IT Focus Area: security
January 28, 2016
11 Ways to Fortify Your Security Strategy
Editor's Note: Sirius and Forsythe are now one company. Sirius acquired Forsythe in October 2017 and we are pleased to share their exceptional thought leadership with you.
How much time did you spend last year analyzing and improving your information technology (IT) security strategy? Odds are it wasn’t enough.
According to the ISACA 2015 Global Cybersecurity Status Report, nearly half of respondents expected to experience a cyber attack in 2015, yet only 38 percent were actually confident in their organization’s ability to handle an attack properly.
Security breaches are inevitable. The number of global incidents is growing faster than the number of global smartphone users and the global GDP combined!
Traditional security approaches are no longer enough. Organizations are struggling to keep security programs up-to-date and able to support current cyber-security concerns. In fact, a recent report from the Ponemon Institute found that 75 percent of U.S. organizations are not prepared to respond to cyber security attacks.
11 Ways to Fortify Your Security Strategy
So what can you do to advance your security?
Here are 11 ways to fortify your security strategy.
1. Make security a boardroom discussion
Making security a board-level priority is critical in the effort to safeguard data, contain breaches and minimize damage. In an atmosphere of escalating cyber attacks, boards need an accurate picture of the risks their organizations are facing, and security professionals have to find a way to give it to them in a language they understand. But communicating this is more than giving out information—it’s getting through to your audience. You need to convert the technology goals into business language and present it in a meaningful way. With effective communication in the boardroom, you can get past commonly held misconceptions and link IT security to the business value it provides, so that executives have the insight they need to make the right decisions about your company’s security. Read more: How to Start an IT Security Conversation in the Boardroom
2. Don’t get stuck in a rut; innovate your mindset
Too many IT organizations are clinging to old mindsets, like using compliance as a guide to security. This leads IT teams to focus on “checking off boxes” rather than thinking about security strategy—but just as passing a health inspection doesn’t mean a restaurant will serve good food, compliance does not equal security. It’s a minimum requirement and it is not enough to protect against the tactics being used by hackers today. Address the scope and components of a comprehensive approach to security with both traditional and advanced methods, and establish repeatable, measurable programs that focus on what is mission-critical to the business. Read more: Innovating Your Security Mindset
3. Allocate resources intelligently
Too many enterprises build a house of cards by insisting that IT teams manage IT-related risks alone. As competitive pressures consistently push organizations to “do more with less,” the disproportionate investment in people and processes that are expected to support change and transformation often increases the IT-related risks present in the organization. Changes to the organizational structure itself are likely needed to ensure you have available resources who can identify, articulate and manage IT-related risks throughout the organization. Read more: Program Governance: Are You Organized for Success?
4. Focus efforts on both sides of the perimeter
A successful security strategy doesn’t lose sight of perimeter defenses and core infrastructure security controls. Advance your approach by pairing tried-and-true solutions with the latest-and-greatest technology on both sides of the perimeter. By layering these protections both inside the perimeter—with controls that focus on keeping content safe—and outside, we can gain greater visibility into enterprise environments, and effectively defend data. Read more: Security on Both Sides of the Perimeter
5. Identify and classify data
You can’t protect what you don’t know. Companies that don’t have an effective data classification and/or prioritization program in place struggle with data protection because they don’t know what to focus on.
Separate valuable information that may be targeted from less valuable information. Take into account:
Where the information is stored. Make sure you include all locations such as mobile devices, backup systems and cloud services.
Who has access to it. Understand which employee roles and individuals must have access, as well as those that may have unwarranted access.
Your organization’s process for provisioning and deprovisioning access.
Your partners’ valuable information and what your process is for evaluating your partners’ security.
The ultimate value to an attacker of combined information from your organization and that of a partner. For example, an insurer of critical infrastructure may provide valuable information to an attacker seeking to infiltrate the infrastructure that is being insured.
By using data protection combined with identity and access management tools, you can protect data throughout its lifecycle, and secure each door into the fragmented IT environment. Read more: Your Data Has Left the Building: Are You Protecting It?
6. Realize the value of identity and access management (IAM)
In the absence of the traditional security perimeter, identity is the common denominator. IAM technology can generate the intelligence about identity and access activities you need to increase your understanding of broader security events and advance your overall security posture. With a robust security program that incorporates IAM solutions and services—without significantly increasing cost or risk—you can fill the gaps left by the traditional security perimeter and more effectively protect your enterprise data. Read more: Identity and Access Management: Defining the New Security Perimeter
7. Don’t let data loss prevention (DLP) be an afterthought
DLP identifies, monitors and protects data in use, data in motion on your network, and data at rest in your data storage area or on desktops, laptops, mobile phones or tablets. Through deep content inspection and a contextual security analysis of transactions, DLP systems act as enforcers of data security policies. They provide a centralized management framework designed to detect and prevent the unauthorized use and transmission of your confidential information. With a strong DLP strategy, your organization can turn sensitive data into an operational asset and can keep from making the wrong kind of headlines. Read more: 10 Reasons Why Your Organization Needs Data Loss Prevention
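As an added illustration (not code from the original article or from Sirius/Forsythe), the following Python sketches the content-inspection and policy-enforcement pattern the paragraph describes: a scanner that inspects text for indicators of confidential data, validates card-number candidates with the Luhn checksum to cut false positives, masks what it found so the alert itself does not leak the data, and then applies a policy that decides whether data in motion is allowed, alerted on, quarantined or blocked. The detection patterns, classification markers, policy table and sample messages are all constructed assumptions, not the rules of any particular DLP product.

```python
"""Minimal content-inspection DLP check (added illustration, not vendor code).

Scans text for sensitive-data indicators and applies a constructed policy.
"""
import re
from dataclasses import dataclass
from typing import List

# Candidate primary account numbers: 13-19 digits, optionally separated
# by single spaces or dashes (assumed pattern).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security Number layout; this is a format-only check (assumed rule).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Classification markers an organisation might stamp on documents (assumed labels).
MARKER_RE = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY|RESTRICTED)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str      # "pan", "ssn" or "marker"
    evidence: str  # masked, so the alert record does not itself leak the data


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out random digit runs (order numbers, ticket IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits of a matched value."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    """Deep content inspection: return every indicator found in the text."""
    findings: List[Finding] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding("pan", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", mask(m.group())))
    for m in MARKER_RE.finditer(text):
        findings.append(Finding("marker", m.group().upper()))
    return findings


def decide_action(findings: List[Finding], external_recipient: bool) -> str:
    """Constructed policy: the same finding is treated differently depending on
    whether the data is leaving the organisation (data in motion to an outside
    party) or staying inside it."""
    kinds = {f.kind for f in findings}
    if not kinds:
        return "allow"
    if external_recipient and kinds & {"pan", "ssn"}:
        return "block"
    if external_recipient and "marker" in kinds:
        return "quarantine"
    return "alert"


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a well-known test card number.
    samples = [
        ("partner@example.net", True, "Card on file: 4111 1111 1111 1111"),
        ("finance@corp.example", False, "Card on file: 4111 1111 1111 1111"),
        ("partner@example.net", True, "Ticket ref 4111 1111 1111 1112"),
        ("partner@example.net", True, "Roadmap deck - INTERNAL ONLY"),
    ]
    for to, external, body in samples:
        found = scan_text(body)
        print(f"{to:22} {decide_action(found, external):10} "
              f"{[(f.kind, f.evidence) for f in found]}")
```

The design point worth noting is the split between detection and policy: `scan_text` only reports what it saw, while `decide_action` encodes the organisation's rules, so the same inspection engine can drive different outcomes for data in motion and data at rest.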
8. Reduce mobile device risks
Employees aren't just bringing their mobile devices to the workplace—they're living on them, and cyber attackers are using every avenue available to break into them. Analysts predict that by 2018, 25 percent of corporate data will completely bypass perimeter security and flow directly from mobile devices to the cloud. Chief information security officers (CISOs) and other security executives are finding that the proliferation of mobile devices and cloud services are their biggest barriers to effective breach response. In order to secure the corporate data passing through or residing on mobile devices, it is imperative to develop a comprehensive mobile device strategy. Read more: Take Charge of Your Mobile Security
9. Don't neglect the insider threat
Outsiders such as hackers, organized crime groups, terrorists and nation-states may be the "bad guys" we don’t know and love to hate, but insider threats can be far more costly and damaging. Whether it’s through malicious intent or the inadvertent compromise of data through negligence, lost mobile devices or targeted phishing campaigns, insiders pose a tremendous threat to IT security. With the right approach, you can gather the actionable insider threat intelligence you need to get visibility into the highest-risk users in your environment and the tools to monitor, report on, and investigate them. Read more: Dealing with the Devil You Know: Cyber Security and the Insider Threat
10. Strike a balance between confidentiality, integrity and availability
A well-designed security program strikes a balance between confidentiality, integrity and availability by developing and refining the organization’s ability to manage risk. As with any strategic initiative, the ability to arrive at this level of maturity takes vision, careful planning, executive leadership support and coordination over an extended period of time. If your security program is teetering, start taking the steps toward equilibrium today so that you’re not caught off guard tomorrow. Read more: Balance Confidentiality, Integrity and Availability in a Security Program
11. Prepare to manage the inevitable breach
Most organizations are going to experience security incidents regularly; those that don’t seem to are only avoiding it by being blind to what’s going on. Your ability to maintain a competitive advantage, manage your reputation and retain customers depends on mitigating risk. If you don’t take incident response seriously, you’re setting yourself up for failure. A comprehensive incident response plan will help your organization respond aggressively to an attack, minimize damage and align defenses to mitigate future intrusions. Read more: Incident Response & Cyber Readiness: Are You Prepared for the Inevitable?
Bringing it All Together
Now is a great time to rethink your strategy, but don’t forget that security vigilance is a year-round job. Assess your vulnerabilities continuously so that you can adjust prevention, detection and response efforts, and allocate the right resources to execute your plan.