Maksim Kabakou - Fotolia
Security Think Tank: Shift to outcomes-based security by focusing on business needs
What is the first step towards moving from a tick-box approach to security to one that is outcomes-based and how can an organisation test whether its security defences are delivering the desired outcome?
Box-ticking in any business discipline has a rightfully poor reputation, associated as it is with heedlessly carrying out processes and procedures with little thought about whether these are the best course of action.
IT security is no exception. However, moving to an approach that focuses instead on outcomes should not shrug off tick-box activities altogether because these are proof-points of action being taken.
The trick is to make sure these actions are business enablers, rather than performed merely to adhere to administrative rules. Critical to this is ensuring people know why a process needs to be carried out over and above it needing to be “ticked off”.
This requires everyone to be involved, including the senior members of the organisation. As well as bearing overall responsibility for any security threats, they often create the drivers that allow breaches to happen.
For example, their roles often call for them to have flexible interactions with systems, such as mobile access and single sign-on. Also, they are more likely to be the target of attacks because an email – such as a request for the authorisation of bogus transactions – that appears to have been sent from a senior executive is more likely to generate a response than one from a lower-level manager.
Education for all
Communication and education are both critical. There needs to be an understanding of the risks being managed and the importance of this for the enterprise as a whole, as well as the role of each individual within it.
The channel for this education is of less importance. The crucial element is that the message is embedded into the minds and actions of all stakeholders. Audit, risk and security teams need to be equipped with the skills to communicate to their business’s teams in a way that enables them to better appreciate the priorities of the business and where these can be supported by security.
Organisations tackle this articulation requirement in different ways. It is not unheard of for some to enlist specialist performance coaches to help teams increase their emotional intelligence and empathy, as well as their presentation skills.
Day-to-day actions and decision-making are then influenced by this knowledge, which encourages people to be less trusting and more vigilant in identifying when a request is suspicious, thus reducing the likelihood of security risks. This starts to lead to “security by design” and other core principles being applied and adopted more consistently, which, in turn, creates a positive multiplier effect.
Fostering the right culture
As well as an emphasis on education, it is essential that organisations foster a culture that supports “doing the right thing”. This requires mechanisms and processes that enable concerns to be raised easily and without fear of retribution. This does not happen overnight, however, and enterprises need to allow time for it to embed fully.
It is important that people throughout the organisation feel supported and confident in speaking up about any activities that may adversely affect the security design or increase the threats. This may sound obvious, but business projects have defined plans and milestone dates, and standing in the way of these to raise concerns from a secure architecture point of view is a daunting prospect.
However, a supportive culture and an outcomes-focused security strategy will champion legitimate challenges, hearing and considering the claim regardless of the seniority of the individual making it.
Similarly, there need to be appropriate channels for individuals to flag poor practice, without having to challenge the perpetrator directly (which can have serious consequences in terms of stress and morale). Few people willingly become whistle-blowers. It is therefore far better for an organisation to ensure there is a safe way for its staff to do the right thing.
The process for raising security-related concerns should be intuitive and easy for all members of the organisation to reach. However, it must also be controlled to avoid it becoming an open forum where any issue can be raised, which is not an effective way to operate.
Appropriate “check points” within project delivery and operations ensure that the security ethos is being applied consistently. Rather than being a one-off, onerous, upfront assessment that is not referred to again, this should be a continuous, but evolving, interaction that is appropriate and acts as a reminder to tease out information when it is relevant and available.
For example, a security assessment conducted at the beginning of a project, when the design may not be fully mature, will probably need to make some assumptions on processes, technology or data requirements that are inaccurate, resulting in the project being considered either too high- or too low-risk from a security governance perspective.
Without further check points during the delivery of the project, this assumption would remain throughout its life, leading either to material weaknesses in the security design being missed or identified too late in the delivery cycle or, conversely, resulting in further controls – with a significant overhead – that, in reality, are not required because the assumed security risks are not appropriate or relevant.
Read more Security Think Tank articles about achieving outcomes-based security
Upfront impact assessments and checklists of this nature are often perceived as tick-box exercises – a mandatory means to an end to “get through” a project stage gate with the minimum number of questions answered and the fewest review questions asked.
Bridging the gap between “security” and “operations” to focus on the intentions, risks and potential controls required, demands a more supportive and collaborative approach that also seeks to understand the overall objective of the assessment.
On the operational side, education about, and communication of, the intentions of the assessment will encourage alignment, while greater empathy and engagement from the security side will allow them to operate in a manner that more easily reflects the business objectives and transforms the tick-box from an overhead to a business enabler.