Friday, January 27, 2017
The Cyber Security Program, as I have often observed in various organizations over the years, is led with a piecemeal approach. There is no holistic view or review of it, and the Cyber Security team, often small enough to be counted on one's fingers, is left to fend for the entire organization's Information and Information Technology establishments. The other teams, from IT as well as Business, shrug off their responsibility to participate in the overall Cyber Security Program.
The main culprit for the piecemeal approach, as I have seen, is the Business's alignment to the overall Information Security aspects. The biggest misconception that Managers at various levels in a Business carry is: "Business as Usual doesn't need to be secure, and if anything needs to be secured, then the Information Security Team has been hired for the purpose." In one of my interactions with a Client IT Manager, when I highlighted the acute need for them to focus on Information Security aspects, I was told to submit my detailed Information Security Assessment Report and they would see what they would have to do. The IT Manager also had the additional responsibility of handling the Information Security Domains and was an influence in the Office of the CIO.
There are many such instances I have waded through in the industry where organizations take a piecemeal approach rather than a holistic view for implementing Information Security measures. For instance, in one case a Senior Information Security Architect was forcing us to include two layers of Security even to reach the DMZ. I was not able to understand the logic of having two layers of firewall of the same make and model with the same rule-base. Maybe I was ignorant, as I have always believed that Firewalls are the dumbest Security Device, because they cannot differentiate between legitimate and illegitimate traffic on the ports they are supposed to let traffic flow through. It certainly is good to have layered Perimeter Security, but only when we look at the holistic view of the overall Perimeter layer security and not just a small dumb appliance called a Firewall. It is important that we also consider the other layers of IPS/IDS, Anti-malware, Anti-virus, Deep Inspectors, Threat Monitors, etc. at that layer rather than just relying on the Firewall. Even if we are looking at two layers of Firewall, please consider two different makes, models and technologies rather than what I described in my example above.
Another aspect of Information Security that takes a piecemeal approach is addressing and reporting compliance requirements as applicable from industry to industry. For instance, it is indeed a very good practice to have a Risk Based Internal Audit (RBIA) practice, but then the practice must cover an inclusive scope of audit rather than an exclusive one. What I mean here is that focusing on a particular standard, and then confining the Risk Assessment to the requirements of that standard in order to define the Audit Program for the next year, limits the overall Audit Scope. It would be better to cover the Risk Assessment with a holistic approach, based on the Control Domains applicable to the Business as well as the IT functions. This Risk Assessment would provide a wider set of aspects that must be audited on a regular basis, as it would surface many more situations to audit and assess from the Risk Management perspective. These audit activities can then feed into the residual Risk Assessment, helping with a better RBIA result than the micro-results achieved with the previous approach, which I call Need Based Audit and not a true RBIA.
Even though today Compliance Assertion and Risk Management have been branched out from the earlier Information Security initiative into a Governance, Risk and Compliance function, the base still remains the same: Information Security initiatives drive the overall Risk and Compliance posture of an organization. It is in fact imperative that Information Security be driven with a bottom-up approach, with Information sitting at the bottom of the pyramid and the overall Governance at the top. This would certainly help drive the holistic view and review, with the Information at the bottom being shielded by the Controls deployed at the technology and process levels, and the Controls providing inputs to the compliance assertion requirements, which flow into the Risk Management and Governance piece. The overall system needs to be deployed in a fashion that says "All Inclusive" rather than "Exclusive PCI", "Exclusive HIPAA" or "Exclusive FIPS". Though the industry has been talking about a Unified Compliance Framework for ages now, that term has still not been adopted by most organizations, and I do not see a major breakthrough there unless organizations first look at the Macro level for an All Inclusive approach rather than the current Piecemeal approach by technology, by security or by compliance need.