Through our extensive research via our Feats of Strength publication and our Internal Research Department, K logix has successfully collected trends from over 150 distinguished security leaders in a variety of verticals in the security space. In this week's edition of "What CISOs Are Saying," we focus on the topic of foundational security. We recently spoke with CISOs and security leaders who told us one of their top strategic priorities this year was a strong focus on foundational security, or getting back to the security basics. When it comes to ensuring they are covering the core components of a business-driven and mature security program, here's what security leaders are saying:
Foundational security is becoming an increasingly important priority as security leaders navigate a cluttered product marketspace.
Going back to the basics is vital, particularly when it comes to the influx of new security platforms and technologies that are available on the market. Many of them are touting marketing buzzwords such as "next gen," potentially causing attentions to shift and priorities to change. As risks increase, the technology may not keep up, or may require extensive and ongoing operationalization, all of which resulting in a strain on resources and a lack of clearly defined outcomes for technology investments.
Based on their specific business goals and technical requirements, many CISOs approach the topic of foundational security differently. In her profile on pages 6-7 of our latest issue of Feats of Strength, Anne Coulombe, Data Protection Officer at MassMutual says the definition of foundational security does not mean go back to your tried and true software. Since threat actors are savvy and constantly evolving, we must adopt a new view to create edges where edges may not have been before or soften some things that may have been hard.
Anne comments, “There is some reality of having to secure the basics, absolutely. However the method in which you do so must include non-conventional controls. Threat actors already understand the basics, and they target a company for monetary gain or disruption purposes. They know what your typical large company is utilizing in terms of services and different software, therefore a layered approach reduces access to both easy and critical asset targets. Think like a threat actor targeting your infrastructure or your data, it helps us come up with methods to trick and catch the bad actors, be creative and be a step ahead as often as possible.”
Having a solid and well-defined alignment to a framework ensures a clear plan and provides a method of tracking maturity.
84% of organizations utilize one or more of the three main information security frameworks. The most followed security frameworks include:
- NIST: The National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity is used by 29% of organizations. NIST is a voluntary framework intended primarily for critical infrastructure organizations to manage and mitigate cybersecurity risk based on existing standards, guidelines and practices.
- CIS Controls: The Center for Internet Security Critical Security Controls is used by 32% of organizations and includes a set of 20 actions designed to mitigate the threat of common cyber-attacks.
- ISO: Used by 35% of organizations, ISO 27001 is the international standard that describes best practice for implementing an ISMS (information security management system). Achieving accredited certification to ISO 27001 shows that your company is following information security best practices and delivers an agnostic expert assessment of whether your data is adequately protected.
On page 16 of the latest Feats issue, Joe Minieri, CISO, Orvis says, “First, I am ensuring that my security program covers the basic requirements sufficiently. There’s a number of good standards and guidelines available. I start by trying to demonstrate how I measure up to the chosen standards. Often, processes that were implemented years ago may become laxly implemented now. Sometimes we think we’re doing something completely, but not testing for thoroughness. When we test, we find out we’ve been missing things. This is how to identify gaps that need to be filled – either by reinvigorating a process that’s become slack or by finding a new piece of technology that does something we’re missing.”
Fostering a strong security culture within your organization ensures each employee is accountable for upholding security standards and protocols.
On page 18, Sue Bergamo, CIO and CISO, Episerver, comments, “I think that getting back to the basics right now is around making sure that you don’t have any holes in your environment. We must ensure we are not taking our foot off the pedal with educating our consumers, employees, and spheres of influence on the importance of staying vigilant and focused on protecting ourselves because unfortunately cybercriminals are not on holiday.”
By holding your employees responsible, they become critical elements of a secure organization. As businesses shift to working remotely, having an embedded security culture means each employee is held responsible for the upholding the security goals of the organization. Security belongs to everyone, from the executive staff to the mail-room.
K logix is a business-focused information security consultancy. We help our customers confidently align information security with business goals while reducing risk and increasing maturity. Our experienced team leverages business intelligence and agnostic research to provide innovative, strategic consulting services. If you’re interested in focusing on foundational security we can help through our strategic assessment services. Drop us a line for more information on how we can work together to strengthen your program.
Want more? Read our latest issue of Feats of Strength that highlights Foundational Security and how to get back to the basics in this transformative time.