Your security strategy should begin with the premise that you’re already compromised. Once you accept this, you can shift your focus from prevention alone to resilience: detecting an attack quickly when it inevitably occurs, containing it before it spreads and recovering from the fallout, all of which minimizes risk exposure for the business.
In this sense, security strategy is similar to disaster recovery and business continuity planning. The main difference is that the probability of suffering a breach of some type is much higher than that of a disaster. But the consequences, whether business interruption, loss of private information or intellectual property, compliance violations or a damaged reputation, can be just as devastating.
A “contain and respond” strategy takes a holistic approach to prioritizing risks. Rank your risks by how badly they could disrupt operations, and you can then identify and defend the critical data assets that map to the highest-ranked ones.
Once you’ve prioritized your risks, you can implement a multilayered, data-centric approach: establish a secure perimeter around the data associated with those risks, lock the data down, limit the risk that privileged users pose (for example, by enforcing least privilege and monitoring their activity) and collect the information needed to identify malicious insiders and possibly compromised accounts.
This strategy is more proactive and intelligence-driven, enabling you to better secure your most valuable data assets, respond to and remediate incidents in a timely fashion and meet GRC (governance, risk and compliance) requirements. It also lets you test your defenses against the prioritized risks so that you can identify and close potential vulnerabilities.
A contain and respond strategy will also help you manage security and compliance costs, which your CFO will love you for. It lets your team focus on priorities: lower-level risks and data can be relegated to “best efforts” protection handled largely by automation. Automating more of the routine work also eases integration, reducing data silos and the flood of false positives that overwhelms analysts. Finally, it lifts team productivity and morale by moving their skill set toward higher-value work such as threat analytics, incident response and forensics.
Cybercriminals target and exploit an organization’s weakest link: its people. Employees who open an infected attachment, click a link that takes them to a dodgy site or whose devices become infected while working remotely are the most vulnerable, and through them attackers reach your greatest risks and the data that map to them.
In fact, almost all of your security risks are caused by people. Most are simply careless or indifferent to your security strategy; the malicious insiders are not. Either way, your team is held accountable for breaches, even though most attacks are not of your own making.
Include your people in the security strategy, just as they are included in effective data governance, disaster recovery and business continuity initiatives. Make them aware of how they are targeted. Train them to be more vigilant. Create incentives for them to adhere to policies and penalize them for transgressions.
Just as a formal data governance program defines how data should be handled to improve quality and accuracy for analysis and decision-making, security governance should define similar best practices to protect against risks and defend strategic data assets. In fact, I recommend that security governance be linked with data governance.
Security is everyone’s business, but responsibility still rests with the security team. Security governance should be considered as much a business initiative as data governance or disaster recovery and business continuity. To be truly effective, however, it must be endorsed and practiced by senior management and board members. That is the only way common business objectives can be achieved more securely.
I believe that a company’s ability to demonstrate stronger security governance than its peers will come to be viewed as a competitive advantage. This includes how it responds to a breach: how a company informs customers, regulators and investors that an attack has occurred, and what it has done and is doing to contain it, is critical to maintaining security governance and preserving the company’s reputation.