There is a basic recipe for network and computer security that most organizations follow without question: The network firewall guards the perimeter, and anti-malware software protects the various endpoints. Security is based on protecting the individual servers and PCs inside the perimeter from the various threats outside of the network perimeter. However, that formula is no longer sufficient.
The RSA-sponsored Security for Business Innovation Council has released a new report titled Transforming Information Security: Future-Proofing Processes, which reveals how current security processes and perimeter-based security controls are no longer an effective defense. The report also shares five valuable recommendations to help organizations adapt and evolve information security to defend against current and future threats, and an infographic that sums up the recommendations.
The network perimeter hasn’t really existed for some time now. When users accessed the network from desktop PCs—anchored to desks sitting in cubicles in an office building—there was a clear line of “inside” and “outside” the network. From the moment laptops came into the picture though, that perimeter started to fade away, and when smartphones and tablets entered the mix, the entire concept of “inside” and “outside” dissolved.
The rapidly changing technology landscape, and quickly evolving threats, require organizations to rethink their security strategy. Rather than guarding servers and protecting endpoints, security needs to have a more holistic goal of defending critical business processes—including whatever servers, PCs, or other assets those processes might depend on.
When you consider the bigger picture, the traditional approach to security was also ultimately about safeguarding crucial business assets. The goal was to ensure that the organization could detect and block attempted attacks, and that critical business functions were resilient enough to continue functioning through a successful attack. That goal hasn’t changed, but the nature of technology and threats today compels a different approach to achieving it.
Here is a brief overview of the five recommendations in the report:
- Shift Focus from Technical Assets to Critical Business Processes: Move away from a strictly technical viewpoint of protecting information assets and consider how information is used in conducting business. Remember, you’re not trying to protect a server; you’re trying to protect the capabilities the server provides or the data stored on the server. View your security strategy through the lens of the business goals rather than the individual technology assets.
- Institute Business Estimates of Cybersecurity Risks: Develop techniques for describing cybersecurity risks in business terms and integrate the use of business estimates into the risk-advisory process. When you begin to filter information security through its larger business purpose, it’s easier to protect what is most important, and communicating security risks in terms of the potential financial impact on the underlying processes helps executives and other managers understand and support your efforts.
- Establish Business-centric Risk Assessments: Move to more automated tools for tracking information risks to enable business units to be held accountable for managing risks. The threat landscape evolves much too quickly for manual processes that rely on a human being to monitor or analyze risks. You need to have tools in place to automate as much of the tracking and assessment of risk as possible—boiling down the vast volume of the threats and exploits to the few that are the largest concerns for your organization.
- Set a Course for Evidence-Based Controls Assurance: Develop the capability to collect relevant data to test the efficacy of controls on an ongoing basis. You can’t simply assume your security controls are effective or that they will continue to be effective against future threats: You need to have a process in place to periodically test and evaluate your security controls to ensure they still work as planned, and adapt accordingly in areas where your security controls are no longer sufficient.
- Develop Informed Data-Collection Techniques: Plan to comprehensively improve overall collection architecture, produce more data-rich logs, and increase data-storage capacity. Start by looking at the types of questions data analytics can answer in order to identify relevant sources of data. Advanced persistent threats (APTs) and other emerging attack techniques are good at circumventing defenses and flying under the radar, but capturing and analyzing log data over time can help you identify anomalous activity.
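The last recommendation is the one most directly translatable into code: a baseline of "normal" built from log data collected over time, against which new events are compared. The script below is an added illustration, not code from the SBIC report or from RSA. It assumes a simple constructed authentication-log format (`timestamp user=… src=… action=login result=…`), builds a per-user baseline of source addresses and login hours from a historical window, and then flags later events that fall outside that baseline (a source never seen before, an hour never seen before, or a user absent from the baseline entirely). All log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format for this example; a real collection architecture would
# feed richer, normalised events (see the report's point about data-rich logs).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=login result=(?P<result>\S+)$"
)


def parse(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def build_baseline(lines):
    """Per-user sets of source addresses and login hours seen in the baseline window.

    Only successful logins shape the baseline so that failed attempts from an
    attacker cannot 'teach' the baseline a new source address.
    """
    baseline = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "success":
            continue
        baseline[ev["user"]]["srcs"].add(ev["src"])
        baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return dict(baseline)


def find_anomalies(baseline, lines):
    """Return (timestamp, user, reasons) for each event that deviates from the baseline."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # malformed lines are skipped rather than crashing the run
        known = baseline.get(ev["user"])
        reasons = []
        if known is None:
            reasons.append("user not present in baseline")
        else:
            if ev["src"] not in known["srcs"]:
                reasons.append(f"new source {ev['src']}")
            if ev["ts"].hour not in known["hours"]:
                reasons.append(f"unusual hour {ev['ts'].hour:02d}")
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["user"], reasons))
    return findings


# Constructed baseline window: a few weeks of ordinary activity, abbreviated.
BASELINE_LOGS = [
    "2014-03-03T09:12:44 user=alice src=10.0.0.5 action=login result=success",
    "2014-03-03T14:05:10 user=alice src=10.0.0.5 action=login result=success",
    "2014-03-04T10:31:02 user=alice src=10.0.0.5 action=login result=success",
    "2014-03-03T08:02:19 user=bob src=10.0.0.7 action=login result=success",
    "2014-03-04T17:45:00 user=bob src=10.0.0.7 action=login result=success",
    "2014-03-04T03:00:00 user=bob src=198.51.100.4 action=login result=failure",
]

# Constructed events to evaluate against that baseline.
NEW_LOGS = [
    "2014-03-10T09:01:00 user=alice src=10.0.0.5 action=login result=success",
    "2014-03-10T03:17:42 user=alice src=203.0.113.9 action=login result=success",
    "2014-03-10T08:10:00 user=bob src=10.0.0.7 action=login result=success",
    "2014-03-10T11:00:00 user=carol src=10.0.0.9 action=login result=success",
    "this line is not a login record",
]


def run_example():
    baseline = build_baseline(BASELINE_LOGS)
    return find_anomalies(baseline, NEW_LOGS)


if __name__ == "__main__":
    for ts, user, reasons in run_example():
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

Run as a script it reports two findings: alice's 03:17 login from 203.0.113.9 (new source and unusual hour) and carol's login (no baseline at all). The failed attempt against bob from 198.51.100.4 does not enter the baseline, so that address would still be flagged later. A production version would replace the in-memory sets with the storage the report calls for, so the baseline can span months rather than a handful of lines.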
Network and computer security have developed over time as a reactionary evolution to counter emerging threats. The result is a somewhat ad hoc collection of tools and processes held together with duct tape and chewing gum. Even a well-engineered perimeter-based defense, however, can’t handle the complexity of managing cybersecurity risks today.
Keeping pace with cyber threats and the latest business and technology trends requires an overhaul of information security processes. Follow the recommendations in the SBIC report to begin transforming your information security strategies.