Security Think Tank: C-suite needs to drive outcomes-based security
What is the first step towards moving from a tick-box approach to security to one that is outcomes-based and how can an organisation test whether its security defences are delivering the desired outcome?
Genuine security is not about compliance and it is not about collecting badges. It is about making security, and secure behaviour, an integral and central part of your business ethos.
Everywhere you look, there are articles saying that security is a C-suite issue. Sadly, it seems the only people who do not realise that are the members of the C-suite. The upper echelon of a business needs to recognise that security is an integral part of corporate governance, that effective and proportionate security can be achieved only through embedded risk management, and that people, not technology, lie at the heart of good security.
Too many organisations still do not have information asset ownership rooted within them. If you don’t know what information you’ve got, know why you have it, where it is and what legitimate access to that information is required, then you can never realistically hope to achieve good security.
Improving security and removing the “tick-box mentality” can really start by getting boardroom ownership of this matter. But that does not mean promoting the IT manager to the board; it means genuinely achieving a paradigm shift of understanding by the board.
The board then needs to be prepared to drive, and visibly support, a cultural change: information asset ownership embedded across the organisation, and key roles such as IT security, information risk, data protection, learning and development, and audit seen as tactical advisers to the business, rather than teams that are expected to do everything for the business.
This approach will drive a change of mindset that will be truly transformational. That will make security an embedded part of business as usual and, most importantly, a sustainable part of the business’s core values.
Our attitude to testing and compliance checking really needs a review too. Compliance checks need to be continuous, ongoing and iterative – not an exercise that happens annually, like a project. We should not wait until we get an annual audit report to address poor behaviour.
If there is one thing we have learnt from other industries, it is that there is no more powerful tool than identifying and addressing poor behaviour when it happens. Best practice (and best results) in this area come from quality, no-blame, near-miss reporting, and technical vulnerabilities should never be left unidentified for an extended period pending an annual penetration test.
Our internal technical teams should be competent at running their own vulnerability scans as an integrated part of the change and configuration management process. This means there is a constant stream of quality in and around security processes.
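What a scan embedded in change management looks like in practice, as an added illustration of the continuous checking described above and in the earlier paragraph on compliance checks (this is example code written for this page, not something from the article's author): a proposed configuration is checked against a small set of controls at the moment of the change, and the gate reports what the change introduces, what it fixes, and what remains outstanding, rather than waiting for an annual audit. The control set, the sshd_config-style format and the two sample configurations are all constructed for the example; only the "first value wins" parsing rule is borrowed from how sshd actually reads its configuration.

```python
"""Change-time configuration gate (constructed example).

The controls and sample configs below are hypothetical. The parser mimics one
real sshd behaviour: when a keyword appears more than once, the FIRST value is
used, so a later hardened line does not undo an earlier weak one.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    key: str
    expected: str
    severity: str       # "high" or "medium"
    rationale: str


# Constructed control set for an sshd-style configuration file.
CONTROLS = (
    Control("PermitRootLogin", "no", "high", "root logins bypass per-user accountability"),
    Control("PasswordAuthentication", "no", "high", "key-based auth resists password guessing"),
    Control("X11Forwarding", "no", "medium", "reduces attack surface on servers"),
    Control("MaxAuthTries", "4", "medium", "limits online brute-force attempts"),
)


def parse_config(text):
    """Parse 'Keyword value' lines; lines starting with '#' and blank lines are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)   # first occurrence wins, as in sshd
    return settings


def scan(settings):
    """Return the failing controls as a set of (key, severity) tuples."""
    findings = set()
    for c in CONTROLS:
        actual = settings.get(c.key.lower())
        if actual is None or actual.lower() != c.expected.lower():
            findings.add((c.key, c.severity))
    return findings


def evaluate_change(current_text, proposed_text):
    """Gate a proposed config against the current one.

    Policy: a change is approved only if it introduces no new finding. Findings
    that already existed are not blocked (that would punish incremental fixes)
    but are returned as 'remaining' so they stay visible and tracked.
    """
    before = scan(parse_config(current_text))
    after = scan(parse_config(proposed_text))
    introduced = after - before
    fixed = before - after
    return {
        "approve": not introduced,
        "introduced": introduced,
        "fixed": fixed,
        "remaining": after,
    }


# Constructed sample: the current file, with one known medium finding.
CURRENT_CONFIG = """
# current sshd_config (constructed)
PermitRootLogin no
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 4
"""

# Constructed sample: a change that fixes X11 but "temporarily" re-enables
# password auth. The second PasswordAuthentication line has no effect.
PROPOSED_CONFIG = """
# proposed sshd_config (constructed)
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
"""


if __name__ == "__main__":
    result = evaluate_change(CURRENT_CONFIG, PROPOSED_CONFIG)
    print("approve:", result["approve"])
    for label in ("introduced", "fixed", "remaining"):
        for key, sev in sorted(result[label]):
            print(f"  {label:10s} {sev:6s} {key}")
```

Run on the two samples, the gate rejects the change because it introduces a high-severity finding (password authentication turned back on) even though it also fixes X11 forwarding; the duplicated, later `PasswordAuthentication no` line is the kind of detail a once-a-year review tends to miss and an at-change scan catches immediately.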
The organisational threat is real, holistic, joined-up and continuously evolving. Our response to this threat needs to be continuously evolving too. Moving away from tick-box security is a great step in the right direction and toward genuine resilience.