined-up and better strategic decision-making for a more integrated approach to risk management. According to Holt, the idea of creating a digital risk officer role is a big step forward, as surprisingly few organisations have someone in this role.
“A team under the remit of the digital risk officer should be created to address the risks of digital transformation projects – knowledge is needed from across senior risk, compliance, IT, technology, legal, audit and cyber security staff,” she says. This team should aim to establish a central risk taxonomy to enable a common understanding of individual risk types throughout the organisation, says Holt.
In the past, separate siloed risk management has often resulted in tick-box compliance. Paddy Francis, CTO at Airbus CyberSecurity, says: “Integrating all these different aspects of risk into a single framework gives a better view of the overall operational risk to the business and allows development of mitigation strategies that work for the business as a whole.”
Francis believes IT security professionals should play a key role in moving to an integrated risk management approach, and he makes the case for security teams to consider risks and mitigations in the context of the enterprise rather than just IT. “IT professionals and other risk owners must have, or gain, an understanding of the business drivers so they can see the risks in the right context and make appropriate risk mitigation trade-offs and not focus solely on their own area, while creating new risks elsewhere,” he says.
Francis says IT risk and related risks such as the IT security contribution to business continuity management and General Data Protection Regulation (GDPR) compliance should be brought together into a central integrated risk management strategy.
If organisations want to make integrated risk management work, Deshini Newman, managing director EMEA at (ISC)2, believes information security practitioners need to be integrated into the heart of the risk management reporting and evaluation process. “They simply cannot be downstream of it and still be expected to operate quickly and proactively when a security concern manifests itself,” says Newman.
Ovum’s Holt recommends that information security professionals involve senior management to help drive integrated risk management. “Business-focused information security functions can represent and communicate the need for integrated risk management to those who can change the firm’s approach,” she says.
The overall goal should be to provide a joined-up approach to risk management that enables organisation-wide risks to be prioritised and addressed according to enterprise needs. For Holt, a major benefit of such an integrated approach is that it improves business alignment of the organisation’s security posture.
But, as Francis points out, setting up an integrated risk management approach for an enterprise is not trivial and will result in new processes and procedures, which in most cases will need some level of tool support. He says: “IT and IT security have a central part to play in moving from traditional risk governance to integrated risk management, but as is often the case, leadership needs to come from the centre if the process is to be successful.”
For Newman, reporting is paramount, but so is clear governance, education and clear understanding. “Security professionals need to ensure other, non-IT parts of the business can understand the context of the cyber security risk in discussion, and relate to the broader and theoretical data and compliance risks being identified and communicated,” she says.
Newman also recommends that information security professionals have a clear vertical view of risk through the business. This means being embedded with other teams to understand the operational challenges, be they technology, process or regulatory. She recommends a unified approach to risk, saying: “One of the greatest pitfalls of risk management is not maintaining a unified approach to actioning strategy, policy and process. So, document everything and make a plan, revise it, communicate it to every stakeholder and, most importantly, follow it but be prepared to change your plan if the needs of the business change.”
The good news, says Godbole, is that platforms that provide visibility across multiple areas of the IT estate within an organisation are now available. These platforms can help IT security professionals to set up an efficient and integrated monitoring and security alerting environment, he says. “The security information and event management (SIEM) platforms have provided a unifying technology solution for security monitoring for more than a decade. Platforms like these have evolved over the years, making them comprehensive and efficient. Many SIEM tools now support user behaviour analytics that identify disruptive behaviour or actions in a timely manner.”
Godbole says such tools give IT security professionals a unified view of security across assets and security controls, which helps to reduce the response time to risks and threats identified by the platforms. They also offer automation, integration and analytics.
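To make concrete what the unified monitoring and user behaviour analytics described above actually do, the following is an added example written for this page; it is not code from the article, from Godbole, or from any SIEM product. It normalises constructed login events from two unrelated sources (a syslog-style VPN concentrator and a JSON-logging SaaS application) into one schema, learns a per-user baseline of countries and login hours from a training window, and then scores later logins for a new country, an unusual hour, and travel that is physically implausible between two logins. The log formats, the scoring weights, the four-hour travel window and the alert threshold are all assumptions chosen for the illustration; the country labels are carried in the logs because the example runs offline with no geolocation lookup.

```python
"""Toy user-behaviour-analytics pass over login events from two sources (added example)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input. Days 4 and 5 form the baseline; day 6 is scored.
VPN_LOG = """\
2024-03-04T08:12:03Z vpn01 login user=alice src=203.0.113.10 geo=GB result=success
2024-03-04T08:40:55Z vpn01 login user=bob src=198.51.100.7 geo=GB result=success
2024-03-05T08:05:10Z vpn01 login user=alice src=203.0.113.10 geo=GB result=success
2024-03-05T09:15:42Z vpn01 login user=bob src=198.51.100.7 geo=GB result=success
2024-03-06T08:09:31Z vpn01 login user=alice src=203.0.113.11 geo=GB result=success
2024-03-06T03:21:09Z vpn01 login user=bob src=192.0.2.45 geo=RU result=success
"""
SAAS_LOG = """\
{"ts":"2024-03-04T09:02:11Z","user":"alice","ip":"203.0.113.10","country":"GB","action":"login","ok":true}
{"ts":"2024-03-05T09:11:47Z","user":"alice","ip":"203.0.113.10","country":"GB","action":"login","ok":true}
{"ts":"2024-03-06T08:30:02Z","user":"bob","ip":"198.51.100.7","country":"GB","action":"login","ok":true}
{"ts":"2024-03-06T08:44:19Z","user":"alice","ip":"192.0.2.99","country":"BR","action":"login","ok":true}
"""
BASELINE_END = datetime(2024, 3, 6, tzinfo=timezone.utc)  # assumed boundary for this demo

VPN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login user=(?P<user>\S+) src=(?P<ip>\S+) "
    r"geo=(?P<country>\S+) result=(?P<result>\S+)$"
)


def _ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_vpn(text):
    """Normalise successful syslog-style VPN logins into the common event schema."""
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if not m or m["result"] != "success":
            continue
        events.append({"ts": _ts(m["ts"]), "user": m["user"], "ip": m["ip"],
                       "country": m["country"], "source": "vpn"})
    return events


def parse_saas(text):
    """Normalise successful JSON-lines SaaS logins into the same schema."""
    events = []
    for line in text.splitlines():
        rec = json.loads(line)
        if rec.get("action") != "login" or not rec.get("ok"):
            continue
        events.append({"ts": _ts(rec["ts"]), "user": rec["user"], "ip": rec["ip"],
                       "country": rec["country"], "source": "saas"})
    return events


def build_baseline(events):
    """Per-user set of countries and login hours seen during the baseline window."""
    profile = defaultdict(lambda: {"countries": set(), "hours": set()})
    for e in events:
        profile[e["user"]]["countries"].add(e["country"])
        profile[e["user"]]["hours"].add(e["ts"].hour)
    return profile


def score_events(events, baseline_end, travel_window=timedelta(hours=4), threshold=3):
    """Merge all sources by time, learn from events before baseline_end, score the rest.

    A user absent from the baseline has an empty profile, so every login of theirs
    scores as a new country; that is deliberate, an unknown account deserves a look.
    """
    events = sorted(events, key=lambda e: e["ts"])
    profile = build_baseline([e for e in events if e["ts"] < baseline_end])
    last_seen = {}  # most recent login per user across both sources
    alerts = []
    for e in events:
        prev = last_seen.get(e["user"])
        if e["ts"] >= baseline_end:
            p = profile[e["user"]]
            score, reasons = 0, []
            if e["country"] not in p["countries"]:
                score += 3
                reasons.append(f"new country {e['country']}")
            if e["ts"].hour not in p["hours"]:
                score += 1
                reasons.append(f"unusual hour {e['ts'].hour:02d}:00")
            if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] < travel_window:
                score += 3
                reasons.append(f"implausible travel {prev['country']}->{e['country']} "
                               f"in {int((e['ts'] - prev['ts']).total_seconds() // 60)} min")
            if score >= threshold:
                alerts.append({"ts": e["ts"].isoformat(), "user": e["user"],
                               "source": e["source"], "score": score, "reasons": reasons})
        last_seen[e["user"]] = e
    return alerts


def run_demo():
    """Correlate both constructed sources and return the resulting alerts."""
    return score_events(parse_vpn(VPN_LOG) + parse_saas(SAAS_LOG), BASELINE_END)


if __name__ == "__main__":
    for a in run_demo():
        print(a["ts"], a["user"], a["source"], a["score"], "; ".join(a["reasons"]))
```

Run on the constructed input, the pass raises two alerts: bob's 03:21 login from a country never seen for him (scored 4), and alice's SaaS login from BR 35 minutes after a UK VPN login (scored 6). Alice's day-6 VPN login from a new address in the same country scores 0, which is the point of a per-user baseline rather than a static rule: the two sources only tell this story when they are normalised and ordered together, and neither the VPN nor the SaaS log on its own contains the travel signal.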
Like many aspects of IT security, an integrated approach requires tools, people and processes to work cohesively. Such an approach will be needed because organisations’ exposure to risk is only ever going to get broader. Airbus’ Francis notes: “The need for integrated risk management is brought into sharp focus by the changing business environment using more internet and cloud services to deliver and enable business and the need for a more open and sharing approach with customers and suppliers.”