We spoke with many CISOs and security leaders who told us one of their top strategic priorities this year was a heavy focus on foundational security, or getting back to the security basics.
This increased focus is driven mainly by the business implications of the COVID-19 climate. Businesses are rapidly transforming to support remote workforces and shifting priorities, and security has an opportunity to be part of that transformation from initial planning through execution and implementation.
Concentrating on foundational areas lets a security program confirm that it covers the core components of a strong, business-driven and mature program before layering anything else on top.
This is particularly vital given the clutter of security technologies on the market, many labeled 'next gen' or wrapped in marketing buzzwords. Attention may shift and priorities change, and leaders can be sidetracked from securing their core areas. There is such a thing as buying too much technology too fast: a product may solve one problem, but as risks increase and priorities shift it may not keep up, or it may require extensive and ongoing operationalization. The result is a drag on resources and a lack of clearly defined outcomes for many technology investments.
Furthermore, as cloud adoption remains a top priority and businesses transform at a rapid pace, security programs need solid foundations in order to transform at the same rate as the businesses they support.
Many CISOs approach foundational security differently based on their specific business goals and technical requirements. For example, in her profile on pages 6-7, Anne Coulombe, Data Protection Officer, MassMutual, says that getting back to the basics does not mean going back to your tried and true software. Since threat actors are savvy and adaptable, we must adopt a new view: create edges where edges may not have been before, or soften some things that may have been hard.
Anne comments, “There is some reality of having to secure the basics, absolutely. However, the method in which you do so must include non-conventional controls. Threat actors already understand the basics, and they target a company for monetary gain or disruption purposes. They know what your typical large company is utilizing in terms of services and different software, therefore a layered approach reduces access to both easy and critical asset targets. Think like a threat actor targeting your infrastructure or your data: it helps us come up with methods to trick and catch the bad actors, be creative and be a step ahead as often as possible.”
84% of organizations use one or more of the three main information security frameworks. A deliberate approach to aligning the program with a framework gives the CISO a clear plan and a way to track maturity over time.
On page 16, Joe Minieri, CISO, Orvis, says, “First, I am ensuring that my security program covers the basic requirements sufficiently. There’s a number of good standards and guidelines available. I start by trying to demonstrate how I measure up to the chosen standards. Often, processes that were implemented years ago may become laxly implemented now. Sometimes we think we’re doing something completely, but we’re not testing for thoroughness. When we test, we find out we’ve been missing things. This is how to identify gaps that need to be filled – either by reinvigorating a process that’s become slack or by finding a new piece of technology that does something we’re missing.”
The most followed security frameworks include:
NIST: The National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework, or CSF) is used by 29% of organizations. The CSF is a voluntary framework, originally intended for critical infrastructure organizations, for managing and reducing cybersecurity risk; it is built on existing standards, guidelines and practices rather than prescribing new controls, and it is now widely adopted outside critical infrastructure.
CIS Controls: The Center for Internet Security Critical Security Controls are used by 32% of organizations. At the time of writing they comprise a prioritized set of 20 actions designed to mitigate the most common cyber-attacks (later versions of the Controls consolidate the list, so check the current version before mapping to it).
ISO: Used by 35% of organizations, ISO/IEC 27001 is the international standard that specifies the requirements for an ISMS (information security management system). Achieving accredited certification to ISO 27001 shows that your company's ISMS conforms to the standard and gives an independent, expert assessment of whether your information is adequately protected.
Program Areas of Focus
While foundational security may mean different things to different CISOs, here are the key areas the CISOs we spoke with identified as areas of focus:
Identity and Access Management (IAM):
IAM is the process of defining and managing the roles and access privileges of individual users, and the circumstances under which users are granted (or denied) those privileges. A strong IAM program starts with knowing what assets you have and who has access to each of them. By managing IAM policies, programs and technologies against that inventory, you can reduce identity-related access risks within your business.
CISOs should look at their IAM program as a whole to identify gaps, then plan to close those gaps and increase maturity rather than addressing them one system at a time.
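The IAM point above comes down to two questions a CISO must be able to answer: who has access to which assets, and is each grant justified by the person's role? The following script is an added example written for this article, not code from the report or from any of the organizations quoted in it. It runs an entitlement review over constructed sample data (assets, role baselines, an HR roster and an exported access list; none of it real) and reports orphaned accounts, access beyond the role baseline, and administrative access on high-criticality assets that warrants review even when it is in the baseline.

```python
"""Entitlement review: who has access to what, and is it justified by role?

Added example with constructed sample data (not from a real environment).
"""
from collections import defaultdict

# Asset inventory: what we have, and how critical each asset is.
ASSETS = {
    "payroll-db": {"criticality": "high"},
    "crm":        {"criticality": "medium"},
    "wiki":       {"criticality": "low"},
}

# Role baselines: the (asset, permission) pairs each role needs.
# Any grant outside the baseline is excess and must be justified or removed.
ROLE_BASELINE = {
    "hr-analyst": {("payroll-db", "read"), ("wiki", "read")},
    "sales":      {("crm", "read"), ("crm", "write"), ("wiki", "read")},
    "dba":        {("payroll-db", "admin"), ("crm", "admin")},
}

# HR roster of active users and their role. A user with access who is
# not on the roster has left, was never onboarded properly, or is a test
# account nobody owns: an orphaned account.
ROSTER = {"alice": "hr-analyst", "bob": "sales", "carol": "dba"}

# What the systems actually grant, e.g. exported from each application or
# the identity provider. Constructed rows; the comments mark the planted findings.
ENTITLEMENTS = [
    ("alice", "payroll-db", "read"),
    ("alice", "wiki", "read"),
    ("bob", "crm", "write"),
    ("bob", "payroll-db", "read"),     # sales rep reading payroll: excess
    ("carol", "payroll-db", "admin"),  # in baseline, but admin on a critical asset
    ("dave", "crm", "admin"),          # not on the roster: orphaned account
]


def access_by_asset(entitlements):
    """Answer 'who has access to what': asset -> sorted list of users."""
    users = defaultdict(set)
    for user, asset, _perm in entitlements:
        users[asset].add(user)
    return {asset: sorted(u) for asset, u in users.items()}


def review_entitlements(assets, baseline, roster, entitlements):
    """Compare actual grants against inventory, roster and role baselines.

    Returns a dict of finding lists:
      unknown_asset          - grant on an asset missing from the inventory
      orphaned               - grant held by a user not on the HR roster
      excess                 - grant outside the user's role baseline
      privileged_on_critical - admin on a high-criticality asset (review
                               even if in baseline: these are the crown jewels)
    """
    findings = {
        "unknown_asset": [],
        "orphaned": [],
        "excess": [],
        "privileged_on_critical": [],
    }
    for user, asset, perm in entitlements:
        if asset not in assets:
            # Can't assess risk on an asset we don't know we have.
            findings["unknown_asset"].append((user, asset, perm))
            continue
        role = roster.get(user)
        if role is None:
            # Orphaned accounts are removed, not reviewed for excess.
            findings["orphaned"].append((user, asset, perm))
            continue
        if (asset, perm) not in baseline.get(role, set()):
            findings["excess"].append((user, role, asset, perm))
        if perm == "admin" and assets[asset]["criticality"] == "high":
            findings["privileged_on_critical"].append((user, asset, perm))
    return findings


if __name__ == "__main__":
    for asset, users in access_by_asset(ENTITLEMENTS).items():
        print(f"{asset}: {', '.join(users)}")
    for kind, rows in review_entitlements(ASSETS, ROLE_BASELINE, ROSTER, ENTITLEMENTS).items():
        for row in rows:
            print(f"[{kind}] {row}")
```

In practice the roster comes from HR, the entitlements from each application's export or the identity provider, and the baselines from the role definitions the business signs off on; the review is only as good as the completeness of the asset inventory, which is why the script refuses to classify grants on assets it has never heard of.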
Data Security
Data security is the process of protecting files, databases and accounts on a network by adopting a set of controls, applications and techniques that first establish the relative importance of different datasets, their sensitivity and their regulatory compliance requirements, and then apply protections appropriate to that classification.
By classifying data and protecting it from unauthorized access and corruption, CISOs can evaluate and reduce the risk that comes with storing different types of data.
Application Security
CISOs are also focusing on security measures at the application level, aiming to protect critical data from external threats by ensuring the security of all software running within the business. This area of security helps identify, fix and prevent security vulnerabilities in any kind of software application.
According to many of the CISOs we spoke with, checking their applications for security flaws is essential as threats continue to increase. With threats growing in complexity and sophistication, especially during periods of rapid socioeconomic change, application security becomes more important than ever.
Strong Security Culture
On page 18, Sue Bergamo, CIO and CISO, Episerver, comments, “I think that getting back to the basics right now is around making sure that you don’t have any holes in your environment. We must ensure we are not taking our foot off the pedal with educating our consumers, employees, and spheres of influence on the importance of staying vigilant and focused on protecting ourselves because unfortunately cybercriminals are not on holiday.”
She continues, “I think these devices, laptops, desktops, whatever you have in front of you, are the most vulnerable right now, especially from a work at home standpoint. As a CIO and CISO, I make sure that our endpoints are protected. I have employees all around the globe; I can’t support all routers in everyone’s home. No one can. So you have to make sure that your employees are educated on how to configure a router as best as possible to make sure that it’s encrypted, to make sure that it’s not open and noticed by criminals that are hanging around, and that it’s locked down and protected through a key. That’s just step one. It’s the device, the most vulnerable piece of the puzzle, that’s where things get in.”
When employees are held responsible for security, they become pivotal components of a secure enterprise. As workforces shift to working remotely, an embedded security culture means each member of the organization is accountable for meeting specific security protocols and standards.