
Friday, 17 August 2018

From Tech to Business-Driven Security

INTRODUCTION:

In today’s digital world, IT security strategy must be transformed into a business-driven security strategy; otherwise vital digital transformation projects risk failing because the security work becomes irrelevant to the organisation’s business model.

TRANSFORMATION TO BUSINESS-DRIVEN SECURITY:

Information security practitioners such as an organisation’s security analysts and consultants should look at information security from a business perspective and enforce proper risk management, so that when a threat materialises the data and assets that matter most to the organisation are protected from loss.
To enforce a business-driven model of information security, an organisation must understand and assess its risks in real time and mitigate them by having a skilled incident management team determine incidents conclusively. In short, it is more critical to have “Risk Management in an Organization” than a regular threat management team.
To create a compelling business-driven security model, an organisation must identify all of its assets, where they are located, and which of them are most vulnerable to threats and attacks. This lets it categorise its holdings for useful incident and risk management and for the mitigation of threats.

WHY BUSINESS DRIVEN SECURITY MODEL : ITS IMPORTANCE :

The need for business-driven security arises mainly from the evolving threats across many areas of technology, including the latest trends such as the Internet of Things (IoT), Artificial Intelligence (AI) and Machine Learning. As these new technologies evolve, the attack vectors against them evolve every day as well.
For example, IoT devices may have vulnerabilities at the firmware level and at the application level, which an attacker can exploit to take control of the device, gradually increasing the threat to the organisation that owns it.
Another primary reason for the business-driven security model is “The Gap of Grief”. The Gap of Grief refers to the void in understanding of how security vulnerabilities can cause financial and reputational loss to an organisation. A significant part of this problem is that CISOs and other information security staff, such as penetration testers and consultants, fail to translate the challenges and risks found while assessing a threat into business terms. In cyber-security terms, the gap of grief is caused by not being able to report security issues effectively to the appropriate people at the right time.
Let’s consider an example scenario: the CEO tours television and radio studios in a bid to dispel negative press and to assure the public that their data is safe with the company. This often backfires when it becomes apparent that the CEO has very little knowledge of the company’s cyber-security operations, let alone how the breach occurred or how many customers were affected. This causes problems for the organisation, and the gap appears.

ASPECTS OF BUSINESS DRIVEN MODEL:

The key element of the business-driven security model is to focus more on detecting and assessing threats than on protection, which is a complicated job to carry out. There should then be a valid defence strategy specific to each asset and its vulnerabilities, and that strategy should have definite cost-to-benefit values assigned to it.
Another aspect of the business-driven security model is that it should include the required skilled people, processes and technology (tools and services) for carrying out the risk management process.
Organisations need to find the security gaps between the current security level of their applications and infrastructure and the ideal security level they want to reach for effective risk management. This gap analysis is one of the key aspects of creating a business-driven security model for the organisation, and it helps security staff work effectively on closing the gaps and patching the vulnerabilities.
Management should rank all assets and applications by their key value to the business. It will then be easy for security staff to carry out gap analysis on a regular basis, driven by the risk ratings of those assets and applications.

CONCLUSION:

The business-driven security model is more useful for an organisation, not just in terms of cost but also in terms of proper assessment of threats and risk. Implemented in the correct way, it becomes an essential security model that helps security staff mitigate threats and security breaches. Through a business-driven approach, BriskInfosec productively orchestrates business-driven security in a more agile and secure way. Since the model relies heavily on the organisation’s risk levels, it helps any organisation save a great deal of the money and time previously spent on incident and threat management.

Just talk to us and hire us to create business-driven security solutions for your organization.

AUTHOR :

Dawood Ansar
Security Engineer
Briskinfosec Technology and Consulting Pvt Ltd
Find me @https://www.linkedin.com/in/dawood-ansar-29403213b/

Thursday, 5 July 2018

RISK MANAGEMENT: HOW TO CALCULATE RISK?

INTRODUCTION :

Risk assessment and risk management are done by calculating severity and likelihood. Severity is judged by the level of the disaster and how it would affect the future of the organisation. Likelihood is judged by how probable it is that the risk will actually affect the organisation. The risk calculation analyses how the impact would occur and how it can be mitigated on the basis of that calculation.
It is also a meaningful way to protect the organisation’s business while complying with the law and with procedure. It helps to focus on the risks that matter to the organisation. In many scenarios, direct measures can be put in place to control risks, meaning simple, cheap and effective measures to protect your most valuable assets.
In the risk assessment and risk management process, we are going to discuss how the process is done. The contents are listed below.
  1. Identify the hazards
  2. How the risk has happened
  3. Evaluate the risks
  4. Scale for the Likelihood
  5. Scale for the Consequence
  6. Treating the risk occurred
  7. Review Assessment
  8. Conclusion

STEP 1 – IDENTIFY THE HAZARDS:

To understand a risk it is vital to understand the context in which it exists. The relationship between the organisation and the environment it operates in must be defined, so that an outline of the risks the organisation faces is evident.
  • Look at the location and the exposure of data;
  • Talk to the people involved;
  • Check for any recent incidents.

STEP 2 – HOW THE RISK HAS HAPPENED:

This step identifies the likelihood of the risk occurring and the consequence if it does. The risk can be of any type, such as physical, ethical or financial.
Physical risks are those involving damage to organisational assets such as infrastructure equipment, injuries to employees, and terrible weather conditions that affect routine services.
Ethical risks involve potential harm to the reputation and services of the organisation. Trust in the organisation is degraded when a data breach or leakage has occurred.
Financial risks involve the loss of organisational assets, such as any theft or financial breach carried out over the internet.

STEP 3 – EVALUATE THE RISKS:

Risk evaluation means analysing the likelihood and consequences of the identified threat and deciding which risk factors could potentially have an effect and need to be made a priority. The level of the risk is determined from the likelihood and the consequence of the impact.
The evaluation is done by comparing the impact of the risk found during the analysis with the risk criteria previously set by the organisation.
The criteria for evaluating the risks are the two scales below.

SCALE FOR THE LIKELIHOOD:

  Score  Description
  5      Certain: will probably occur, often several times per year
  4      Likely: likely to arise once per year
  3      Possible: occurs about once in five years
  2      Unlikely: occurs once in 10+ years
  1      Rare: barely ever occurs

SCALE FOR THE CONSEQUENCE:

  Score  Description
  5      Catastrophic
  4      Major
  3      Moderate
  2      Minor
  1      Negligible

Calculation of risk priority

Risk = Likelihood * Impact

                          IMPACT
  LIKELIHOOD   1          2          3          4          5
  1            Very Low   Very Low   Low        Low        Medium
  2            Very Low   Low        Medium     Medium     High
  3            Low        Medium     Medium     High       High
  4            Medium     Medium     High       High       Very High
  5            High       High       Very High  Very High  Very High
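The scoring formula and the matrix above, written as a small Python script that ranks a risk register with them. This is an added example, not part of the original post; the register entries are constructed for illustration and the asymmetry check in risk_rating is an observation about the matrix as printed.

```python
# Added example (not from the original post): the likelihood and consequence
# scales and the risk matrix above as code, applied to a constructed register.

LIKELIHOOD_SCALE = {5: "Certain", 4: "Likely", 3: "Possible", 2: "Unlikely", 1: "Rare"}
IMPACT_SCALE = {5: "Catastrophic", 4: "Major", 3: "Moderate", 2: "Minor", 1: "Negligible"}

# Rows are likelihood 1..5, columns are impact 1..5, copied from the matrix above.
RISK_MATRIX = {
    1: ["Very Low", "Very Low", "Low", "Low", "Medium"],
    2: ["Very Low", "Low", "Medium", "Medium", "High"],
    3: ["Low", "Medium", "Medium", "High", "High"],
    4: ["Medium", "Medium", "High", "High", "Very High"],
    5: ["High", "High", "Very High", "Very High", "Very High"],
}
RATING_ORDER = ["Very Low", "Low", "Medium", "High", "Very High"]


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood * Impact, with both inputs validated against the 1-5 scales."""
    if likelihood not in LIKELIHOOD_SCALE or impact not in IMPACT_SCALE:
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    return likelihood * impact


def risk_rating(likelihood: int, impact: int) -> str:
    """Qualitative rating from the matrix. Note the matrix is not symmetric:
    likelihood 5 / impact 1 is High, but likelihood 1 / impact 5 is only Medium,
    although both have the same numeric score of 5."""
    risk_score(likelihood, impact)  # reuse the input validation
    return RISK_MATRIX[likelihood][impact - 1]


def prioritize(register):
    """Rank (name, likelihood, impact) entries: highest matrix rating first,
    ties broken by the numeric score. Returns (name, L, I, score, rating) tuples."""
    ranked = [(name, l, i, risk_score(l, i), risk_rating(l, i)) for name, l, i in register]
    ranked.sort(key=lambda r: (RATING_ORDER.index(r[4]), r[3]), reverse=True)
    return ranked


# Constructed sample register (hypothetical entries, for illustration only).
SAMPLE_REGISTER = [
    ("Unpatched web server", 4, 4),
    ("Laptop theft", 3, 2),
    ("Data-centre flood", 1, 5),
    ("Phishing of finance staff", 5, 3),
]

if __name__ == "__main__":
    for name, l, i, score, rating in prioritize(SAMPLE_REGISTER):
        print(f"{rating:9} score={score:2}  L={LIKELIHOOD_SCALE[l]:8} I={IMPACT_SCALE[i]:12} {name}")
```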

STEP 4 – TREATING THE RISK OCCURRED:

Risk treatment identifies the range of options for treating the risk, prepares the risk treatment plans and applies them. The treatment chosen needs to be proportionate to the significance of the risk.
According to the standard, the available options are:
  • Accepting the risk
  • Avoiding the risk
  • Reducing the risk
  • Transferring the risk
  • Retaining the risk
  • Financing the risk

STEP 5 – REVIEW ASSESSMENT

Reviewing is an ongoing part of risk management and an integral step of the process. It is also an essential part of every business function, each of which needs to be monitored and treated. Monitoring and reviewing the risk makes sure that the information generated by the risk management process is logged, used and maintained.

CONCLUSION :

The risk assessment and management procedure above should be implemented by organisations to secure their work activities. Some other methods also cover activities where the work procedure includes employees undertaking work experience within the organisation. The risk management process needs to be embedded in the operations and governance of every organisation. However, there is no ‘one size fits all’ way of embedding risk management; the process should be tailored to the size, complexity, industry competition and environmental uncertainty faced by the organisation.
Briskinfosec offers a comprehensive approach to managing risk and compliance in the organisation more effectively. Our customised solution covers the policies, procedures, technologies and competencies across several streams of work in the risk management categories of governance, process and technology.

AUTHOR :

Dharmesh B
Security Engineer
Briskinfosec Technology and Consulting Pvt Ltd.,
https://www.linkedin.com/in/dharmeshbaskaran/
