No Urge to Safeguard Business Interest - then No Security
For effective management, one needs to understand the higher aspects of the business and then dig deeper. Cybersecurity is not about adopting a top-notch tech solution to monitor assets, traffic and identities on the network. It's about safeguarding the organization's information assets at all times and achieving the results the business was established for.
How many of us are certain of everything around us? At this point in time, the world as we know it has 42 million COVID-19 infected cases, whereas 9 months ago there were about 500 cases identified. When you step out to work on a regular day, would you have decided that you will wear a particular outfit or drive at about 50 mph on your way? When was the last time you checked your percentage body fat? Regardless, we continue to live. If you don't know or don't care, then it doesn't matter. With the same perspective, if we switch the dimension and put the same you in charge of a business... then? Still don't care?
The objects around us are always governed by Relativity, Dynamics, Parameters and Variables, which heavily influence the probability of the same thing occurring again. You might want to read that again. Can you recall an event which you have repeated exactly as before, 100%? That's what we are talking about. Simply said, we are good enough to deal with things in real time. Can the same be applied to an organization doing some business?
If you are part of an organization and hold some responsibility, this is where you need to look into the future and see where you want to go (Vision), the certainty of your plans and decisions (Objectives) and, in some cases, be ready (BCP) for impact (DRP). Collective efforts have to be drawn in from the beginning, or from whenever you start, to bring in the holistic purview. One way of categorizing them is the 3 below; most likely everything can be fitted within these 3 categories.
To define Stakeholders: they are JUST ABOUT EVERYTHING/EVERYONE affected by and affecting the organization and its business, split into further layers: Strategic, Tactical, Operational and the Adversaries.
- Strategic level: Influences the business decisions. You would have to differentiate between the core business and the support, which helps in proper resource allocation and in organizing priorities. The impact of each identified risk is assessed at this level to adopt an appropriate response, which eventually helps in implementing relevant controls and then monitoring their effectiveness.
- Tactical level: Influences the ways and means of doing business. The entities at this level constantly evaluate what is (and is not) working and improvise to achieve the business goals. Taskmasters that they are, they creatively evolve methods and procedures and enhance and optimize the resources, thereby delivering what is asked of them.
- Operational level: The actual last-mile delivery of the business. Their main role is to execute the procedure and plan of action, and to feed the challenges and best practices back into the system so that it can be improved continuously. You must have heard the phrase: hire the laziest person to do the trickiest job; those are the kind of people required at this level. This level also has a mix of employees and contractors, both novice and experienced; hence the procedures have to be well laid out so that everyone understands how the job is to be executed.
- Adversaries: Entities which can derail the entire business objective. You might want to read the definition of Stakeholders at the top and put the emphasis on the term "affecting the organization". This is the most important of the categories: if it is delved into deeply, the organization gets to know exactly how to safeguard the company's assets. This category also includes employees; inadvertent or malicious, they contribute to 50% of the total threats according to a McKinsey report.
No matter what the business is, there is always an environment in which it has to operate. Everything from the structure and culture of the organization to the geo/economic/commercial/political conditions the business is subjected to has a collective influence and impact on the nature of the business being conducted. There arises a need to comply with certain requirements, be they regulatory, industry standards/norms or local laws enforced in the region, all of which should be adhered to; without that the business will cease to exist.
- Vision: describes your risk appetite and tolerance and helps establish a governance model for visibility in the different layers; together with the other enterprise factors described above, it gives the organization assurance of attaining the business objective. The important aspects to consider in this segment are the risk appetite and tolerance associated with an organizational asset which requires protection from the adversaries identified; 50% of that protection is required against insider threat itself. This fact alone highlights that, at the bare minimum, any organization must have Identity and Access Management enabled with the Principle of Least Privilege or Zero Trust. Having such a system is not enough; all identities must go through a periodic attestation process to achieve the principle in practice.
- Agreements, Partnerships, Contracts: an offer of employment is an agreement, different entities working together is a partnership, and suppliers are engaged on the basis of legally binding contracts. Given that there are different types of parties involved, there are different interests at risk, and so different approaches to minimizing upstream and downstream impacts at different levels. Remember, we are always governed by Relativity, Dynamics, Parameters and Variables: in this context the variables are nothing but the interests of all parties, each with a different gauge. What we are saying is that something of benefit to one party could be a loss to another; in the game everyone is trying to minimize their loss, hence the conflict and hence the overall impact on the business objective. To mitigate the legal liability arising out of contracts and agreements governed by the laws of the land, the terms and conditions of engagements have to be well drafted and defined to avoid damage to the brand image of the organization.
Monitoring & Feedback Framework:
If you are driving a car, just imagine driving without knowing which gear you are in, not knowing you are losing tyre pressure at the rear, and not having checked the spare in a few months. This is particularly true if you get status updates only during the Quarterly Business Review, meaning you are 3 months behind the event; if the event is a breach or an asset compromise then, by design, you get to know only after 3 months, and that too only if it is discovered. On the other hand, it need not be a security incident; the same applies if the objective for the quarter is not achieved because of performance attributed to outdated systems causing low business productivity.
- Collaboration Model: How well business or operational communication/feedback is embedded into the organizational systems is of utmost importance. Most often this aspect is so distributed and disintegrated that by the time the feedback is provided and action initiated, about a month has passed, if it is not lost in transit. From the stakeholders' point of view: think about how easy or difficult it is for the adversaries group to communicate (phishing or social engineering) with the rest of the stakeholders. This is where the need to educate one and all in cybersecurity practices arises.
- Service Asset and Configuration Management (SACM) System: If this doesn't ring any bells, this is how all the assets are inventoried for their legitimacy and the associated users and services are tagged for their business requirements. If this system is configured well, all access (Zero Trust) violations and conflicts are highlighted to be resolved, providing enough control to the service or asset owners. Tools such as SIEM, IDS or IPS, or next-gen firewalls can all be deployed in this process of SACM.
- Integrated Risk Management Solutions: This framework helps in translating business risk into operational risk and then frequently monitoring the risk response process along with the controls implemented and control performance. This dashboard report feeds into the executives / board, highlighting the gravity. The organization can benefit immensely if this is a real-time dashboard.
Though there can be many critical factors which support the cybersecurity initiative of an organization, the aspects highlighted here provide high-level, realistic attributes which can be included in any governance model along with business KPIs. With them, we can be certain to achieve success in the cybersecurity domain, ultimately catering to the vision and growth of the business. Be sure to tap into all available resources for the best guidance and support.