Mature and Secure your Organization

Ask yourselves, “How did we get where we are today?”

Written by Debra Buchanan, Senior Information Security Consultant @ Watchcom

You see, back in the 1990s and early 2000s it was easy - protect your perimeter from unauthorized access. Think of it as the “M&M approach” – the way the candy’s hard coating protects the chocolate center. Physical Security (PhySec) and Information Security (InfoSec) only had to monitor the site’s and network’s entry points because Personnel Security (PerSec) checked the trustworthiness of employees. In other words, our attention was on external threats.

Then, the Insider threat raised its ugly head, with employees selling corporate secrets to other countries and companies. Consequently, we expanded the threat model to include misuse of authorized access, shifting from the “M&M approach” to the “Waffle approach” by adding barriers within what was the chocolate center.

This is also the point where PerSec became more a life-cycle process than a one-time process. Also, the vetting of individuals expanded from a National Security perspective to private organizations, to remediate the risk of corporate / economic espionage.

As part of their digital transformation and continued innovation and technological progress, organizations have since added cloud, edge, and fog-based solutions, Internet of Things (IoT), Robotics, Artificial Intelligence (AI), Machine Learning (ML), Autonomous vehicles (drones) for land, sea, and air, and converged Information Technology (IT) and Operation Technology (OT) architectures.

These major changes have resulted in a more complex threat model and attack surface from external and internal threat perspectives.

PhySec, PerSec, and InfoSec employees are looking everywhere, all at once and with limited budgets, to protect organizational processes and the use of information to support business outcomes.  Additionally, the information given to top management is often too technical and not relatable to their specific, business expertise. It is, then, no surprise that top management:

  • Fails to ask the right questions
  • Makes the wrong decisions
  • Delegates the decision to employees with only technical expertise
  • Accepts middle management’s assurance
  • Pays for the IT “silver bullet” that doesn’t exist

I am certain I am not the only one frustrated from:

  • Watching organizations bleed resources unnecessarily due to low organizational maturity
  • Policies and procedures becoming less of an organizational set of expectations and directions and more of a compliance activity
  • The lack of ownership by top management for business processes and information
  • Risk Management prioritizing technical risks to IT solutions, instead of disruption risks to business processes and unauthorized access to information sets
  • The absence of trained resources to manage PhySec and PerSec in organizations
  • The trivialization of InfoSec - from being responsible for all information regardless of format, to concentrating on IT hardware and software (IT security), and now to watching exit points from the enterprise to the Internet (cybersecurity)
  • The lack of business process-related information to support governance

Result? Organizations are now looking at only a fraction of their risk landscape and doing so badly. How should it be done? The question is easy to answer.

Back to basics

Start by identifying the main “families” of your business processes and their subprocesses. Think about improving their accomplishment using the Capability Maturity Model (CMM) and Capability Maturity Model Integration (CMMI), Six Sigma and Lean Six Sigma, and ISO 9004.

In other words, cut out excess work and add real governance (and not bureaucracy). You will find you’ll get work done faster, better, at a lower cost, and with higher employee satisfaction. This will also support any Agile methodologies you have implemented or want to implement.

To get back to basics, the organization needs to:

  • Understand the information you collect, process, store, and transmit and how it supports business processes. Create / update an inventory of the information sets and assign them an owner.
  • Assign values to information sets according to their criticality to business processes. Assign values / classifications to these information sets according to the impact type of unauthorized disclosure.
  • Prepare policies, procedures, and instructions for marking and handling (including disposal of) critical information identified in the previous steps.
  • Conduct risk assessments and assign owners to each risk, apply controls to remediate unacceptable Inherent Risk ratings, and assess the resulting Residual Risk rating.
  • Prepare a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP).
  • Protect physical and digital exit points to safeguard critical information, using Data Lost Prevention controls.
  • Next, apply the necessary monitoring controls for physical and digital information. When suspicious behavior is identified, trigger the Incident Management procedure to assess the suspicion and act accordingly.
  • Lastly, implement a “Zero Trust” methodology. This requires a cultural shift to risk management, where you assume the organization has been compromised. This will ensure you apply the right number and types of controls to reduce those risks to acceptable levels.

Where things can go wrong

Throughout this process, you will face employees’ aversion to change and possible change-on-change conflicts, including top management’s aversion. You will need to stick to the plan and make sure all efforts move forward. If you think this is a job for a Project Manager, it is not. This is a program, and you´ll need top management to either own this or give their full support.

 Processes are standard, but you will need key employees from each department to help with their departments’ standards. Getting the right employees involved can strain your day-to-day work, so you must prepare for that by training and delegating activities to other senior staff in the department while your key employees are doing the initial work. They should be motivated by the boost this will have to their career paths and overall satisfaction, while your key personnel get time to stretch their minds.

