[Opinion] Its High Time ….

By


The recent spate of cyber-attacks has served as an eye-opener for many organizations and individuals. Organizations that were using unpatched software had no security teams, no incident response policy, and procedures, etc. clearly were the ones who had to bear the maximum brunt of such attacks. There were many who did not get affected as they took the right steps at the right time and gave due importance to security and security teams in their organization.

Lots of points mentioned below have been long debated in organizations. But it’s high time that they are taken seriously and religiously implemented.
CISO/CSO should be a part of Board Meetings

In most organizations, security is still considered an IT job. The CSO reports to either the CIO or admin's head or some senior business person. The organizations mostly appoint a CSO just to ensure that regulatory compliance (in some countries) is taken care of. They are really not interested in considering security a business driver. In fact, a lot of business people consider security or security teams as a hindrance to their dreamy innovations and ideas which they want to roll out (without testing) in the blink of an eye.

It’s high time that the organizations realize that CSO should have appropriate representation in the board meetings and the CSO should report to the highest authority of the organization. The CEO should have the CSO/CISO on speed dial on his phone. The recent attacks and increasing number of data breaches are a testament to the fact that security is no longer an add-on or just regulatory compliance to be taken care of. It is, in fact, the next enabler of business.

By making the CSO a part of board meetings, the organizations can show that they really care about security. It improves customer confidence and showcases the seriousness of security. However, it is really important that CSO is given a time slot in every meeting to apprise the board of the current risks the organization faces and the funding required if any. Just making the CSO a mute spectator in every meeting is simply not going to help.


Security Representative in Customer Meetings

It is often seen in most organizations that business people keep themselves at the forefront when either meeting with a prospective customer or an active customer. They are always of the opinion that security people should work in the background and should show a glimpse of their faces only if the customer insists.

It’s high time that there is appropriate security representation when meeting a prospective customer or an active customer. Customers are more focused and interested in learning how can you keep their information secure than understanding what technology or language ( java/python / c etc.) is being used to make the product. By making a security representation when meeting a prospective customer, you can showcase how serious you are as an organization in keeping the customer’s data safe and secure.

It’s high time that organizations realize that the most important parameter of getting new business will not just be agility or cost optimizations but SECURITY.


Security is a Business Enabler

Most of the business people you meet always crib as to how security patches, updates, tools, etc. have made their systems slow. Their productivity gets hampered only because DLP, proxy, HIDS, firewalls, etc. run in the background and they are not able to get the full potential from their systems and staff.

They are not able to give wings to their new ideas which germinate in their heads while brushing their teeth in the morning as the security teams reject their proposals because of security issues.

It's high time business owners realize that security is no longer a hindrance to their operations or ideas. Security is a business enabler and all the tools deployed and patch updates are done in order to ensure that bad elements are not able to wreak havoc on your systems by demanding ransomware or doing a data breach.

If you want new business, be rest assured, that you will get it only when security is in place. If you consider otherwise, I challenge you to get a contract where you mention securing customer data as “We will think about it” in the RFP.


Ensure and Evolve Security Everyday

Many organizations are of the opinion that a policy that they made decades ago is going to save them from a data breach. Some think that we must buy the most expensive tools and countermeasures available in the market and we’ll be the most protected organization on this earth. Most organizations also have a deeply ingrained belief as to “Who will attack me?” as my organization is not doing any confidential work.

It’s high time that organizations, as well as individuals, realize and clearly understand the fact that everyone is a target. The hacker is not going to spare you just because you keep only songs or movies on your laptop and no confidential data. The ransomware is not going to spare blocking your organization’s system because you are only manufacturing chocolates or baby powder.

Information Security is not a “Fit it, Forget it” or “I did that a year ago” kind of activity. It’s something that you will have to practice religiously every day. Why? The answer is simple. Just like you brush every day because germs come up in your mouth every day, similarly, new attacks and threats emerge every minute and you need to constantly protect your organization from such threats. That means analyzing your threat profile, risk posture, controls, and countermeasures every day.

Considering and making decisions on risk assessment done a year ago is similar to crossing a bridge (with valleys on both sides) with your eyes closed; hope you get the point! You are bound to get burnt if you are not making decisions on real-time data.

