According to the 2015 Cost of Data Breach Study by IBM and the Ponemon Institute, “The average total cost of a data breach for 350 companies studied increased from $3.52 to $3.79 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $145 in 2014 to $154 in this year’s study.” As metrics such as these continue to be released within a multitude of Cybersecurity surveys, organizations must identify ways to exercise proactive diligence around Cybersecurity defense, detection and response. To get some of these actions going, organizations are requesting additional funding and resources to increase the IT security posture around people, processes and technology.
It Starts With Our People
As organizations fall victim to data loss due to reasons such as human error, the utmost attention must be given to the people who are responsible for the creation, use, storage and transmission of this data. I believe people-focused cybersecurity training and awareness is just one fundamental action an organization can take to influence decision-making and care within Cybersecurity. From here, a culture of continuous, proactive preparedness and disciplined data management is critical, beyond just the minimum actions of training. For example, some organizations are reaching out to outside IT security organizations to measure their employees’ Cybersecurity response upon encountering external malicious actions such as a spear phishing attack or a social engineering attempt. To sustain these types of proactive measures, organizations must drive top-down leadership, communication and collaboration, emphasizing the importance of Cybersecurity within the organization as tied to their business strategy and objectives. As this “hearts and minds” campaign gains momentum, the message must continuously evolve as new threats are identified.
Business Processes Need to Be Scrutinized
Alongside an organizational culture shift in which Cybersecurity is paramount, the same level of immersion has to be applied to business processes. Leaders within business units across the enterprise, whether providing a product or service to internal or external customers, must review existing processes where information and data are created, stored, used and transmitted. Whether the data is structured or unstructured, it is everyone’s responsibility to ensure it is managed appropriately to minimize risk to the organization and its customers. As these processes are unraveled, here are some important questions I would ask:
- Who has access to the data within the activity?
- Are there defined activity inputs and outputs that impact other activities?
- What is the sensitivity and classification of the data accessed?
- Who is responsible for managing this process?
- Are there any associated risks with the performance of this process?
From answers provided to these questions, I believe some opportunities for improvement and risk reduction could turn up. A few additional questions…
- Are there optimal ways to execute this task with less risk to the data exposed?
- Could any Cybersecurity practices be implemented during the execution of this activity?
- Do any concerns need to be communicated to leadership that require decision-making action around identified risks?
As broken business processes are analyzed and improved, it’s critical for business units to communicate lessons learned and turn them into best practices, so team members can execute these improved, secure processes habitually.
Technology Implemented By Itself Is Not Always The Answer
I’ve worked with organizations in the past that have put in place a specific technology around information security without integrating this technology into existing processes, or vice versa. The same goes for employees with access to this technology. They did not receive any sort of training on the new technology, or were expected to “figure it out”. To make matters worse, I’ve seen new technologies roll out without formal communication to the organization, and it had an immediate impact on processes being executed, causing some to come to a complete stop.
As new, upgraded or patched information security technologies are deployed within any business environment, IT security leadership needs to ensure that appropriate communication, awareness and training are provided to those affected. This mantra fits right into promoting a culture of optimized information security within any business environment. In addition, business units must communicate with IT security leadership regarding the processes they execute and how these implemented technologies can impact those processes. For example, within healthcare environments, proper planning and execution of application testing and patient processes would fall into this conversation.
But What About Governance?
The planning and execution of organizational governance within Information Security must support and enable the performance of people, processes and technologies throughout the enterprise. First, establishing the current state of governance within the enterprise will provide visibility into the short and long term initiatives that have to be developed to close gaps and vulnerabilities. Referencing Information Systems Audit and Control Association (ISACA) best practices, here are some questions to ask:
- Is our organizational strategy currently aligned with our Information Security posture?
- Are we currently assessing risk? How are we currently performing?
- What level of analysis is applied at the process level?
- How can we implement Information Security to increase value to business objectives?
- Do we have the correct resources in place? How are we managing these resources?
- Above all, how are we using metrics to measure performance? Are critical success factors in place?
Answering these questions should paint a picture of how any organization is exercising governance, especially around Cybersecurity. Following on from these answers, many organizations I have partnered with in the past are bound by government regulation to ensure Cybersecurity practices are implemented and enabled across the enterprise. Beyond regulatory compliance requirements within HIPAA, PCI-DSS, GLBA and SOX, organizational leadership must work to develop and implement best practice controls using frameworks such as COBIT and ISO 27001, in addition to any Authorized Use Policy in place. I’m confident that instilling these principles will provide a foundation to propel an optimized security culture within any enterprise.
Emphasizing Proactive Cybersecurity Detection and Response
According to Gartner, “By 2020, 60% of enterprise information security budgets will be allocated to rapid detection and response approaches — up from less than 10% in 2014.” As we approach our upcoming webinar on June 23rd with my colleague Tim Kelleher, VP of IT Security Services at CenturyLink, we’ll deep dive into this topic, as well as discuss other topics mentioned within this blog. In addition, we’ll discuss some proactive awareness actions that can be taken to ensure proper detection and response measures are in place in the event that a breach does occur. Stay tuned…