If you think only your IT department or cloud provider is involved in the information inventory exercise, you will miss identifying information. Sure, they will have a lot of information on digital systems, but little to no idea what is in those systems, what processes they support, or what is available in a physical format. It will take serious commitment of key resources from the previous step (e.g., Finance, Legal, HR, Marketing / Sales, Procurement, IT, Production / Manufacturing, Project Management, Security, etc.) to create an information inventory.

Then there is the issue with over / under valuing / classifying that information. Over-classifying information causes the unnecessary expenditure of resources to protect it and decreases your ability to share it. Under-classifying information leaves critical information without necessary protection. I’m not saying you need to get this step perfect. Just understand the pitfalls and be realistic; erring on the side of caution could be a mistake in the long-term scheme of things.

In risk management, you can make another over / under mistake. Either your key resources will be looking for every risk, or underestimate the likelihood or impact of them. If you suspect your resources need help with this step, then we suggest you outsource this vital function to qualified risk expertise. 

Traditionally, organizations attribute risk ownership to the IT department because “IT is responsible for everything digital”. They do own risks related to keeping the system availability and currency, and the implementation of technical controls.

However, they do not own the risk to business processes, or the information-sets needed to complete them. Our recommendation is that you concentrate efforts and resources on business and information risk owners first. If you outsourced your previous step, keep them until you complete this one.

The next step can cause issues if your only concern is the IT-part of your Business Continuity Plan (BCP) / Disaster Recovery Plan (DRP). These are organizational-level documents, not IT-department level. BCP / DRP documents need to be about what can go wrong in all processes and have contingencies in place before they happen. Again, you may need to seek external assistance from experienced BCP and DRP experts.

When choosing controls, equalize the importance of PhySec, PerSec, and InfoSec; not just on the IT- or Cybersecurity aspects. This will ensure that you choose all the necessary controls and give evidence to top management that the controls are reduced to acceptable levels. In addition to controls, you want to add governance processes that give top management assurance the controls are working to reduce risk to business processes, disruption, or information compromise.

The pitfall here is that data needs to be in a business context and not an IT one. In other words, telling them IT either...

  • Blocked 10,000 malicious requests,
  • Quarantined 8,000 emails and attachments containing malware, or...
  • Blocked 15,000 spam or phishing emails from being delivered

...is meaningless to top management.

You may need additional expertise to identify business-related Key Performance Indicators (KPI), Key Risk Indicators (KRI), and Key Control Indicators (KCI) to support governance processes.

There’s a hidden pitfall in the next step - having a disjointed set of policies and procedures for Incident Management. Fraud, Health and Safety, HR, Procurement, Security, IT, etc. have different views of what is an incident and how to respond to it.

You should have one organizational level policy and procedure about incidents and Incident Management.

Each department can write their own instructions based on this and include where they overlap with other Incident Management instructions. This ensures that an incident of fraud through digital means includes not only the people involved in investigating and responding.

A common mistake is lack of consistency. Immature organizations will do on-going assurance and continuous improvement for a while, and then give up to what they believe are more pressing requirements. If you find that this is the case, re-focus on maturing the organization’s overall behavior and review governance processes.

Implementing a Zero Trust methodology is more likely to fail if you have legacy and custom-made systems. These systems have no vendor-support, extended support and upgrades are expensive, and they include customizations where the logic is hard to discover and recreate in Commercial Off-The-Shelf (COTS) solutions.

This means you must make some hard choices about finding another solution to do the job or do away with the system because the information it produces is not needed. However, the results are worth the effort.

Getting it right

It is not easy to get the whole organization involved in a program like this. It will cause you, and the rest of the organization, to question your sanity at times.

But, if you can persevere until the end, the achievements can be significant:

  • The organization is more mature because it is more consistent over time.
  • Consistency leads to predictability which means making decisions about the future is easier for management.
  • There is a higher level of confidence that the business is doing what it needs to do, the right way.
  • It costs less to complete processes, so the cost of being in business is lower.
  • The organization has more left over in budgets, employees have more time available, and initiatives that didn’t make the initial cut can be accomplished.
  • Processes and information are protected according to their value to the business.
  • Compliance is easier to prove and less expensive because it is part of regular, business activities.
  • People are more satisfied because they understand what is expected of them, it is easier to comply, and there is less firefighting.
  • If things go wrong, you have plans in place to respond.
  • Adjustments are made incrementally and less likely to cause change conflicts.
  • You can get certified and prove to your supply chain and clients that you are mature and secure.

Conclusion

Taking an organizational perspective allows top management to focus on the things they were hired to do…manage their respective section of the organization together and provide the CEO with guidance and assurance. If it was easy, this wouldn’t be a global issue.

You can start by following the steps in the Back-to-basics section of this article. If you need help, we have experts to assist in planning and accomplishing these activities.

Yes, this is a journey of a thousand miles, but to reach your destination you need decide to make the journey and take the first step.