
Combating Cyber Crime in 2017 by Building an Information Security Programme

By: Cherif Sleiman, Vice President, Europe, Middle East and Africa at Infoblox 

It Often Starts With Anarchy 

As far as we’ve come with information security, the landscape still feels like the wild west. Every day we read about the cyber equivalent of ungoverned towns terrorized by enterprising criminals who pillage as they wish with seemingly no consequences. The good guys are few, and the sheriffs are too far between. Maintaining the peace rests upon you, whether you asked for the job or not. Swiftly reacting to intrusive foes may grant you the right to fight another day, but getting ahead of security risks warrants a proactive, strategic plan with structured management oversight.

Assemble Your Strategy 

Security spending is estimated to have exceeded $75 billion in 2016. While it’s good news that security spend is increasing, there’s a broad range of security products to choose from, and knowing where to allocate funds requires a strategy.

Security programs are often derived from venerable frameworks such as the SANS Critical Security Controls or ISO 27000. Although comprehensive, these frameworks can be daunting at first. A simpler approach revolves around building a security program based upon a limited set of foundational pillars which serve as security program categories or “tracks.” For an emergent security program, about four to five pillars should be sufficient. For example:

* Business Alignment - Security should support the business and must not impede company objectives.
* Security Awareness - The securing of human beings and the internal “marketing / PR” of information security.
* Governance and Compliance - The management aspects of security, such as planning and measurement, as well as adherence to internal and external regulations.
* Vulnerability Management and Incident Response - Finding and managing vulnerabilities as well as responding to crises.

Formal security frameworks have granular controls that conveniently “roll up” into these pillars. For example, the SANS Critical Control 20 (Penetration Tests and Red Team Exercises) can be aligned with the Vulnerability Management pillar. Likewise, the ISO 27001 control A.15.2.1 (Monitoring and review of supplier services) can easily align with governance and compliance. Taking a page from agile methodologies, the objective here is to start small with a handful of pillars, then over time scale into something more industrial strength without much “throw-away” work. Essentially pillars are baby steps that pave the way to broader ISO or SANS-type programs.

Find Your Pillars 

As noted, pillars represent your security program’s high-level “tracks.” Your enterprise will likely have different pillars, and you may have more or fewer than five. Regardless, these four simple steps can help identify your organization’s security pillars:

1. Identify what’s important to the organization, be it money, intellectual property, customers, etc.
2. Enumerate potential threats posed to the items identified in step 1.
3. Determine protection and mitigation strategies to prevent threats from intersecting with important assets.
4. Iterate through steps 1-3, and categorize activities into fairly general categories. By consolidating categories wherever possible, categories will start to form distinct pillars.

It’s not always easy to identify risks, especially when you are unfamiliar with the current threat landscape. Fortunately, external assistance may prove useful in such situations. A security consultant can provide comprehensive threat models, and security companies can provide free security assessments that identify active threats on your network which were previously invisible.

Manage Security as a Program 

Once you’ve identified the general pillars of your security program, each pillar will start to develop associated sets of projects and ongoing activities around improving security posture. There are numerous tools in the security expert’s repertoire to support this effort, but a couple of staple artifacts worth calling out are the risk register and operational security reviews.

The risk register is essentially where one lists risks and summarizes how these risks are being managed. It’s not rocket science, and contrary to popular belief, it doesn’t require the purchase of exorbitantly expensive software. In fact, for newly founded security programs, a spreadsheet works just fine.

While the risk register may be appropriate for executive review, operational security reviews are intended to track progress (or lack thereof) on a more tactical level. For instance, tracking progress in the “vulnerability management” pillar may warrant metrics which track the number of high-risk system vulnerabilities, exploited vulnerabilities, average time to patch, and so on. These metrics must resonate with system owners and those responsible for day-to-day operational security so that they have actionable data to improve security posture. 
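As an added illustration (not part of the original article), the Python sketch below computes the three vulnerability management metrics named above, broken down per system owner, from a spreadsheet-style export. The column names, the sample rows and the choice to count only unpatched high-severity findings as "high-risk" are assumptions made for this example.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample export (not real data): one row per vulnerability finding.
# An empty "patched" column means the finding is still open.
FINDINGS_CSV = """owner,system,severity,found,patched,exploited
web-team,shop-frontend,high,2017-01-03,2017-01-10,no
web-team,shop-frontend,high,2017-01-05,,yes
web-team,cms,medium,2017-01-08,2017-02-07,no
db-team,orders-db,high,2017-01-02,2017-01-23,no
db-team,orders-db,low,2017-01-15,,no
db-team,reporting-db,high,2017-01-20,2017-01-25,yes
it-ops,vpn-gateway,high,2017-01-12,,no
"""


def review_metrics(csv_text):
    """Return per-owner metrics for an operational security review."""
    stats = defaultdict(lambda: {"open_high": 0, "exploited": 0, "days": []})
    for row in csv.DictReader(io.StringIO(csv_text)):
        s = stats[row["owner"]]
        if row["exploited"] == "yes":
            s["exploited"] += 1
        if row["patched"]:
            found = date.fromisoformat(row["found"])
            patched = date.fromisoformat(row["patched"])
            s["days"].append((patched - found).days)
        elif row["severity"] == "high":
            s["open_high"] += 1  # assumption: "high-risk" = unpatched and high
    report = {}
    for owner, s in stats.items():
        # An owner with nothing patched yet has no average, not an average of 0.
        avg = sum(s["days"]) / len(s["days"]) if s["days"] else None
        report[owner] = {
            "open_high": s["open_high"],
            "exploited": s["exploited"],
            "avg_days_to_patch": avg,
        }
    return report


if __name__ == "__main__":
    for owner, m in sorted(review_metrics(FINDINGS_CSV).items()):
        print(owner, m)
```

Reporting "no average yet" separately from a zero keeps an owner who has patched nothing from appearing to have the fastest patch time.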

In summary, a security program is a continuous journey that never ends. Like most journeys, it starts with a single step, and will certainly have pitfalls along the way. Perfect security is unrealistic, so don’t be afraid to fail. How we manage and adapt is infinitely more important.

