Skip to main content

Combating Cyber Crime in 2017 by Building an Information Security Programme

By: Cherif Sleiman, Vice President, Europe, Middle East and Africa at Infoblox 

It Often Starts With Anarchy 

As far as we’ve come with information security, the landscape still feels like the wild west. Every day we read about the cyber equivalent of ungoverned towns terrorized by enterprising criminals who pillage as they wish with seemingly no consequences. The good guys are few, and the sheriffs are too far between. Maintaining the peace rests upon you; whether you asked for the job or not. Swiftly reacting to intrusive foes may grant you the right to fight another day, but getting ahead of security risks warrants a proactive, strategic plan with structured management oversight. 

Assemble Your Strategy 

Security spending is estimated to have exceeded $75 billion dollars in 2016. While it’s good news that security spend is increasing, there’s a broad range of security products to choose from and knowing where to allocate funds requires a strategy. 

Security programs are often derived from venerable frameworks such as the SANS Critical Security Controls or ISO 27000. Although comprehensive, these frameworks can be daunting at first. A more simplistic approach revolves around building a security program based upon a limited set of foundational pillars which serve as security program categories or “tracks.” For an emergent security program, about four to five pillars should be sufficient. For example: 

 Business Alignment - Security should support the business and must not impede company objectives.
Security Awareness - The securing of human beings and the internal “marketing / PR” of information security.
Governance and Compliance - The management aspects of security, such as planning and measurement, as well as adherence to internal and external regulations.
Vulnerability Management and Incident Response - Finding and managing vulnerabilities as well as responding to crises.
Formal security frameworks have granular controls that conveniently “roll up” into these pillars. For example, the SANS Critical Control 20 (Penetration Tests and Red Team Exercises) can be aligned with the Vulnerability Management pillar. Likewise, the ISO 27001 control A.15.2.1 (Monitoring and review of supplier services) can easily align with governance and compliance. Taking a page from agile methodologies, the objective here is to start small with a handful of pillars, then over time scale into something more industrial strength without much “throw-away” work. Essentially pillars are baby steps that pave the way to broader ISO or SANS-type programs. 

Find Your Pillars 

As noted, pillars represent your security program’s high-level “tracks.” Your enterprise will likely have different pillars, and you may have more or less than five. Regardless, these four simple steps can help identify your organization’s security pillars: 

Identify what’s important to the organization; be it money, intellectual property, customers, etc.
Enumerate potential threats posed to the items identified in step 1.
Determine protection and mitigation strategies to prevent threats from intersecting with important assets.
Iterate through steps 1-3, and categorize activities into fairly general categories. By consolidating categories wherever possible, categories will start to form distinct pillars.
It’s not always easy to identify risks; especially when you are unfamiliar with the current threat landscape. Fortunately, external assistance may prove useful in such situations. A security consultant can provide comprehensive threat models, and security companies can provide free security assessments that identify active threats on your network which were previously invisible. 

Manage Security as a Program 

Once you’ve identified the general pillars of your security program, each pillar will start to develop associated sets of projects and on-going activities around improving security posture. There are numerous tools in the security expert’s repertoire to support this effort, but a couple staple artifacts worth calling out are the risk register and operational security reviews. 

The risk register is essentially where one lists risks, and summarizes how these risks are being managed. It’s not rocket science, and contrary to popular belief, it doesn’t require the purchase of exorbitantly expensive software. In fact for newly-founded security programs, a spreadsheet works just fine. 

While the risk register may be appropriate for executive review, operational security reviews are intended to track progress (or lack thereof) on a more tactical level. For instance, tracking progress in the “vulnerability management” pillar may warrant metrics which track the number of high-risk system vulnerabilities, exploited vulnerabilities, average time to patch, and so on. These metrics must resonate with system owners and those responsible for day-to-day operational security so that they have actionable data to improve security posture. 

In summary, a security program is a continuous journey that never ends. Like most journeys, it starts with a single step, and will certainly have pitfalls along the way. Perfect security is unrealistic, so don’t be afraid to fail. How we manage and adapt are infinitely more important.

Popular posts from this blog

Radisson Blu Hotel, Dubai Improves Guest Wi-Fi Coverage and Performance with Aruba Wireless Solutions

Radisson Blu Hotel, in Al Sufouh at Dubai Media City has recently deployed wireless infrastructure from Aruba, a Hewlett Packard Enterprise Company, to deliver secure, seamless, high-speed, wireless internet connectivity across its hotel rooms, suites and public areas. The implementation has resulted in improvement in rating of Wi-Fi services and drastic reduction in volume of IT help desk calls, besides the fact that the design of the Access Points (APs) blends seamlessly with the hotel aesthetics and AP management, monitoring and troubleshooting has become centralized and simplified.

Amazon.in launches “Smart Living Store”

How would it be if you could stream online videos or browse websites on your TV? How about a device that could measure your level of activity throughout the day? How would it be if a device helps keep your home secure? With the Smart Living Store you can find out! Amazon.in announces the launch of “Smart Living Store” - a dedicated store aimed at providing customers the one stop shop for all smart devices across various product categories.

Pi DATACENTERS Achieves Uptime Institute Tier IV Design Certification

Pi DATACENTERS, India, an enterprise class datacenter and Cloud service provider based at Amaravati, the new capital region of Andhra Pradesh, today announced that the company has been awarded Uptime Institute Tier IV Design Certification, achieving the highest standards for infrastructure, functionality and capacity as demonstrated on the design documents. To earn a Tier Certification of Design Documents, a facility is evaluated on mechanical, electrical, structural and site elements, and certified facilities also receive expert recommendations to enhance Operational Stability over the long-term.
“We are pleased to award Pi DATACENTERS with the Uptime Institute Tier IV Design Certification,” said John Duffin, Managing Director, South Asia, Uptime Institute. “Achieving a Tier IV Fault Tolerant Design Certification illustrates that the facility meets the highest standards for infrastructure functionality and capacity as demonstrated on the design documents. This ensures that plans are…