Many companies are having a hard time protecting data and aligning IT security with business goals because of insufficient funds or resources. As a result, many businesses are compelled to adopt new security strategies to close these gaps. According to Gartner, 75% of organizations will change the way they manage risk and security by 2023, up from less than 15% now. This includes dealing with new cyber-physical systems (CPS), converged IT, OT, the Internet of Things (IoT), and other security requirements. However, setting up a new IT security management plan is not a simple process. Many businesses have had a hard time balancing IT security needs with the need to run their business.
In this blog, we will look at the key strategies and recommendations that businesses can use to build and use a successful IT security management plan. Before that, let's look at some of the major challenges facing the IT industry today.
Challenges with the Current IT Security Landscape
Security researchers claim that IT security remains an underinvested industry. Furthermore, cyberthreats are becoming common in a world that is becoming more and more global. For example, when working with applied technologies like IT/OT integration, a lot of data needs to be analysed. More data might mean that companies need to widen their perimeter of protection. Another type of challenge is the introduction of various data protection laws such as GDPR. Companies have to become aware of the new guidelines and get trained on them.
Dealing with these problems and complying with these requirements tends to take a long time. We can categorize these problems into two facets: the systems and the people who use them. On the systems side, security-related operational processes may not change quickly enough to keep up with changes in the systems environment, including application modernisation. This is called process latency in the systems world. The human facet is that both environments and processes change faster than people can keep up with them. In other words, people and processes don't sync with each other.
On the technology side, IT security has a lot of concerns, such as cybersecurity professionals not having the right tools and skill set for monitoring and managing the systems they're looking at, because those systems change so frequently. In addition, systems that are moved from a data center to the cloud may need new security tools as well. Apps that are built and run in containers need to be protected, but the security operations teams may not have the necessary tools to protect them. These are some of the common issues that require urgent care.
In addition, automation and integration aren't very prevalent in the cybersecurity world. Organizations make their workers do the same things repeatedly when they set up standard response workflows for security incidents. This makes them tired and burnt out, and it slows down the response time to human scales. Automation and integration are necessary to avoid these problems.
Building an IT Security Management Roadmap: Key Stages
We have identified seven key stages in building an IT Security Management Roadmap. They are:
1) Understand and align defence and business strategy
Before creating and implementing cybersecurity strategies, a good understanding of the business regulations and operations of the company is important. Strong understanding makes it easier for companies to make smart IT Security investments, use limited resources, make progress on strategic goals, and keep their businesses safe. This allows the Security leaders to create risk profiles for each part of the business strategy, describing the risks in business terms, suggesting ways to mitigate them, and providing high-level investment forecasts. If they make smart investments like buying certain technologies or services, they will know where the money is going and why.
The following are some of the things that are part of strategy alignment.
Make sure you know what's important in business and what the program's goals are. You also need to know about business, technology, and threats.
Identify the goals of the program, its value, and the responsibilities of relevant parties.
Define security controls that are in line with the goals of the organization and plot them to a proper security structure.
Get input from stakeholders, define main goals, and finish the first summary of the security strategy document.
2) Do a Security Assessment
An IT Enterprise Security Risk Assessment is done for businesses to look at, identify, and change their overall security posture. This process is needed to get the organization's management to agree to spend money and use the right security solutions. A thorough enterprise security risk assessment also aids in valuation of the different types of data that are made and kept in the company. A lot of technology resources cannot be used if the organization doesn't value the different types of data that it has.
To accurately assess risk, management must figure out which data sources are most important to the company, where the storage is, and how vulnerable they are.
The following are the steps that make up the assessment.
A) Find assets: Use your current asset tracking processes (a repository listing all assets such as systems, operating systems, servers, devices, etc.)
B) Decide how you want to organize your data
Public: It encompasses web content, publicly available financial data, or any other data that would not hurt the business if it were stolen.
Confidential: This data cannot be made available to the public. There must be a Non-Disclosure Agreement (NDA) or other safeguards in place before confidential data can be shared with third parties or made available to outside legal entities. This is to keep the data from being accessed by the public.
Internal use only: In this case, the data is only for internal use and cannot be shared with other people. This data is important to the core business and would hurt the company's competitiveness if it were stolen.
Compliance Restricted Data: This data must be kept close to the vest. This information must be accessed and stored in a way that is in line with the framework it is in, like CMMC, HIPAA, HITRUST, NIST, etc.
C) Make a list of all the things you own
Software: Keep a list of software that is approved for use by the company.
Systems: Use a Central Management Database (CMDB) to map systems and other assets back to the people who own them.
Users: In Active Directory, users can be put into groups by giving them certain roles, like "administrator."
Identity: Make sure to keep track of how users are assigned to assets and resources based on their current roles and jobs.
D) Find out what your adversaries are up to
In this case, we have assets and vendors. Work with legal teams to find contracts with third parties, such as NDAs or lists of businesses that provide health care, so firms can find them.
External vs. internal: Which is better? Find out where all network egress and ingress points are.
Make sure network diagrams are available and up to date so that you can figure out where environments connect. If you're doing business in the cloud, make sure there are also diagrams of the infrastructure.
E) Rank the Risks
Perform a Business Impact Analysis (BIA) to figure out which systems and data owners are important.
Create and maintain a risk register to keep track of the systems or assets that pose the most risk to the confidentiality, integrity, and availability of the organization's business systems.
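As an illustration of steps A to E, the sketch below turns an asset inventory into a ranked risk register. It is an added example, not part of the original blog; the numeric class weights, the 1 to 5 impact and likelihood scales, the scoring formula, and the sample inventory are all assumptions chosen for the demonstration.

```python
from dataclasses import dataclass

# Assumed weights: the page names these four classes but assigns no numbers.
CLASS_WEIGHT = {"public": 1, "confidential": 2,
                "internal use only": 3, "compliance restricted": 4}
CIA = ("confidentiality", "integrity", "availability")

@dataclass
class Asset:
    name: str
    owner: str        # "" means the asset is not mapped to an owner
    data_class: str   # "" means the data has not been classified yet
    impact: dict      # BIA impact per CIA property, 1 (low) to 5 (high)
    likelihood: int   # 1 (rare) to 5 (expected)

def risk_entry(asset):
    """Build one risk-register row; gaps in the inventory score as worst case."""
    gaps = []
    weight = CLASS_WEIGHT.get(asset.data_class.strip().lower())
    if weight is None:
        weight = max(CLASS_WEIGHT.values())
        gaps.append("unclassified data")
    if not asset.owner:
        gaps.append("no owner")
    # The worst-affected CIA property drives the score; a missing rating is 5.
    driver = max(CIA, key=lambda prop: asset.impact.get(prop, 5))
    score = asset.impact.get(driver, 5) * asset.likelihood * weight
    return {"asset": asset.name, "score": score, "driver": driver, "gaps": gaps}

def build_register(assets):
    """Return register rows, highest risk first (ties broken by asset name)."""
    return sorted((risk_entry(a) for a in assets),
                  key=lambda row: (-row["score"], row["asset"]))

# Constructed sample inventory (not real systems).
INVENTORY = [
    Asset("public-website", "web-team", "Public",
          {"confidentiality": 1, "integrity": 3, "availability": 4}, 4),
    Asset("hr-payroll-db", "hr-it", "Compliance Restricted",
          {"confidentiality": 5, "integrity": 4, "availability": 3}, 3),
    Asset("legacy-file-share", "", "",
          {"confidentiality": 3, "integrity": 3, "availability": 2}, 4),
    Asset("build-server", "devops", "Internal use only",
          {"confidentiality": 2, "integrity": 5, "availability": 3}, 2),
]

if __name__ == "__main__":
    for row in build_register(INVENTORY):
        print(row)
```

An asset with no owner or no classification is not dropped from the register: it is scored as if it held the most sensitive data, so inventory gaps surface near the top instead of hiding at the bottom.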
3) Technology Evaluation
The third step is to look at how technology works. Once the assets have been found, the next steps are to figure out if these systems are safe. Learn how they work on the network and figure out who in the business supports the technology and related roles and responsibilities. The below items can help in the evaluation of technology.
i) What's in use now?
Find out what is going on with the operating systems of your assets.
With End-of-Life technology, there are no more patches, bug fixes, or security updates.
To put it another way, if business apps are running on these systems, your product's security could be at risk.
ii) Are There Enough People to Take Care of These Platforms?
Patching these systems takes money and time. During a zero-day attack, resources must be available and quick to deal with the threat and recover from an accident.
iii) Does Technical Bloat exist?
Technical bloat is a problem for large businesses that have systems that do the same thing over and over again. Poorly written code by developers can lead to "technical debt," which means that it will cost more in the long run to rework and document the code appropriately than it did to put it out the first time.
iv) Unauthorized Installations
These systems are usually set up by separate teams without the help of the support staff. This is called Shadow IT.
v) Impact of Technology when data flows in and out of the systems.
4) Select a Security Framework
There are a lot of frameworks that can help us make and support our IT security strategy, but we cannot protect what we cannot see. Hence, it's important to have a risk-prioritization framework in place that includes:
Doing a vulnerability assessment and a penetration test.
Establish a baseline of current maturity, set a target state, and do a gap analysis.
The risk prioritization will help you figure out what controls you need to keep an eye on and measure the security of your business. A cyber security risk evaluation, a vulnerability analysis, and a penetration test can help you figure out which framework to use.
5) Creating a risk management plan
Developing a risk management plan is an important part of the IT security strategy. This plan looks at possible risks that could affect the company. This proactive method makes it possible for the company to find and analyse risks that could hurt the business before they happen.
Below, you will find a list of policies that can be used in your risk management plan.
Describes how different types of corporate data should be stored or archived, where and for how long.
People who work for the company, as well as customers, suppliers, and other people who have their personal information stored by the company are covered by this policy.
An Incident Response Plan that lays out the roles and procedures that should be followed to make sure there is a rapid and effective response to security incidents.
6) Implement the security plan
Almost all the assessments and policy plans have been done at this point in the strategy. It is now time to decide which remediation efforts should be most important and which tasks should be given to different teams. After that, let's go through each step in detail.
Integrate skills, tools, and technologies
Establish security team roles and responsibilities, and figure out who should be accountable, consulted, and kept up to date.
Develop important skills and train for skills you want to learn or that you don't have.
Use metrics and rewards to make people more accountable for their work.
Develop the ability to respond quickly to critical incidents and a plan of action in the event of a breach.
Develop a program structure to keep an eye on and fight against new threats.
Instil a sense of security in your employees and start campaigns that are tailored to your company's needs.
Advance your reporting and response skills and have a practice of communicating about cyber breaches.
7) Make sure your security plan is working
This is the last step in the cyber security strategy. It is the start of a long-term support of the strategy. Threat actors will keep taking advantage of flaws, no matter how big or small the company is. It is critical to keep an eye on and test the security strategy on a regular basis to make sure that the goals of the strategy match up with the threats that are out there. Step by step, these steps describe how the process works.
Plan to show the value of your organization and the board.
Make sure you track metrics and get feedback to figure out how well your program is working.
To improve more, revisit the maturity assessment.
Many experts talk about business and IT security alignment, but very few have attained it. Instead, we're all focussed on technology because that's the language we speak! We usually have a general idea of how businesses work and what they want to achieve, but we don't always use this information to help us plan cyberattack defense. The answer is that we can't link technical needs to the business strategy or benefits. Executives are forced to make investment decisions based on instinct and their trust in our advice. When we build a strong and sound plan for IT security management, we can deal with the many unknowns that come with it and make smart decisions about what to do. The goal of the blog is to show how IT security has changed over time and how it can help CIOs and other leaders plan for stronger IT security.
Surya Jatavallabhula is a Cyber Security and Risk professional with an extensive history in Banking, Biotech, Medical, and Education sectors. Surya has played various roles under security domains including CISO, Security Partner/SME for Information and Cyber Security, DevSecOps, Risk Management, Data privacy, Enterprise Security Architecture, Data Architecture, Technology Risk, and Portfolio Management after graduating in MS Risk Management from Stern School of Business, New York University, U.S., and M.B.A from Leeds University Business School, U.K.