by Niall Browne of LiveOps
As our personal and professional lives become more intertwined, the amount of digital data stored and accessed by companies, their employees and staff is staggering. From banking records to medical information, personal identifiers and business transaction histories, a treasure trove of sensitive information is a tempting target to cybercrooks.
Moreover, the dramatic increase in cybersecurity attacks in the past few months has shaken consumer confidence. It has also caused the security industry as a whole to re-evaluate the effectiveness of the present methods used to protect data and systems.
CIOs who build security programs using only formal security compliance frameworks are quickly finding this approach dated, and it exposes their company to risk. Of course, standards are foundational in the effort to keep businesses compliant with industry-specific regulatory requirements. However, therein lies a dangerous notion: that the standardized approach alone will keep an organization secure against today’s ever-evolving threats.
Here is what CIOs can do to avoid seven real threats to corporate security:
1. Focus on security threats rather than security compliance alone – There is little value in putting an alarm on the front door of your home to meet the compliance requirements of your insurance policy if the back door is left open. This is the problem with focusing on standards-based security programs alone — you are often building a program specifically to meet the letter of the standard and satisfy the auditors. This can lead to security gaps, in particular too little focus directed toward protecting against threats such as cybercrime.
CIOs need to do a 180 and start building the next generation cybersecurity controls to protect against these threats.
2. Use data-centric controls not location-centric controls – Data use is distributed and, as such, the controls that protect this data must also be distributed.
Too often, security controls focus on location alone to protect the perimeter of the building. However, as telecommuting becomes the norm and workers access sensitive data from mobile devices and laptops, considerable data can exist outside the office walls. Because of this, data protection must be data-centric rather than location-centric. It must follow the data out of the building to protect it no matter where it resides.
3. Social network awareness versus lockdown – Open access to social networking sites is often viewed as taboo by IT and security departments while staff are in the office. Their concern is primarily based on the fear that staff will expose sensitive company data through the use of these sites. The black-and-white approach is to block office access, even though IT is well aware that staff will still access social sites from their corporate laptop at home.
Rather than applying the wet-blanket approach of no access, another approach is permitting controlled access — balancing security needs by making users aware of the risks and of how they can protect against potential threats. This can help create a more tech- and risk-savvy employee who is better equipped to protect the company’s data and assets against threats independently, whether they are inside or outside of the office.
4. Reorganize traditional security teams – Agile development (software development methodologies based on iterative development) is shaped through collaboration among cross-functional teams. Many companies have moved to agile software development, which enables product delivery cycles to occur every two weeks instead of quarterly, semi-annual, or annual release cycles. This reduces delivery time directly; however, it also leaves less time to complete a security risk evaluation of the changes. Therefore, security programs designed to examine long release cycles can struggle when presented with the much shorter agile development cycles.
For example, if a company is completing a two-week delivery release, and has 10 engineering teams in agile that each release 10 features per software release, then 100 product changes will be delivered every two weeks. This volume of feature changes demands thorough risk evaluation, and unless the security teams can move at the same speed as, or faster than, the development teams, security will quickly fall behind.
When this happens, business risk grows.
The solution is that security teams must reduce their risk evaluation times, or the release rate must decrease. Businesses typically will not slow down to accommodate a slower-moving risk management evaluation process. As a result, security teams that don’t move to agile security may find that they are not able to meet current business needs.
5. Engage employees in interactive security awareness – The days of security departments corralling jaded staff into mandatory training programs this year to rehash last year’s security tips are inefficient, dated, and counterproductive. Instead, security teams should actively engage staff as part of their day-to-day interactions. This can include more interactive and frequent security awareness exchanges in the form of ongoing security Lunch & Learns, security Brown-Bags, security posters, quizzes, newsletters, weekly messages, and other opportunities to meaningfully engage staff and increase awareness of modern risks.
6. Focus on application security – Far too much focus is placed on the mistaken belief that applications are protected by the network firewall. This blind trust can result in insufficient application security controls being implemented to protect company applications.
Additionally, modern applications are increasingly Internet-facing, and open, feature-rich application programming interfaces (APIs) have become the norm. As a result, the attack surface of the application has greatly increased just as the level of protection provided by a network firewall has greatly decreased.
If these network firewalls cannot independently provide the level of protection needed against an application compromise, then what will?
This is where the application itself becomes the key security layer. This involves building application security controls into all phases of application development, as well as secure code training and in-depth penetration testing.
7. Monitor security in real time – Many security standards require companies to complete security monitoring on a pre-defined interval, such as quarterly account audits or bi-annual firewall reviews. But hackers don’t work on pre-defined schedules. If a company relies only on regularly scheduled security audits to detect problems, it could take days, weeks, or even months for a security incident to be detected in the next round of audits.
Security programs must provide real-time security monitoring to detect and react quickly to threats to the business.
When corporate security is at risk, the entire company is at risk. Small, medium, and large companies all face similar security challenges, hence the desire to implement security standards. But CIOs must steer their companies beyond security standards and focus on protecting their data and systems with real-time compliance to achieve optimum corporate security.
Niall Browne is the CISO & VP of Information Security at LiveOps where he is responsible for defining and managing the enterprise security, audit, risk and IT regulatory compliance programs. LiveOps offers two solutions for enterprises: Contact Center in the Cloud, a SaaS technology platform for managing global contact centers, and Workforce in the Cloud, an on-demand workforce with over 20,000 independent agents.
Niall is currently Chair of the BITS Shared Assessments Cloud committee, and vice-chair of the steering committee. Niall is also on the steering committee of the Cloud Security Alliance (CSA) Controls Matrix, and a member of the steering committee for the Common Assurance Maturity Model (CAMM). As a service provider he has also led IT security assessments including PCI-DSS Level 1, ISO 27002, SysTrust, SAS-70 Type II, BITS Agreed Upon Procedures (AUP) and FFIEC examinations.
In 2004, Niall was the lead security architect for the European Union (EU) Presidency.