Welcome to my second in a series of blogs based on what I term “The Groove Theory of GRC.” As you may or may not know (or infer from this series), I have been a musician for much of my life. Starting in grade school playing in the school band, I have enjoyed the gift of making music over many years. While I am no longer a “gigging” musician, I still pick up my craft and noodle at home often. One aspect of making music that I have enjoyed is the debate between musicality and performance. Is a great musician guaranteed to be a great performer? Are all great musical performers talented musicians?
The landscape of governance, risk and compliance has evolved substantially and, I believe, is reaching an inflection point. In some respects, the discipline is enjoying the benefits of constant maturation. Companies have been on the journey for multiple years and, as evidenced by many of our long-time customers, are profiting from this adventure in both tangible and intangible ways. In other respects, GRC, in some eyes, has become a bloated term – nebulous in its meaning and suspect in its value. It is hard to argue with any concept that advocates managing risk, maintaining effective compliance with laws and regulations and, ultimately, making intelligent, data-driven business decisions. But some detractors of the concept of GRC talk of immense, costly, protracted, delayed projects that rarely cross the finish line.
Over the last few weeks I have outlined several elements of Security Operations that are bubbling to the surface in my blog series “Next Generation Security Operations”. The series really focused on the reactive side of security management, and a key theme was the connection between nuts-and-bolts security and broader processes. A key point I wanted to communicate was that companies need not only to remain vigilant and evaluate the detective side of security management, but also to look outside the technical infrastructure for inputs that improve reaction time within Security Operations. As most of my readers are GRC practitioners, this connection stimulated some interesting conversations with customers from the GRC side of the house, and I hope it prompted some of the same connections on the security side.
Over the last few blog entries, I outlined some of the dimensions that security operations need to think about during 2013 and beyond. In some respects, this is the tip of the iceberg – there is only so much you can cover in a blog. However, I think there are some important items to put on the radar.
Years ago, companies had to worry about the “brick and mortar” threats – physical theft, property destruction, natural disasters. Next, it was the “bits and bytes” threats – intellectual property theft, website defacement, denial of service attacks. Now, there is a new element to our threat landscape – the “flesh and blood” threats. I don’t mean personal physical attacks but rather attackers exploiting an individual for nefarious purposes.
To continue with my series on the Next Generation of Security Operations, I want to look at how well the operations are positioned for the be-all, end-all of security – the actual Security Breach. Security incidents have a life of their own. How it all turns out is very dependent on how soon the problem is detected. Initial detection and preventing an attack early in the “kill chain” can minimize or even stop any issue from escalating. However, that is not always possible and security operations must be prepared to escalate throughout the entire process until closure. There are some traditional stages when it comes to Security Incident response.
In my previous blog, I introduced the idea that the concepts around security incident response need to evolve based on the threat landscape facing organizations. The first step in heading towards this next generation of security operations is improving the visibility into what is going on with the technical infrastructure. I used the analogy of giving telescopes to the lookouts on the castle walls to see the impending attack sooner.
What does this mean as we head into 2013? It means that the “incident response” plans that were drawn up, tested, implemented and put up on the shelf a few years ago are not prepared for this new battleground. Security threats – from hacktivists to criminal organizations to state entities – have more tools, techniques and attack vectors than ever before. Just like when the first trebuchet and catapult arrived on the scene outside the castle, it is that time, once again, when the defenders need to re-think their fortifications, evaluate the ramparts and re-invent defenses and lines of resistance.
A few months ago, I wrote a short blog using the “space between the 1s and 0s” as a metaphor to discuss dimensions of data that are beyond just the digits sitting on the disk drive. These dimensions included how the data was created, who created it and why it was created, along with the security implications of those dimensions. Data created by a business process that includes personal information is much different from the invitation to the company monthly birthday party. Yet those 1s and 0s, many times, sit side by side on our laptops, servers and storage area networks. Recently, EMC announced the 2012 findings from IDC’s 6th EMC-sponsored Digital Universe Study. This study has some amazing and interesting results – some directly related to this “space between the 1s and 0s”.
In mid-November, the PCI Security Standards Council released its Risk Assessment Guidelines as a supplement to the PCI Data Security Standard (PCI-DSS). Expanding on the requirements outlined in section 12.1.2 of the PCI-DSS, the new document provides further guidance on the techniques and methods organizations should consider when addressing this requirement of the standard. Checking the box on “Do you have a risk management program?” will not be as simple as before.