Channel: Blog | Dell

SBIC – 2013 Trends Report – My Recommendations


The Security for Business Innovation Council recently published a Special Report: Information Security Shake-Up: Disruptive Innovations to Test Security’s Mettle in 2013.

The special report states that four “trends will have a big impact on information security programs, revealing significant and growing gaps including a lack of business skills, relationships, supply chain management, and tech-savvy action plans”.  “In 2013, a cluster of disruptive innovations will continue transforming enterprise IT and hammering at the very foundations of information-security strategies”.

Report Highlights

This year promises several major developments in enterprise adoption of:

  • Cloud computing: Many organizations are preparing to move more business processes – even mission-critical apps and regulated data – to the cloud.
  • Social media: Based on social media’s new-found powers to influence consumer purchasing behavior, many organizations are elevating it to a strategic endeavor.
  • Big data: Evidence of competitive advantage is compelling more organizations to begin big data projects to gain market and business intelligence.
  • Mobile devices: Organizations are experiencing a surge of consumer mobile devices accessing corporate networks and storing corporate data.

My Impression

I do agree that cloud computing, social media, big data and mobile devices will ramp up in 2013 for organizations, from a risk perspective and also from a traditional IT implementation standpoint.  All of these topics will require thought leadership and in some cases major changes to the organization’s policies, procedures, and operations.  I don’t want organizations and senior leaders to get caught up in technology trends when the top organizations in the world continue to be breached, and in some cases, repeatedly.  My stance for 2013, based on our history, is back to the basics: solid programs built on strong foundations, with a healthy expectation that the organization will likely be breached.

If I had to distill my advice down to three topics, they would be:

  • Focus on ensuring a strong foundation exists within the enterprise security program, because the data tells us that organizations are still not getting this right.  Only 6% of breached organizations self-detect their own lapse in security controls.
  • Assume your organization will be breached and make sure you have a solid process-based incident response plan and program in place that can be executed at a moment’s notice.
  • Gain better visibility to third party vendors and service providers and the risks they pose to your organization.

A Strong Foundation

The idea behind outlining artifacts of a security program is to help security leaders and executive management do a mental checklist on their program.  The artifacts checklist is a practical way for business leaders to quickly identify any areas where they may be doing well or possibly need improvement.

  • Relevant Security Policies, Procedures, Processes
  • Board of Directors Approved Roadmap
  • Visibility of Relevant Threats
  • Cross Functional Governance
  • Incident & Breach Response Program
  • Management of Third Party Risks
  • Information Lifecycle Management
  • External Risk Assessments/Audits
  • Risk Identification and Acceptance Process
  • Documented and Defensible Security Program
  • Security Intelligence
  • Active Awareness & Education

Incident Response Plan

The idea behind outlining artifacts of a cyber security and privacy program is to help security leaders and executive management perform a simple checklist on their security and privacy program.  I created a maturity scale that you may want to review before reading the rest of the information.  I provide this as an awareness tool so executives will hopefully take a closer look at their organizations and take action as appropriate.  The artifacts checklist is a practical way for business leaders to quickly identify areas where they may be doing well or possibly need improvement.  We know, based on thousands of reported breaches, that self-detection of breaches is very low (approx. 6%) and that the fascination with buying more technology is mostly ineffective.  A logical investment by management clearly includes the development and implementation of a highly effective and efficient incident containment and response program.

Operations

  • A senior C-level executive (CIO, CTO, CSO, CPO, CAO, etc.) sponsors and leads a formally documented cyber security and privacy program that is empowered to make business decisions.
  • Management has documented and published a set of relevant policies regarding information, cyber, and privacy practices, and they are clearly communicated to all employees and partners on a regular basis.
  • For organizations with global operations, management has accounted for the varying cultures in their security and privacy programs.
  • There is clear evidence that management supports cyber security and privacy protection as a business priority.
  • Management enforces all published security and privacy policies.

Data Security & Protection

  • Executive management has made it clear, by their actions, that a cyber security or privacy breach would adversely affect the company, to include their employees and customers, and they are taking a well thought out and relevant set of actions to adequately protect the sensitive information under their control.  The security and privacy programs are well documented and can be defended.
  • The organization has an adequate level of human resources with the proper skills, knowledge and experience to protect the sensitive employee and customer information under their control.
  • The organization hires and retains knowledgeable cyber security and privacy professionals that are focused on protecting the sensitive information under the control of the organization.
  • Management has adequate technology, operational, and managerial controls in place to protect the sensitive information under their control resulting from formal risk assessment and analysis processes by internal and external subject matter experts.
  • Management retains qualified external unbiased subject matter experts on a regular basis to review, audit, and assess their cyber security and privacy programs and controls in the context of the threats the organization faces at that point in time.

Communications & Culture

  • Employees are required to complete routine and relevant training, and there is clear evidence they understand how to protect sensitive information.
  • Management is transparent about its actions, controls, and programs involving employee and customer sensitive information.
  • Management has formed and staffs a formal department for reporting and responding to information security and privacy complaints/breaches, employee and customer complaints/concerns, and identified resources for communicating with regulators as appropriate.
  • The organization makes a visible effort to communicate and educate all employees and relevant business partners regarding security and privacy risks.
  • Management has set the tone that all relevant risks must be identified via a formal process and that a reasonable set of controls should be negotiated within the business to protect sensitive information, intellectual property, and their employees and customers.

Third Party Visibility

Third party service providers create blind spots in your security program.  The risks can be partially addressed by extending the two topics above, a strong foundation and an incident response plan, to cover those providers.  A formal third-party risk management program that defines risk tolerances, trigger events, and the logic for managing the inevitable risks is likely relevant and required for most enterprise organizations.

I always welcome your input and comments.

Read More: Tim’s Security Blog
