Information security leaders today are under intense pressure, charged with protecting their organization's information assets: business information, customer data, intellectual property and so on. Most Chief Information Security Officers (CISOs) now get more attention from senior executives than they did two years ago. With the amendments to the IT Act in 2008 and the rules framed by the Ministry of IT in 2011, security has also become a compliance requirement. In addition, a series of high-profile hacks and data breaches has helped convince industry leaders of the key role that information security has to play.
Rather than just reacting to security incidents, the CISO's role is shifting toward proactively addressing security on the basis of a holistic risk assessment. Although these signs are encouraging, a few concerns and issues are still being ignored. For example:
- Information security is still treated as the CISO's accountability, whereas it needs to be senior management's accountability, with the CISO as facilitator.
- Many organizations still treat it as IT security rather than information security.
- Most effort is directed toward compliance and certification, which puts pressure on the CISO/CIO to implement the ISO 27001 standard (the rules under the IT (Amendment) Act 2008 insist on a security standard such as ISO 27001 being implemented and certified). This approach helps in obtaining the certificate, but effort then generally goes into maintaining the certification rather than maturing information security processes.
- Security is treated as an afterthought: for many business projects, security is patched on after completion rather than embedded in the design.
- Security governance is limited to reviewing root causes as part of incident and problem management.
These problems may not stem from ignorance of the need for security, but from the failure to integrate information security processes with IT processes. The challenge is made harder by the availability of multiple frameworks and standards, or in some areas the absence of any. The objective of this article is to introduce how information security processes can be matured.
The changing landscape of threats and opportunities affects information security processes, and CISOs have to face the resulting challenges. Gartner has identified technology trends in four main areas, CAMS: Cloud, Analytics and Big Data, Mobile computing and Social Media. Businesses will inevitably adopt these trends. The new era of crime that rides on this technology revolution creates the need to build security around these technologies without compromising their benefits, so that the business still derives value from them; that is the challenge for security and assurance professionals.
On the external threat front, the trends are well past traditional viruses and script kiddies, who were content to disturb a Sunday afternoon siesta by ringing the doorbell and running away. It is now a professional world where targeted attacks and advanced persistent threats (APTs) are here to stay. Attackers (I see no point in calling them hackers any more) combine techniques such as network intrusion, social engineering and zero-day exploits to gain access, and once inside they stay inside without being detected. The objective is to gather information for uses such as terrorism, killing competition or damaging reputation.
CISOs have accepted that being attacked is a question of 'when' and not 'if'. Attackers now target all of an organization's resources, above all its people, rather than just IT resources such as websites, applications and servers.
On the one hand, to provide management with assurance about the security of information, CISOs strive to implement the latest technologies (SIEM, IPC, content filters, DLP, DRM, DAM), but they also need skilled people to manage these technologies effectively.
On the other hand, management does want to protect information, but it also wants to know the value derived from the investment.
Stakeholders are more interested in cost-benefit analysis when investing in security resources. The CISO's primary job, therefore, is selecting the appropriate controls that satisfy the cost-benefit requirement.
Selection of Controls
A purely technical CISO will not be very happy with cost constraints, whereas a management-trained person might see the value of such constraints. The challenge is how to meet them. The answer is to conduct a risk assessment (in simple words, use common sense).
Risk assessment is done in various ways, and multiple standards and frameworks are available. The idea is to evaluate the likelihood of a threat materializing and, if it does, how much damage it can do. For example, a zero-day virus attack might affect operations: the likelihood is high (it could happen at any time, even daily) and the impact is also high, so combining the two factors and converting them into notional monetary terms gives the CISO the total expected loss from a possible zero-day virus attack.
The CISO then needs to consider all possible controls, including technologies (e.g. heuristic anti-virus), monitoring, desktop controls, awareness training, skilled staff for monitoring and so on. Every control should reduce the likelihood or the impact of the threat, or both. For example, a smoke detector reduces the impact of a fire by giving early warning so that it can be put out, while using fireproof material and controlling inflammables reduces the likelihood of a fire.
The Balancing Act
Based on the outcome of the risk assessment, the decision on control selection can take one or more of four forms, as depicted in the following diagram.
Although in theory it appears easy and simple, in reality the challenges a CISO faces while implementing information security are enormous. For example:
- Assessing risk is not a routine practice, and hence many organizations still stumble in the risk management area.
- When compliance is the primary driver for information security, process optimization and a governance mechanism are generally absent.
- There may be a disconnect between enterprise risk management and IT risk management, resulting in excessive or inadequate security controls.
- The relation between controls and risk mitigation is not a simple one-to-one mapping; it generally ends up as a many-to-many relationship.
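The likelihood-times-impact calculation from the Selection of Controls section, and the many-to-many relation between controls and risks noted in the last bullet, can be made concrete in a small model. The following is an added example, not code from the article: each threat has an annual rate of occurrence (likelihood) and a single loss expectancy (impact), each control scales the likelihood and/or impact of one or more threats, and controls are picked greedily by net benefit (reduction in expected annual loss minus the control's annual cost) within a budget. All threat figures, control effects, costs and the budget are constructed, hypothetical numbers in notional currency units.

```python
# Added example (not code from the article): a small quantitative model of the
# risk assessment and control selection the article describes. Threat
# likelihoods, impacts, control effects, costs and budget are constructed,
# illustrative numbers in notional currency units, not figures from the article.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Threat:
    name: str
    aro: float  # annual rate of occurrence (likelihood): 12.0 means monthly
    sle: float  # single loss expectancy (impact) per occurrence

    def ale(self) -> float:
        """Annual loss expectancy: likelihood x impact in monetary terms."""
        return self.aro * self.sle


@dataclass
class Control:
    name: str
    annual_cost: float
    # threat name -> (likelihood factor, impact factor); 1.0 means no effect.
    # One control may touch several threats and one threat may be covered by
    # several controls: the many-to-many relation noted in the text.
    effects: Dict[str, Tuple[float, float]]


def residual_ale(threats: List[Threat], controls: List[Control]) -> Tuple[float, Dict[str, float]]:
    """Total and per-threat ALE after applying the given controls.

    Each control scales a threat's likelihood and/or impact multiplicatively,
    so overlapping controls give diminishing returns rather than adding up."""
    per_threat: Dict[str, float] = {}
    for t in threats:
        aro, sle = t.aro, t.sle
        for c in controls:
            lf, imf = c.effects.get(t.name, (1.0, 1.0))
            aro *= lf
            sle *= imf
        per_threat[t.name] = aro * sle
    return sum(per_threat.values()), per_threat


def select_controls(threats: List[Threat], candidates: List[Control], budget: float) -> Tuple[List[Control], float]:
    """Greedy cost-benefit selection.

    Repeatedly add the affordable control with the highest net benefit
    (reduction in ALE minus its annual cost), evaluated against the controls
    already chosen; stop when no remaining control pays for itself."""
    chosen: List[Control] = []
    spent = 0.0
    remaining = list(candidates)
    while remaining:
        base, _ = residual_ale(threats, chosen)
        best: Optional[Control] = None
        best_net = 0.0
        for c in remaining:
            if spent + c.annual_cost > budget:
                continue
            new, _ = residual_ale(threats, chosen + [c])
            net = (base - new) - c.annual_cost
            if net > best_net:
                best, best_net = c, net
        if best is None:
            break
        chosen.append(best)
        spent += best.annual_cost
        remaining.remove(best)
    return chosen, spent


# Constructed sample data (hypothetical figures, not from the article).
THREATS = [
    Threat("zero-day malware", aro=12.0, sle=50_000.0),           # ALE 600,000
    Threat("phishing credential theft", aro=4.0, sle=100_000.0),  # ALE 400,000
    Threat("server room fire", aro=0.05, sle=2_000_000.0),        # ALE 100,000
]

CONTROLS = [
    Control("heuristic anti-virus", 40_000.0, {"zero-day malware": (0.5, 0.8)}),
    Control("awareness training", 20_000.0, {"zero-day malware": (0.8, 1.0),
                                             "phishing credential theft": (0.5, 1.0)}),
    Control("smoke detectors", 5_000.0, {"server room fire": (1.0, 0.3)}),
    Control("DLP", 150_000.0, {"phishing credential theft": (1.0, 0.6)}),
]


if __name__ == "__main__":
    before = sum(t.ale() for t in THREATS)
    chosen, spent = select_controls(THREATS, CONTROLS, budget=250_000.0)
    after, per = residual_ale(THREATS, chosen)
    print(f"ALE before controls: {before:,.0f}")
    for c in chosen:
        print(f"  selected {c.name} (annual cost {c.annual_cost:,.0f})")
    print(f"ALE after controls: {after:,.0f}, control spend {spent:,.0f}")
    for name, value in per.items():
        print(f"  residual {name}: {value:,.0f}")
```

With these constructed numbers the model picks the anti-virus, the awareness training and the smoke detectors, and rejects DLP: on its own DLP would pay for itself against the full phishing exposure, but once training has halved the likelihood of phishing the remaining reduction no longer covers DLP's cost. That is the point of evaluating each control against the controls already chosen rather than in isolation, which is where the many-to-many relation bites.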
The CISO needs to identify and select controls practically. It may not be possible to have tools for, or to automate, every control, and the solutions that are available are not a panacea. In the case of an advanced persistent threat (APT) and the attacker's polymorphic techniques, for example, securing a complex network is a human-intensive problem that cannot be automated away, because the malicious agents are merely the vehicles of the attackers, who are dynamic, intelligent and focused humans.
Changing technology and threat trends are forcing organizations to concentrate on new methods of ensuring that information is secure, rather than merely combating external threats. This may require integrating information security into business processes, and thence into IT operational processes, using an enterprise-wide risk management framework. Stakeholders, internal as well as external, are interested not only in the well-being of the organization but also in its security.