
Why Do Companies Suck at Information Security?

Kyler Vande Berg /

Information Security (sans.org): The processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.

Cloud Computing, Agile Software Development, Data/Analytics, Information Security. Major developments have occurred in these areas over the past 3-5 years. Most of the advances have been due to new technology, ideas, ways to store data, open source tools, and more efficient processes. Although Information Security has been advanced by new technology, ideas, tools, and processes, one could argue that the major development within Information Security has been the adoption of the topic itself and the forced commitment to it over the last few years.

The growth in InfoSec has been more reactive; it has been more of an, “Oh snap! This is a thing we need to actually worry about.”

Why is this? Why have CIOs, CTOs, and IT Professionals not put the focus on InfoSec that they should have? We wanted to know the answers, so we asked Shelby Kobes, President of Kobes Security, Inc., a few questions:

Why is security becoming more and more important for companies that previously saw it as an afterthought?

As companies develop, so does the capacity and ability to handle information that individuals see as private information. Most companies have attributes and goals like integrity, customer service, and quality. People are starting to realize this overlaps both service and technology. Having a sound InfoSec Program and a system that allows for security integrated into all aspects of everyday work will help develop the attributes of a successful organization while ensuring security and safety.

For a company that knows it is lacking proper policy, procedure, or security infrastructure, what’s a good first step?

Find an expert in the field. Procedures are not just a template, although www.sans.org can offer some great guidance there. It is important to understand the domains in your organization and their need for security policies. Example: Having a great password policy is essential, but there are situations where having too difficult a password can stop business or impede progress. The key is knowing what is important in each domain of your organization. From there you can set policies that have the correct level of justification.

What are some of the hardest things to protect and truly secure in the world of technology?

The most difficult area in all organizations is people. To this day, most data loss is due to social engineering loss and not direct hacking. Removable storage devices, personal phones, BYOD initiatives, and now IoT have created an environment in which it is extremely easy for sensitive data to leave an organization. Businesses must commit to having constant training for their teams. They need to offer updates on what social engineering is, what a phishing attempt looks like, and how to develop secure passwords that are difficult to obtain.

Knowing these companies can’t boil the ocean and attack everything at once, if they are taking the first few steps in their journey what should they look to (or focus on) first?

Start with SEC440: Critical Security Controls: Planning, Implementing and Auditing. The first step is to have someone who is the owner of information security; they need to understand the mission of the business and what is critical to success. Once this is in place, having a robust inventory of all assets is a must. You must know what you have, what information is on it, and where it is located.

Start researching NIST 800-53 or ISO 27000. There are a lot of great controls and documents produced by NIST, OIG, HITRUST, and others that can help organizations set up frameworks and create baseline controls for your organization. Watch your outgoing traffic; this is key to understanding what systems could become infected or have been infected by malware or other nasties.

Can a company ever truly be safe from all the outside threats, malware, and dangers that are out there?

No. The day may come, but right now there is no such thing as 100% safe. Organizations and people can work to create an environment that will make it difficult for threats to enter, hack, or penetrate.

There is a lot you can do to mitigate risk, and bring it to an acceptable level. Some practices will have inherent cyber risk, meaning the risk will be permanent and can only be mitigated to a certain extent.

As mentioned earlier, the single greatest risk you will deal with is social engineering. Constant education, training, making security a priority in the organization, and having clear links to business and mission objectives will help focus employees and aid them in understanding why they need to comply with security policies.

A lot of companies are looking for help as they make the transition to being more proactive with their approach to Information Security. There are many reasons companies are being forced down this path: they are responsible for more data now than ever, they are more aware of the risks, they’ve seen other companies be breached (Largest Data Breaches in 2016), and now they’ve been deemed responsible and their asses are on the line. With that said, a lot of companies aren’t sure where to start. Companies, CTOs, CIOs, and IT Professionals are constantly asking these three questions:

1. How do we start?

• Start by working to understand your environment. Make people responsible (owners) for Information Security. These people need to know the environment inside and out, the business, what’s critical to success, and what might be vulnerable within that.
• Create baseline controls for your organization.
• Know what is going on within your network. Watch the traffic. Understand what risks you are taking on, what systems may be exposed, and which could potentially become infected.
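The "watch the traffic" step above is the one that turns into something concrete on a network. As an added example (not code from the original post or from Kobes Security), the script below learns a per-host baseline of outbound destinations from a known-good window of flow records and then flags later flows that either reach an external destination the host has never used or push far more data out than that host normally does. The internal prefixes, the flow records, and the ten-times volume threshold are all constructed assumptions for the demonstration.

```python
"""
Egress baselining example (added illustration, not the post's own code).

Idea: collect which external destinations each internal host normally talks to,
then review new flow records against that baseline. A never-before-seen external
destination, or an outbound byte count far above the host's usual maximum, is
what "watch your outgoing traffic" is meant to surface for a human to review.
"""
import ipaddress
from collections import defaultdict

# Assumed internal address space for the organisation (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample flow records: (src_ip, dst_ip, dst_port, bytes_out).
# External addresses use the RFC 5737 documentation ranges on purpose.
BASELINE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, 12_000),
    ("10.0.0.5", "203.0.113.10", 443, 9_500),
    ("10.0.0.5", "10.0.0.2", 53, 300),
    ("10.0.0.7", "203.0.113.10", 443, 15_000),
    ("10.0.0.7", "10.0.0.2", 53, 250),
]

NEW_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, 11_000),    # within baseline
    ("10.0.0.5", "198.51.100.23", 4444, 2_000),   # destination never seen for this host
    ("10.0.0.7", "203.0.113.10", 443, 900_000),   # known destination, unusual volume
    ("10.0.0.7", "10.0.0.2", 53, 200),            # internal traffic, ignored
]


def is_external(ip):
    """True when the address is outside every internal prefix."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """Per source host: the set of (dst, port) external destinations seen, and
    the largest single outbound byte count to any external destination."""
    dests = defaultdict(set)
    max_bytes = defaultdict(int)
    for src, dst, port, nbytes in flows:
        if not is_external(dst):
            continue
        dests[src].add((dst, port))
        max_bytes[src] = max(max_bytes[src], nbytes)
    return dests, max_bytes


def flag_egress(flows, baseline, volume_factor=10):
    """Return (src, dst, port, reason) for flows worth a second look."""
    dests, max_bytes = baseline
    findings = []
    for src, dst, port, nbytes in flows:
        if not is_external(dst):
            continue
        if (dst, port) not in dests[src]:
            findings.append((src, dst, port, "new external destination"))
        elif nbytes > volume_factor * max_bytes[src]:
            findings.append((src, dst, port, "outbound volume above baseline"))
    return findings


if __name__ == "__main__":
    for finding in flag_egress(NEW_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(finding)
```

On the constructed data the script reports two findings: host 10.0.0.5 opening a connection to a destination it has never used, and host 10.0.0.7 sending roughly sixty times its usual volume to a destination it does use. Neither is proof of infection; both are exactly the kind of change an asset owner should be able to explain, which is why an asset inventory and a traffic baseline belong together.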

2. What resources are available?

• Work with experts in the field, whether that is someone internal to your team, or someone from the outside.
• There are already procedure templates on the web, some better than others. www.sans.org can give some great guidance here.
• Although templates may help, they aren’t plug and play; you need to be researching other control documents produced by organizations like NIST, OIG, and HITRUST.
• Classes like SEC440, which helps you plan, implement, and audit security controls.
• Existing frameworks like the ISO 27000 series and NIST 800-53.

3. Where should we focus?

• Building a solid security program that mirrors the values of the organization.
• Integrating your security policies and procedures enterprise wide.
• Mitigating risk. You can never truly be in the clear, but you can mitigate risk and get it to a level that the organization can deem an acceptable level.
• Constant training and educating of your team and people in the organization.
• As Shelby mentioned, “Most data loss is due to physical loss [via people in the organization] and not direct hacking.”

Technology is changing rapidly and evolving daily, and the same goes for the external threats that we are all facing in the cyber world. There will always be a continuation of new and differing threats, vulnerabilities, malware, and malicious content that we are exposed to.
Although there is a lot you can do as you begin to implement security policies and best practices within your organization, or as you continue down this path, the best approach may be the ability to constantly adapt to an ever-changing landscape.
