Information Security as a Framework
By Ben Doyle, CISO-Asia Pacific, Thales Group
Today's Information Security community talks a lot about the impending difficulties caused by the major skill shortages we face in trying to fill positions that seem to multiply on a weekly basis. Some of these positions may be driven by organisations trying to meet new security regulations that are best managed by dedicated Information Security personnel, and some may be due to the rude wake-up call from the threat environment after suffering a significant event. Because of the difficulty in hiring Cyber specialists, organisations turn to the latest security solutions in the hope that they will buy enough mitigation against the next Cyber event. Twelve months on, the threat landscape has grown and attacks have evolved, so the security solution purchased last year no longer offers the same protection, and more money is spent buying the next latest solution. But if they had the skilled staff to fully implement the previous year's solution, and to keep it updated (both in version and in policies), organisations may well meet the evolving threats that are now part of our hyper-connected way of doing business.
Now you may think that this scenario shows there is a great need for Cyber security specialists, and that it is because of this situation that there is a skills shortage that cannot be met. While I do not disagree that there is a lack of qualified specialists available, is it worse than what is repeated in other professions such as health and education? People can be trained, and managed security services will develop as an efficient way to obtain access to the specialist resources needed to protect organisations, so the pressures being felt today should slowly reduce over time. But I do not believe they will completely go away, as is seen with other professions. Therefore, we need to consider what mitigations are available that can reduce the impact of the evolving threats without increasing the need for additional security specialists, or that utilize the specialists we may have today more effectively.
“Standardization of devices, operating environment, applications and system configurations leads to greater IS/IT operational efficiencies and improves the ability to implement security monitoring and controls effectively”
Most people have heard of the framework that promotes the idea of People, Process and Technology, the basis of which is that IT/IS needs to consider all three parts to be successful. When it comes to Cyber security, the adoption of these principles should be no different. However, in many cases Cyber security either has a strong bias towards Technology as the most important solution, or those with the security responsibility consider people and process only in their own context, and not how security requirements fit into IT/IS’s concepts of People and Process, or the wider organizational operating model outside of IT/IS. This reduces the effectiveness and efficiency of the security program and can lead to the belief that more skilled specialists are required for a cyber capability to be implemented successfully.
Consider the case of Cyber Security not aligning with, or ignoring, how its processes could take advantage of existing IT/IS processes: there are many aspects of IT/IS operations that help create a secure environment. Patch management is no different from software that would go through an ITIL release program, so why does it need a separate process? Linking the release program to change control, as it should be, provides governance and visibility of the patching that is occurring. Standardization of devices, operating environment, applications and system configurations not only leads to greater IS/IT operational efficiencies but also improves the ability to implement security monitoring and controls effectively. Building the approval process for local administration rights as a Configuration Item (CI), with a workflow as part of a service request, again provides greater visibility and governance to ensure such requests are valid; and linking the approval to a CI means previous approvals are easily audited for current validity. None of these improvements require additional security staff or technology; they only require utilizing processes that IT/IS has hopefully already implemented.
The above sounds great in theory, but it fails in implementation if the People side of the equation is not there to support it, and more specifically the governance and the leadership required to be successful. This can be especially hard in an organization that sees its IT/IS function as a utility that provides services or capability in whatever way each business representative wants. Success therefore requires culture change, which is hard, takes time, and involves plenty of end-user engagement, which is why it is so often avoided, not just by Cyber Security but also by IT/IS in general. This is where leadership comes in. You may not always win support, or have the authority, to stop initiatives or business requests, but as a leader each initiative and request is an opportunity for end-user engagement and education, by presenting consistent advice on why it is better for the business to give up a little convenience or functionality to ensure a better long-term operational and security outcome. If you are consistent in your message, over time (and it will take time) the message does sink in, and the business will become more open to it. Having an Information Security leader does help lend legitimacy to such messages, but there is no reason why IT/IS management cannot undertake this activity if Cyber resources are lacking due to the skills shortage.
The France-based Thales Group (Euronext: HO) offers services ranging from Aerospace, Space and Defence to Security and Transportation, helping customers perform critical security tasks. It was founded in 2000.