2012 - planning ahead.

2012 is well and truly here. Possibly the end of the world if you believe the Mayan Calendar conspiracy types, but perhaps more likely the end of some businesses (and their employees) if the lessons of 2011 haven't been learned.

Last year felt like a tipping point in the awareness of information security threats in the boardroom. With so many high-profile hacks that saturated the mainstream media, even the most cynical of executives probably caught themselves wondering whether their organization was doing enough to protect their data.

So what sort of questions should business executives be asking themselves? (in no particular order...)


Do you truly understand your critical data and assets?
What is it? Where is it? Who has access to it?
Determine what is critical for your business: is it your e-commerce server? Your customer data? Your R&D data? Once you've identified what it is, you need to understand how valuable it is - try this exercise: imagine you were selling your company tomorrow. How much would it be worth? Now imagine your most critical data asset was not included in the sale - by how much does that decrease the company's value?
Once you understand what you're trying to protect (and hopefully how valuable it is), you need to locate it - both physically and logically - before you can look at protecting it.

Who is responsible (and accountable!) for protecting that critical data?
If nobody is responsible or accountable, then odds are nobody is protecting your critical data and any data loss or breach will be 'somebody else's problem'. Hopefully by now you have an understanding of the value of your critical data and can see the need to protect it adequately. However, identifying and appointing someone is only half the job - do they have the skills and resources required to do it? Are the objectives of your security program clearly defined? Equally importantly, do they have the authority to make any required changes to data access, storage location or use? As the expression goes: "if you're responsible for security but don't have the authority to enforce security, then your true role is to take the blame when things go wrong."

How do you measure the effectiveness of that security?
Is your security in the right place? Are the right risks being addressed? Is that security reviewed regularly to ensure it is still adequate? How do you measure that? Have risk appetites for information security-related risks been set?
Many books have been written on measuring security effectiveness, and I doubt there is a single 'right way'. My advice is to measure the things you can control - not the things you cannot. For example, don't measure the number of intrusion attempts from the internet; measure your response metrics from detection to closure.
A clearly defined risk appetite is also critical - not just for information security, but for all of your operational and financial risks. At its core, information security is a practical application of risk management, so having a clear understanding of how much risk you're willing to tolerate, and under what circumstances, is critical.
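To make the "measure what you can control" advice concrete, here is an added example (not code from the original post) that computes detection-to-containment and detection-to-closure times over a handful of constructed incident records, compares them against assumed per-severity targets, and keeps still-open incidents in the numbers rather than quietly dropping them. The incident fields, the severities, the SLA targets and the report date are all assumptions made for this illustration.

```python
"""Response-time metrics from detection to closure.

Added illustration, not the post author's tooling. Incident records,
severities, SLA targets and REPORT_DATE are constructed assumptions.
"""
from datetime import datetime
from statistics import median

# Constructed sample incidents (not real data); timestamps are UTC.
INCIDENTS = [
    {"id": "INC-1", "severity": "high", "detected": "2011-11-02T09:15",
     "contained": "2011-11-02T11:40", "closed": "2011-11-04T17:00"},
    {"id": "INC-2", "severity": "low", "detected": "2011-11-10T14:00",
     "contained": "2011-11-10T14:30", "closed": "2011-11-11T09:00"},
    {"id": "INC-3", "severity": "high", "detected": "2011-12-01T08:00",
     "contained": "2011-12-03T08:00", "closed": "2011-12-09T12:00"},
    {"id": "INC-4", "severity": "medium", "detected": "2011-12-15T16:20",
     "contained": "2011-12-15T18:00", "closed": None},  # still open
]

# Assumed targets in hours per severity: (time to contain, time to close).
SLA_HOURS = {"high": (4, 72), "medium": (24, 168), "low": (72, 336)}

# Assumed date the report is run; open incidents are measured up to it.
REPORT_DATE = "2011-12-31T00:00"


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M") if ts else None


def hours_between(start, end):
    return (end - start).total_seconds() / 3600.0


def incident_metrics(incident, now):
    """Hours from detection to containment and to closure for one incident.

    An open incident (closed is None) is measured up to `now`, so a
    long-running incident still counts against the closure target
    instead of disappearing from the metric until it is closed.
    """
    detected = _parse(incident["detected"])
    contained = _parse(incident["contained"])
    closed = _parse(incident["closed"])
    still_open = closed is None
    to_contain = hours_between(detected, contained)
    to_close = hours_between(detected, _parse(now) if still_open else closed)
    contain_sla, close_sla = SLA_HOURS[incident["severity"]]
    return {
        "id": incident["id"],
        "severity": incident["severity"],
        "hours_to_contain": to_contain,
        "hours_to_close": to_close,
        "open": still_open,
        "contain_breached": to_contain > contain_sla,
        "close_breached": to_close > close_sla,
    }


def summarise(incidents, now):
    """Aggregate the per-incident figures into a few board-level numbers."""
    rows = [incident_metrics(i, now) for i in incidents]
    return {
        "median_hours_to_contain": median([r["hours_to_contain"] for r in rows]),
        "median_hours_to_close": median([r["hours_to_close"] for r in rows]),
        "worst_hours_to_close": max(r["hours_to_close"] for r in rows),
        "sla_breaches": sorted(r["id"] for r in rows
                               if r["contain_breached"] or r["close_breached"]),
        "still_open": sorted(r["id"] for r in rows if r["open"]),
    }


if __name__ == "__main__":
    for key, value in summarise(INCIDENTS, REPORT_DATE).items():
        print(f"{key}: {value}")
```

Run against the constructed records above, INC-3 breaches both its high-severity targets and INC-4 is reported as both still open and over its closure target, which is exactly the kind of controllable, trend-able number the post is arguing for instead of a count of internet-facing intrusion attempts.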

Can you detect breaches? Do you know what to do if one occurs?
How mature is your 'security intelligence'? Some organizations have been infiltrated for months before a data breach was detected. Do you have a CERT/CSIRT plan for responding to breaches?
Like Disaster Recovery/BCP or even a fire drill, knowing what to do when something bad happens can stop a bad situation from getting worse. Having a plan alone isn't enough, it must be regularly tested to ensure all participants understand their role and can perform under the pressure of a real security incident where time may be of the essence.

Does your security program meet compliance requirements?
With ever-increasing legal requirements, does your security program still match up? Have you reviewed your current processes against SOX, HIPAA, PCI-DSS, or any other applicable legislation recently? Are there proposed changes on the horizon that may affect the way you currently protect your data? How often do you review your security, not only against the changing threat landscape, but against changing regulations, technologies and best practice?


Is the company culture 'security aware'?
Information security staff can only do so much. Like a neighbourhood watch, diligent employees are the best defence against information security incidents. Do your employees know not to open random email attachments or how to spot a social engineer? Do they know who to contact if they suspect an incident has occurred? Do they undertake regular security awareness training?


Can your current security practices evolve with the business?
The IT industry is in the middle of one of its biggest shake-ups in recent history. With the increasing consumerization of IT driving the need for flexibility such as BYOD programs, cloud computing pushing in from all sides and the ever-growing need for company data to be highly mobile and accessible, securing your sensitive corporate and customer data has probably never been more challenging. As none of these external pressures are going to go away, is your current information security program or strategy flexible enough to cope with the changing environment?

There are undoubtedly other important questions you could ask yourself, but if you can answer these few with confidence then you are most likely ahead of some of your peers and on your way to being able to sleep soundly at night.

“By failing to prepare, you are preparing to fail.” - Benjamin Franklin

Killer Virus

While speaking with a friend over Christmas about the pros and cons of quarantining infected PCs from the internet (not a new idea by any means, as it was brought up by Microsoft several years ago) and the analogy with diseased humans, one point raised was that computer viruses haven't killed anyone (yet?).

But might a virus let a killer go free?
