Security Think Tank: Checklists are dead, long live risk-driven security

What is the best way to balance business need for network and application access with security and regulatory requirements?

The key asset of most businesses is data: data processed into information that enables companies to make strategic and tactical decisions, create products and services, and ultimately sell these to their customers.

Although each company is distinctive, the elementary rules of conducting business, such as corporate governance, remain common to all of them.

Information security, which I see as part of corporate governance, exists to protect information assets from unauthorised access that could result in the information being disclosed, modified or lost for good.

It is said that there is no 100% security, which is certainly true as soon as the information needs to be accessed by at least one subject. Yet in a typical organisation, information systems are accessed by a multitude of people and other systems, which may be located inside the company building or elsewhere, connected to a variety of networks and using different means of access.

Complex contractual relationships also require that information be shared between partners. Defining and implementing the correct balance of access controls at the network and application level requires mastering the fine art of risk management.

There are several legal, regulatory and corporate standards listing controls that organisations must or should implement to protect their information: SOX, ISO 27001, NIST SP 800-53 and PCI DSS, to name a few.

However, it has been shown again and again that blindly implementing these controls does not prevent breaches. In many cases, applying these standards as checklists leads to bloated security budgets with very little to show for it, because the controls are chosen for the auditor rather than for the threats the organisation actually faces.

So what should CISOs do to appropriately support their companies by enabling secure access to information?

I strongly advise implementing a security architecture that is based on threat modelling, advanced penetration testing and, most importantly, is created together with the business owners. Threat modelling establishes what needs protecting and from whom; penetration testing validates whether the controls in place actually hold against a determined attacker; and the business owners decide how much residual risk is acceptable. These three components need to feed the risk management decisions that drive the level of control protecting access to information.

As every organisation is unique, the resulting mix of controls will be different for each one of them.

To deliver this new concept, a refreshed, business-focused security approach is needed that will challenge existing security "checklists" to their core and implement true risk-based business security governance.

Vladimir Jirasek is director of research for the UK chapter Cloud Security Alliance (CSA) and managing director of Jirasek Consulting Services.