In conclusion, the only point to drive across is that it’s really high time that organizations and individuals start taking security seriously. Although businesses take huge time to set up and become successful yet it only takes a data breach to make them bite the dust and perish forever.

Don’t become history, practice security…….

Comments

Post a Comment

You may also like to read...

Identification, Authentication, Authorization, and Accountability

By
Image
The 4 steps to complete access management are identification, authentication, authorization, and accountability. Many confuse or consider that identification and authentication are the same, while some forget or give the least importance to auditing. These are four distinct concepts and must be understood as such. Identification Whenever you log in to most of the websites, you submit a username. In case you create an account, you are asked to choose a username which identifies you. This username which you provide during login is “Identification”. It is simply a way of claiming your identity. From an information security point of view, identification describes a method where you claim whom you are. If you notice, you share your username with anyone. Your email id is a form of identification and you share this identification with everyone to receive emails. This means that identification is a public form of information. Authentication So now you have entered you
Continue Reading...

Access Control Models - DAC, MAC, RBAC , Rule Based & ABAC

By
Image
Identity and Access Management is an extremely vital part of information security. An access control model is a framework which helps to manage the identity and the access management in the organization. There are 5 main types of access control models: discretionary, rule-based, role-based, attribute-based and mandatory access control model. Every model uses different methods to control how subjects access objects. While one may focus on rules, the other focus on roles of the subject. As a security professional, we must know all about these different access control models. While one company may choose to implement one of these models depending on their culture, there is no rule book which says that you cannot implement multiple models in your organization. These models are built into the core or the kernel of the different operating systems and possibly their supporting applications. Every operating system has a security kernel that enforces a reference monitor concept, whi
Continue Reading...

How to Pass SSCP Exam in the First Attempt

By
Image
Systems Security Certified Practitioner (SSCP) exam is offered by (ISC)2 . When I prepared for this exam, there was hardly any material for preparation or blog posts to help me understand the experience of this exam. In this blog post, I will try to explain to you how to study for this exam and the experience of this exam.  Before I begin, let me congratulate on your journey to becoming an SSCP. Although this certification may not be highly recognized as the CISSP certification, still it shows your employer and the world that you are really interested to pursue your career in this field. You become a practitioner in this field. What is SSCP? You would like to read CISSP vs SSCP in case you want to have a comparison between the exams. SSCP is a 3-hour long examination having 125 questions. You are required to score a minimum of 700 out of 1000. 25 questions are not graded as they are research oriented questions. It is important to note that since these questions are
Continue Reading...

Understanding Security Modes - Dedicated , System high, Compartmented , Multilevel

By
Image
Imagine a system that processes information. This information is classified in nature. When we say, its classified, it means that the information has been labeled according to the data classification scheme finalized by the organization. This scheme can be company specific, such as public, internal and confidential or military/government specific such as Confidential, Top Secret, Secret, Public. As a general user or a security professional, you would want that proper controls to be implemented and the system to be secure that processes such information. Imagine a scenario where such a malicious user tries to access this information. What clearance must this person have? Will he/she have access to all classified levels? Hey!!, stop imagining. Let’s discuss something else now. Hold on, I know, I had asked you to imagine the scenario above. But answers to all your questions would follow, so keep on reading further. We need to learn and understand a few terms before we are ready
Continue Reading...

Cloud Computing - The Logical Model

By
Image
At a high level, both cloud and traditional computing adhere to a logical model that helps identify different layers based on functionality.  The four layers are : Infrastructure: The core components of a computing system: compute, network, and storage.The foundation that everything else is built on. The moving parts. Metastructure: The protocols and mechanisms that provide the interface between the infrastructure layer and the other layers. The glue that ties the technologies and enables management and configuration. Infostructure: The data and information. Content in a database, file storage, etc. Applistructure: The applications deployed in the cloud and the underlying application services used to build them. For example, Platform as a Service features like message queues, artificial intelligence analysis, or notification services. The security at different levels is mapped to the different layers. The application security is managed at the applistructure layer while the data sec
Continue Reading...