FROM TECH TO BUSINESS-DRIVEN SECURITY
INTRODUCTION:
In today’s digital world, IT security strategy must be transformed into Business-driven security strategy to prevent failure of vital digital transformation projects which will become irrelevant to the business model of an organisation.
TRANSFORMATION TO BUSINESS-DRIVEN SECURITY:
Information Security Practitioners like security analyst and consultants of an organisation should look at the information security from a business perspective to enforce proper risk management so that it will be useful to prevent the data loss or assets that are most important to the organisation during the time of a threat.
For enforcing the business-driven model of Information Security in an organisation, it is essential to understand and assess the risks for the organisation in real time and mitigating the risk by determining the incidents conclusively by a skilled incident management professional team. In short, it is critical to have a “Risk Management in an Organization” than a regular threat management team.
To create a compelling business-driven security model, a business organisation must identify all of its assets, where they are placed, which assets are more vulnerable to threats and attacks etc., which will help them to categorize their holdings for the useful incident and risk management and mitigation of threats.
WHY BUSINESS DRIVEN SECURITY MODEL : ITS IMPORTANCE :
The need for business-driven security arises, mainly due to the evolving threats from various aspects of technology which includes the latest trends like the Internet of Things (IoT), Artificial Intelligence (AI), Machine Learning etc., As these new technologies evolve, the attack vector for these technologies also evolves every day.
For example, IoT devices may have vulnerabilities in firmware level and application level, which an attacker can exploit to take over the IoT device’s control, which gradually increases the threat for the owning organisation.
Another primary reason for the business-driven security model is “The Gap of Grief”. The Gap of Grief is a concept used to refer to void in understanding of how the security vulnerabilities can cause financial and reputation loss problems in an organisation. A significant part of this problem comes with the fact that the CISOs and other information security staffs in general like Penetration testers and consultants failing to translate the challenges and risks in assessing a threat. In cyber-security terms, the problems created by not effectively being able to report security issues to the appropriate people at the right time causes the gap of grief.
Let’s consider an example scenario: The CEO tours television and radio studios in a bid to dispel negative press and to assure the public that their data is safe with the company. This often backfires when it becomes apparent that the CEO has very little knowledge of their company’s cyber-security operations, let alone how the breach occurred or how many customers were affected. This causes problems to the organisation, and the gap occurs.
ASPECTS OF BUSINESS DRIVEN MODEL:
The key element of the business-driven security model is to focus more on detection and assessing the threats then protection as it is a complicated job to carry out. Then there should be a valid defence strategy specifically for all the assets and their vulnerabilities. This defence strategy should have a definite cost to benefit values assigned.
Another aspect of the business-driven security model is, it should include the required and skilled people, process and technology (Tools and services) for carrying out risk management process.
Organizations need to find out the security gaps between the current security level of their application and infrastructure and where they want to be for an ideal security level for effective risk management. This gap analysis process is one of the key aspects to create a business-driven security model for the organisation. This gap analysis process helps out the security staffs to work on patching the gaps and vulnerabilities effectively.
Management should come up with a proper rank level for all their assets and applications based on the key values of assets. Then it will be easy for the security people to carry out gap analysis on a regular basis based on the risk ratings of assets and applications.
CONCLUSION:
The business-driven security model is more useful for an organisation, not just regarding cost but also regarding proper assessment of threats and risk. If implemented incorrect way, it will become an essential security model to help security people mitigate the threats and security breaches.Through a business-driven approach, BriskInfosec productively orchestrates business driven security with more agile and secure way. Since it relies heavily on the risk levels for an organisation, it will help any organisation to save a lot of money and time which they were spending on the incident and threat management.
Just Talk and Hire us to create Business Driven security solutions for your orgnization
Email – contact@briskinfosec.com
REFERENCES:
- https://www.scmagazineuk.com/bridging-the-gap-of-grief-with-business-driven-security/article/670551/
- https://www.bankinfosecurity.asia/interviews/business-driven-security-how-works-i-3688
- https://atos.net/wp-content/uploads/2017/05/atos-whitepaper-cyber-security-ready-for-anything.pdf
- https://www.scmagazineuk.com/bridging-the-gap-of-grief-with-business-driven-security/article/670551/
AUTHOR :
Dawood Ansar
Security Engineer
Briskinfosec Technology and Consulting Pvt Ltd
Find me @https://www.linkedin.com/in/dawood-ansar-29403213b/
Posts
