Just a decade ago, as security professionals, we could talk reasonably about physical security and logical security requiring different approaches. Five years ago, we might have found ourselves having conversations about the blurring lines between the two types of security discipline, and could have easily pointed to aspects of both physical and logical security that crossed over each other.
Today? In organizations that have embraced even the least cutting-edge aspects of operational and information technological advances (consumer IoT, industrial IoT, cloud hosted services, etc.), we can no longer rationally discuss a strictly “physical” or “logical” approach to managing security risks to the enterprise.
Quite simply, in a world where:
- Every camera and door lock in a facility has an individual IP address
- All security investigations must happen in the real and virtual worlds at the same time
- Even the most visibly "physical" of protective measures – security officers – are networked via trackers and devices to provide instant information and communication
… there are few, if any, areas left that do not require attention to a holistic and comprehensive view of all security disciplines at once.
What does this mean for the personnel and management teams that are tasked with providing security in this borderless environment? How do we, as practitioners who may have long histories in a single discipline, protect the organization in a security environment where the risks and mitigation tactics have converged, regardless of whether our organizational structures have evolved to match them?
The answer: Enterprise Security Risk Management (ESRM).
ESRM is a risk management model that allows all functional areas tasked with mitigating security risk to operate under a converged philosophy and approach to more efficiently and effectively mitigate security risk across the enterprise, regardless of the physical or logical nature of the asset, or the vector of the potential threat.
Recognizing the Role
ESRM allows security personnel to work together to effectively protect the enterprise from a broad spectrum of security risks by first recognizing that it is the role of the security organization, at root, to manage security risk in conjunction with the business, and to protect assets from harm in line with business tolerance.
The tasks we perform to mitigate risks might be different, but the process of identifying the assets to be protected, recognizing and prioritizing the risks to those assets, and then mitigating those risks to within acceptable levels of business tolerance, is the same. Take a look at the table below, excerpted from the forthcoming book, Enterprise Security Risk Management: Concepts and Applications (Allen & Loyear, 2017). It shows a quick side-by-side of the kinds of tasks that security groups do, and how they are essentially mitigation responses to the same security risks.
Physical and Logical Security Risk Responses (table; column headings: Because of This | Physical Security Does This | Logical Security Does This). Only the following cell entries survive from the original table:
- Gates and Fences
- Business Continuity Teams
- Cyber Response Teams
- Security Gap Remediation
- Security Risk Management
- Business Impact Analysis and Risk Assessments
- Business Impact Analysis and Risk Assessments
The overarching risks cannot be effectively mitigated by only a single tactical function. Working together, under a common risk management framework, all security personnel can more effectively protect the enterprise environment against security risk.
The Benefits of ESRM and Cross-Functional Risk Management Collaboration
Managing all security risks in partnership and under a common ESRM approach can bring the enterprise significant gains in efficiency and effectiveness, even with multiple groups participating in the security partnership. A few to note include:
- Unified security awareness messaging
- A partnership approach under an ESRM philosophy allows for the creation of a single, unified security message that includes all facets of security awareness.
- Single security point-of-contact
- When all security teams operate under the risk-management approach with the same defined processes, any security incident can be reported to a single point in the company and escalated and directed as needed to the appropriate response team.
- Operational efficiency
- Employees with different skill sets can more easily collaborate on incident response processes.
- Information sharing enables cross-department cooperation during security investigations that require both physical and logical forensics.
- Streamlined processes save hours and money, allowing diverse security risks to be managed by a single process.
- Consolidated metrics reporting to business management save time and effort.
- Optimized risk profile
- All security risks are identified and managed in an overarching program, making the risk identification and mitigation process more robust and decreasing the potential of overlooked risk.
How Do We Get There?
So, how do we get to the point of converging under a common philosophy, regardless of reporting lines and department structures?
All leaders in the organization with any security responsibilities can align with a risk-management approach by asking themselves:
- Does my team have clear risk management goals aligned with business risk tolerance?
- Does my team work with other department stakeholders in the risk decision-making process?
- Do the members of my team work together with other security teams in situations that cross boundaries of scope?
- Am I communicating to all areas of the business that my role, and the role of all other security teams, is to manage security risks holistically?
When all the security functions in the enterprise choose to embrace a risk management – ESRM – approach, the outcome is that:
- All security teams follow a formal and consistent process for security risk decision-making.
- All security teams follow the same incident response approach, including postmortem investigations and root cause analysis to continually improve the security risk situation of the enterprise.
- All security teams work in partnership with one another, ensuring open communications and collaboration across department lines.
- All security teams have the transparency, independence, authority and scope needed to do their work in the right way.
- All security risks, no matter which team mitigates the risks, are considered part of the holistic security risk management program.
- All security teams, no matter who they report to, understand that security risk management is everyone’s role.
The blockchain’s distributed ledger paradigm is serving as the supporting foundation to some forms of digital transformation, including the utilization of cryptographic virtual currencies (VCs) such as Bitcoin. These virtual currencies are actively utilized around the globe, both within and outside the circuits of formal economies of countries, with important financial implications including increased economic disintermediation, financial inclusion and extended digital pseudo-ecosystems that combine people, business entities, and a new generation of smart connected components.
Not only is the whole fintech industry becoming substantially disrupted by the paradigm due to the ability to move money in a decentralized and secure peer-to-peer model, but virtually all other industries are prone to substitute often bureaucratic procedures for more automated and smarter business practices.
During recent years, global organizations including the United Nations system, Multilateral Development Banks (MDB), International Financial Institutions (IFI), and the World Economic Forum have been actively engaged, in their respective roles, in trying to gauge the impact of this paradigm on the societies and economies of the world.
The World Economic Forum, through its intellectual debate about the Fourth Industrial/Digital Revolution, as well as one of its Global Future Councils focused on the “Future of Blockchain,” has been vocal and active on the topic, stating that “blockchain is more than just moving money. It has the potential to transform our lives, and to make the world a more efficient, frictionless place. The number of people around the world living in either broken systems or entirely corrupt systems is staggering. If done right, blockchain could positively reform entire systems.”
In January 2016, the International Monetary Fund released a first-of-its kind professional paper called “Virtual Currencies and Beyond: Initial Considerations.” This so-called staff discussion note gave a serious consideration to how new technologies are driving transformational changes in the global economy, including the emerging utilization of virtual currencies created as private sector systems that, in many cases, facilitate peer-to-peer exchange, bypassing traditional central clearinghouses. The paper also notes that “VCs offer many potential benefits, including greater speed and efficiency in making payments and transfers—particularly across borders––and ultimately promoting financial inclusion. At the same time, VCs pose considerable risks as potential vehicles for money laundering, terrorist financing, tax evasion and fraud.”
In a separate article, the IMF explores the topic of how “The Internet of Trust” is transforming the financial sector. Per its proponents, Bitcoin’s blockchain technology can be used to transform the financial sector fundamentally, for example by reducing the settlement time for securities transactions. With faster settlement, less money needs to be set aside to cover credit and settlement risks—just as collateral is not needed for a cash transaction.
The Inter-American Development Bank (IADB), the main regional development institution for Latin American and Caribbean countries, in March 2017 released the discussion paper “Digital Finance: New Times, New Challenges, New Opportunities,” explaining the financial implications of distributed ledger technologies applied in the region and around the World. The paper explains that “there is growing consensus in the financial services industry that distributed ledger technology (DLT), also known as blockchain, might just be the answer to the need of more efficient management of collateral [risks], resulting in more firms accessing credit, as well as … freeing up intermediaries’ capital for lending, and potential effects on SMEs’ direct and indirect access to multiple ways of credit.”
Now, coming back to the question of what implications and motivations this new paradigm may have in our professional life, I believe that a new generation of the IT governance, oversight and assurance professionals are called to play an elevated role in future ecosystems, economies and societies.
As with other emerging topics such as the advanced application of artificial intelligence (AI), big data, cloud computing, and the Internet of Things (IoT), this can occur only if assurance professionals provide the unprecedented new level of verification and trust that stakeholders require to sustain a paradigm intended to be intrinsically resilient and secure: one that keeps distributed copies of the thematic ledger worldwide, uses cryptographic proofs of data integrity and provides tamper-proof ledger entries.
Extraordinary challenges and opportunities are ahead for the millennials’ generation of assurance professionals, when called to provide both holistic and transactional assurance on increasingly complex digital ecosystems that involve people, processes, systems, as well as connected physical entities.
But the level of disruption to the assurance profession may not stop there. As another World Economic Forum report, "Here's Why Robots could be the Future of Finance," pointed out, the traditional tasks of human audit work are also highly subject to substitution by artificial intelligence interventions. Meanwhile, some audit tasks may be better assisted by this advanced application of technology. We, the auditors, will face the challenge of providing assurance to our stakeholders that these algorithms are effectively well designed, implemented, deployed and operating as expected.
In our profession, traditional auditing will remain necessary in many parts of the globe and in many traditional business environments for a while. However, and no less importantly, a new generation of millennial auditors will need to raise the bar by providing increasingly complex assurance services in more agile business environments and in support of upcoming digital transformations. A different professional audit mindset and additional expertise will be required to satisfy the expectations of stakeholders and business owners in this new world.
Having had the privilege to have visited a number of cities throughout the world, I have learned that Chengdu is not Mexico City, Brussels is not Houston, Abuja is not Melbourne, and Johannesburg is not Dubai. That’s because the heart of every city beats differently. Each has its own character, its own vibe, and its own goals for assuring the best standard of living possible for its citizens and for the visiting public.
Likewise, every city is evolving at its own particular pace, though all are aligned to a common principle of modernizing their infrastructure services – public transportation, utilities, health care – by leveraging technology and law enforcement in “smart” ways to improve quality of life while assuring operational efficiency, stability and security. As noted by Eduardo Paes, the former mayor of Rio de Janeiro, “Smart cities are those who manage their resources efficiently. Traffic, public services and disaster response should be operated intelligently in order to minimize costs, reduce carbon emissions and increase performance.”
The term “smart cities” has been used recently as a label for those seemingly few cities of the world that are consciously embedding technology into all aspects of city planning. However, with current forecasts estimating close to 50 “megacities” housing over 10 million people and about two-thirds of the world’s population living in urban environments by 2050, the mindset must shift to think of the ‘smartness’ of any urban center as a non-negotiable element.
Many urban centers are claiming to be ahead of the “smart” curve though, in actuality, they are finding themselves handcuffed by custom systems that are not interconnected, interoperable, portable, extensible nor efficient in their operations, maintenance, and overall cost-effectiveness. Overcoming this challenge is burdensome, especially when paired with pressure to make progress that can unintentionally lead to chaos as concurrent initiatives are deployed, leading to uncoordinated solutions that can be misaligned to the intended outcomes. No wonder city planners are not sleeping at night.
The diagnosis is seemingly familiar, and not unlike the challenges many enterprises are facing with what are currently referred to as digital transformation projects. What's different for the urban center, however, is the scale of the complexity. The complexity is not just a question of technology deployment, but also taking into consideration economic, political and social issues that shape a city’s being. It’s an extreme case of a “system of systems of systems and more systems” problem, for which the only “smart” solution is a universal consensus-based governance framework.
Technology companies like Cisco and AT&T have developed their own frameworks, driven by their product strategies, especially for IoT. Standards-developing organizations such as ISO, IEC, ITU, IEEE and a number of others are facilitating the development of new standards related to specific pieces of the overall urban development challenges. Recognizing the fragmented (yet well-intended) and disparate approaches, NIST has launched a working group intended to converge these groups and their respective knowledge assets under the umbrella of a Smart City Framework.
The key to the success of any framework is its acceptance by universal consensus. This means the framework is created, maintained and endorsed by the professional community for the benefit of the community itself. The framework provides guidance on how to carry out the work aligned to desired outcomes in conjunction with tools that enable stakeholders to self-assess, benchmark, and measure capability maturity and progress toward the goals. This is indicative of the 20-plus year success experienced by ISACA's globally recognized COBIT framework for the governance and management of enterprise technology, which itself has the potential to be foundational for smart urban initiatives.
For now, city planners find themselves challenged across a wide spectrum of issues, ranging from technology to compliance. As members of the technology community, we need to help them by leveraging our knowledge of technology governance frameworks and their development and deployment, our holistic systems thinking and problem-solving capabilities, and our innate ability to assess and mitigate risk to inspire the confidence necessary to enable innovations that can evolve the urban environment by leveraging the best technology has to offer.
Our work has never been more important. And because we recognize the pervasive nature of technology and understand how to leverage its positive potential, I am confident that we can contribute enough to the evolution of so-called “smart cities” that the term “smart” will eventually be dropped from the lexicon. That in itself would be a great accomplishment.
Editor’s note: This blog post by ISACA CEO Matt Loeb originally appeared in CSO.
Editor’s note: Vicki Gavin, CRISC, MBCI, is compliance director, and head of business continuity, cyber security and data privacy for The Economist. Gavin, based in London, recently visited with ISACA Now to discuss how her areas of expertise are being affected by the fast-changing technology and regulatory landscape. The following is an edited transcript.
ISACA Now: At InfoSec Europe last month, you were part of a panel that discussed building an agile team for the future. What were the major takeaways for you?
For me, the most significant takeaway was the need to do things differently. Current hiring processes are designed to exclude candidates. We need to get smarter about including candidates from a variety of backgrounds by systematically removing bias from role profiles, job descriptions and advertisements, screening and interviewing.
ISACA Now: How critical is it for organizations to have tech-savvy boards in terms of fostering strong governance?
I do not think the board needs to be tech-savvy. Tech awareness is sufficient. Security professionals need to become more business aware to communicate effectively with the board.
ISACA Now: What are some shortcuts that organizations tend to take in their governance that often come back to haunt them?
I think one of the biggest IT governance mistakes made by technology professionals is the assumption that risk is to be eliminated. Risk is to be managed; the key is to determine what level of risk your organization is willing to accept.
ISACA Now: What are the biggest keys to successful business continuity planning?
The value in planning is the process, not the plan. As Mike Tyson said, “Everybody has a plan until they get punched in the face.” The same is true for BCPs. The process, on the other hand, done properly, ensures a common risk appetite and approach to recovery when the time comes.
ISACA Now: Which emerging technologies present the greatest challenges from a compliance standpoint?
All of them. All change is disruptive. The challenge is to balance the risks and benefits of compliance.
ISACA Now: As we move closer to GDPR taking effect next year, are you sensing a greater sense of calm or of anxiety from your peers?
From my peers, anxiety. From my business, calm. We started on our GDPR journey about a year ago and will be ready by November 2017, giving us plenty of time to bed in new processes.
In today’s competitive environment, enterprises are under enormous pressure to focus valuable resources on initiatives that provide value. The inherent issue with most approaches is that the methods used to determine organizational priorities are often flawed by focusing on compliance as a primary navigation aid. A “compliance only” focused program can have a huge effect on performance. Of course, compliance is crucial for business survival, but it’s not always the only guidance system to use for value creation.
A solution to this narrow approach is to prioritize efforts using multiple perspectives to offer a balanced approach to determining priorities, allocating resources and, ultimately, providing value. As in travel, you need to have a good fix on your coordinates – location, altitude, heading and speed – before determining future moves. Where most companies go wrong is in choosing only one of these perspectives. Just like using a GPS to help you navigate, you should use more than one guidance system to help you focus efforts.
Having tools available that offer pinpoint accuracy to where you need to focus efforts in an organization is crucial – hence, the GPS analogy. GPS satellites help locate a position on the ground based on their time and position. The GPS receiver communicates with multiple satellites, and therefore determines a precise location on the ground. Decisions around funding, assurance, improvements and compliance are all areas in an enterprise that require resources, and should not be determined with only one signal. The more ‘GPS’ signals you have looking into your ecosystem, the more accurate you can be at focusing your efforts.
Using these multiple guidance systems will drastically improve your chances of success. These four GPS signals can include: 1) Goals cascading, 2) risk scenarios, 3) pain points, and 4) regulatory and compliance (see figure 1).
Figure 1—Using Multiple Perspectives to Prioritize Efforts
Guidance System 1: Cascading goals
I believe that one of the best-kept secrets in our industry today is the goals cascade. The model begins with stakeholder drivers that influence stakeholder needs. Stakeholder needs can be literally mapped to enterprise goals, IT-related goals and enabler goals. The enabler level is a more holistic view of the ingredients required to govern and manage enterprise IT. For example, if you know that a particular enterprise goal is the most important goal for the next year, then you can map that goal through the cascade and determine which processes are critical to its success. The model is already done for you in COBIT, where there is a set of tables that map each of these levels.
Guidance System 2: Risk scenarios
An IT risk scenario describes IT-related events that could lead to a business impact. COBIT 5 for Risk contains a set of generic IT risk scenarios and can serve as inputs to risk analysis activities and their effects on overall business objectives. This process results in the risk register and provides valuable information for informed decision-making. Use the results of this “GPS signal” to come up with the most critical risk scenarios that could hinder enterprise objectives, determine pain points or guide mitigation responses.
Guidance System 3: Pain points
Pain points are those areas that need little effort to identify. Use pain points as perspectives from which efforts toward the governance of enterprise IT initiatives are chartered. This can have a positive effect on the buy-in of your business case and create a sense of urgency and support. The COBIT 5 Implementation Guide identifies some common pain points associated with enterprise IT and maps these pain points to specific processes in COBIT.
Guidance System 4: Legal/regulatory/compliance requirements
No organization can be 100 percent compliant with everything. Synchronize this with your risk management process to determine the right response to each requirement. Some requirements are legally required and must be adhered to, but what level of adherence is the most appropriate?
Aligning your satellites
Each of these guidance systems should result in a very clear list of high-interest areas. Devise a prioritization scheme for each of these lists and normalize them into a single list. Now that the most important areas have been identified, compared and analyzed, more focused efforts can be identified. These results can assist in scoping assurance activities, allocating and prioritizing resources, and ensuring business/IT alignment.
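The normalization step described above, as an added example that is not from the original post: each of the four guidance systems produces its own scored list on its own scale, and the lists are rescaled, weighted and merged into a single ranked list. The scores, the weights and the choice of COBIT 5 process names as list entries are all assumptions made for illustration.

```python
"""Merge four 'guidance system' lists into one prioritized list.

Added example, not code from the original post. Each guidance system
(goals cascade, risk scenarios, pain points, compliance) yields its own
list of high-interest areas scored on its own scale. All scores below are
constructed sample inputs; the COBIT 5 process names are used only as
illustrative entries.
"""
from typing import Dict, List, Tuple

# Constructed sample signals. Each maps an area to a raw score on that
# signal's own scale (higher = more important). Scales deliberately differ.
GOALS_CASCADE = {        # number of enterprise goals the process supports
    "DSS05 Manage Security Services": 4,
    "APO12 Manage Risk": 3,
    "DSS04 Manage Continuity": 2,
    "BAI06 Manage Changes": 1,
}
RISK_SCENARIOS = {       # likelihood x impact from the risk register, 1-25
    "DSS05 Manage Security Services": 20,
    "DSS04 Manage Continuity": 16,
    "BAI06 Manage Changes": 12,
}
PAIN_POINTS = {          # number of stakeholders raising the area
    "BAI06 Manage Changes": 6,
    "DSS04 Manage Continuity": 2,
}
COMPLIANCE = {           # 1 = contractual, 2 = regulatory, 3 = legal mandate
    "MEA03 Monitor, Evaluate and Assess Compliance With External Requirements": 3,
    "DSS05 Manage Security Services": 2,
}

# Relative weight of each guidance system. Assumed here; an organization
# would set these according to its own risk appetite.
WEIGHTS = {"goals": 0.35, "risk": 0.3, "pain": 0.2, "compliance": 0.15}


def normalize(signal: Dict[str, float]) -> Dict[str, float]:
    """Rescale one signal's raw scores to 0..1 (min-max) so that signals
    with different native scales can be compared and summed."""
    if not signal:
        return {}
    lo, hi = min(signal.values()), max(signal.values())
    if hi == lo:
        # Every area scored the same: all equally important on this signal.
        return {area: 1.0 for area in signal}
    return {area: (score - lo) / (hi - lo) for area, score in signal.items()}


def align(signals: Dict[str, Dict[str, float]],
          weights: Dict[str, float]) -> List[Tuple[str, float]]:
    """Combine normalized signals into one ranked list.

    An area missing from a signal contributes 0 for that signal, so an
    area flagged by several guidance systems outranks one flagged by a
    single system even if the latter has a higher raw score there.
    """
    total_weight = sum(weights.values())
    combined: Dict[str, float] = {}
    for name, signal in signals.items():
        for area, score in normalize(signal).items():
            combined[area] = combined.get(area, 0.0) + weights[name] * score
    # Divide by the total weight so the result stays in 0..1 regardless of
    # how the weights were scaled; round for stable reporting.
    ranked = [(area, round(total / total_weight, 3))
              for area, total in combined.items()]
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


def prioritized_areas() -> List[Tuple[str, float]]:
    """Run the four guidance systems from the post through align()."""
    return align(
        {"goals": GOALS_CASCADE, "risk": RISK_SCENARIOS,
         "pain": PAIN_POINTS, "compliance": COMPLIANCE},
        WEIGHTS,
    )


if __name__ == "__main__":
    for area, score in prioritized_areas():
        print(f"{score:5.3f}  {area}")
```

In the sample data, DSS04 outranks APO12 even though APO12 scores higher on the goals cascade alone, because DSS04 is flagged by two guidance systems.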
The enterprise exists to create value for its stakeholders. Realizing benefits while optimizing risks and resources requires more than one perspective, or ‘guidance system,’ to fully understand what is required. This post has identified four potential perspectives that worked for one organization. Yours might have more, but should never have less.
Editor’s note: Mark Thomas will deliver a keynote session on using multiple guidance systems for the governance of enterprise IT at the GRC Conference 16-18 August in Dallas, Texas, USA.
Our traditional business model as we know it is at a crossroads considering the emergence of the Internet of Things (IoT), artificial intelligence and blockchain. We live in an era of disruption, and we need to redefine our business models.
We need to accept that almost every sector — from banking and utilities to entertainment and agriculture — can expect to experience major business model disruption as blockchain technologies take hold.
Because blockchain technology originated as the core mechanism of the bitcoin digital currency, there is a widespread belief that its potential is greatest in – or even limited to — the financial sector, but a different reality is unfolding.
Blockchain extends to the core of commercial activity, of wealth creation, and goes to the heart of innovation and what makes an economy work. It raises the prospect of changing the fundamental structure of the corporation, of how we orchestrate capability in society, innovate to create goods and services, and engage with the rest of the world. There are far-reaching business models already emerging that are creating ripples on our traditional models, far from the known Internet we use today.
Musicians will be able to reclaim much of the value they cede to record companies by offering their music directly to fans, movie-makers and broadcasters; individual investors will be able to deal directly with companies they hold shares in rather than go through stock markets; and the exclusive use of cars will start to dwindle as such assets are shared over peer-to-peer networks, just to name a few potential applications.
Further, in five to 10 years, the financial services industry will be unrecognizable.
Banks have a simple business model: they move value, they store value, they lend value, they exchange value, they account for value, they attest to value. Every one of those could be disrupted profoundly by this technology.
Blockchain has made the whole financial services industry sit up and pay attention. But it’s not just the threat – there’s a bigger opportunity if you look closely enough.
Japan’s Mizuho Bank together with technology company Fujitsu have conducted an operational trial focused on cross-border securities transaction settlements, which would ensure it is practically impossible for anyone to tamper with transaction histories, as well as shortening the processing time for cross-border securities transactions from the current three days to same-day settlement.
Such distributed disruption moves will have a liberating effect on consumers and small businesses. A customer tapping his or her card in a small retail store would find a blockchain-based settlement would be instant rather than taking several days to occur, as the process simply invokes a change in the blockchain distributed ledger.
One-third of the revenue of accounting companies is derived from audits. But with blockchains, you not only have double-entry accounting — credit and debit — but automatically make a third entry in the blockchain, a time-stamped record of every transaction that has occurred. So rather than an expensive annual audit, it could be instant and real-time. That would in turn free up the resources of forward-thinking accounting companies to invest in more high-end, value-added activities.
As we take stock of the global landscape, we can see every industry, in every major economy, is starting to see big disruptions occur.
The concept of hyper ledger, as we sometimes call blockchain, can provide answers to issues of transparency and so much more. Nevertheless, as with all technology, we need to be wary of how we design the solutions. We will have unequivocal risks, as with the introduction of virtually any technology, but the implementation of blockchain can revolutionize business activities for enterprises across many industries. Designing a blockchain solution with the right controls in place can easily transform many of the models we have come to accept.
Editor’s note: For more ISACA resources regarding blockchain – including a new research report, tech brief and e-learning course – visit www.isaca.org/blockchain.
During the risk analysis process, information is made available through internal reports, external reports, surveys and face-to-face meetings during risk workshops. The amount of information to be analyzed depends on the risk maturity of an organization, as some risk managers continuously collect information that they deem relevant to improving the risk process. The question is, to what extent is the information used objectively? How much reliance is placed on what we remember or what we deem to be important?
Behavioral psychologists believe the amount of information we remember has an impact on how we analyze and rate risks. Prior to analyzing risks, we identify events or threats that can exploit vulnerabilities identified in organizations’ processes and systems. It is during the “What can go wrong?” stage that we need to be careful. In his book “Thinking, Fast and Slow,” Daniel Kahneman notes three factors that can manipulate our minds:
A salient event. Get a team of executives and ask them what is an important asset to their organization. I bet you will get different responses. The level of importance placed on organizational assets differs, and this is most influenced by the agenda each executive is pushing. As part of environmental reviews, I have come across some organizations (especially small enterprises) that do not carry out fire drills or train employees on any natural disasters. When reviewing risk registers of such organizations, it is normally not surprising to note that there are no risks pertaining to employees in those organizations.
How were employees’ lives not regarded as critical? At the time of the assessment, memory on what is important shifted to assets management. Risk managers should be mindful that what is deemed important influences which assets are identified as vulnerable, subsequently shaping the risk profile of the organization.
A dramatic event. The majority of risk managers come to the table with a list of serious events for a period, audit reports and market intelligence information. Some events tend to come to mind more quickly than others, especially political events over which the organization does not have control. Deciding which event might translate to one asset being more vulnerable than another can be influenced heavily by recent media or internal incident reports if these reports are not scrutinized carefully.
Personal experiences. We can never divorce our personal experiences from the analysis process. It is indeed every risk manager’s dream that employees could set aside their personal experiences during risk workshops, but risk managers are also guilty of bringing along databases of risks they have been compiling for years from different organizations. This is particularly so for consulting risk managers, who tend to steer their client organizations toward the risks they identified in similar organizations. However, strategies, policies, processes, organizational structure and culture all change the risk landscape of every organization.
Kahneman further contends that effort is required to reconsider impressions and intuitions by asking questions. Simply because a risk has been identified in an audit report does not mean the risk manager needs to include it in his risk register. Simply because a charismatic executive says everything in his department is on fire does not mean every asset in that department is critical. Risk managers need to develop questions that they can ask to eliminate natural bias. Every report’s merits should be verified.
Without nullifying the importance of the systematic approach risk managers take to identify and analyze risks, it is equally important that risk managers take the cognitive human element into account to develop objective lists of risks and ratings.
It is no secret that in today’s world, information is more at risk than ever before. Unfortunately, we now must deal with the realization that it’s not if an attempted breach will occur on your network, but rather when. Despite an organization’s best efforts to secure networks and information, human error and system vulnerabilities will continue to exist. Considering that reality, organizations must be sure to prepare an actionable plan for when the worst-case scenarios play themselves out.
Incident response is the process of establishing a plan for responding to these worst-case scenarios. The ability of an organization to react to and contain incidents in a prompt and efficient manner is equally as important as the tools and procedures that are put in place to prevent such scenarios. This means not only having the tools in place to detect potential threats, but also having the personnel on hand to respond and react efficiently.
Who needs incident response?
In short: everyone. All businesses have intellectual property, personally identifiable information (PII), financials or some form of sensitive information that can be dangerous when in the wrong hands. Establishing an actionable plan will result in faster response times and minimize damages as a result of an incident.
The potential risks your organization faces as the result of poorly responding to an incident are vast and may vary based on industry. That said, below are some of the more common risks to consider when evaluating the value of your organization’s incident response plan:
Operational risks. An incident such as a system breach could result in critical systems and applications becoming inoperative. This may lead to a loss of core business functions (such as a production line being shut down) as well as potential security vulnerabilities.
Reputational risks. Responding poorly to an incident can have severely negative impacts on your organization’s public image, as well as in the eyes of your current and potential customers/clients.
Compliance risks. In some instances, an incident may result in an inability to meet regulatory requirements, introducing the potential for fines and/or penalties from governing bodies.
Financial risks. All the previously mentioned risks have the potential to result in negative financial impact to your organization. These, along with the potential for lost assets, the cost of repairs, legal fees and other unexpected costs, should be considered.
Determining the components of a successful incident response plan will vary from business to business, but at its core the plan should deliver the following:
- An executive commitment and endorsement of the incident response initiative
- An Incident Response Team (IRT) comprised of members with varying areas of expertise ranging from IT to legal and communications
- A defined communication plan
- A plan to support, maintain and test the incident response plan on a regular basis
- An organized, structured approach that clearly defines the roles and responsibilities for all parties involved
- A clearly stated definition of what an incident means to your organization and how incident response aligns with existing organizational security efforts, such as business continuity and disaster recovery plans
- A well-defined plan on how to monitor and analyze potential threats to the environment
- An operation plan that defines how incidents are declared and initial steps for information gathering
- A post-incident process for lessons learned and process improvement
A successful incident response program should align with standards set forth by the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) and the Information Technology Infrastructure Library (ITIL).
Adults don’t really like new ideas, and while cyber risk may have been born around the time of the first mainframes, it can still feel new today. CEB reported last month that 66 percent of business leaders don’t understand the cyber security information that goes to the board. This isn’t a failure of business leaders but of the messages they’re receiving.
While children consume and learn voraciously, adults are held back by a need for context, by skepticism and by social conditioning. Overcoming these cognitive biases to drive your company toward more risk-savvy behavior means you’re going to have to deliver a pretty clear and effective message. Keep in mind these three rules of thumb to improve how well your risk reporting is understood.
One message at a time. Yes, IT risk is complicated, and often there are many steps between a threat and the preventative actions needed to keep it from materializing. Keep those connections in your appendix for later questions. Instead, focus your reports on the actions that need to be taken. Don’t contrast vulnerability scans with failures in change management controls on the same page. The risk is different, the response is different, and you’re inviting confusion.
A single message has another benefit: if you are only trying to change one behavior, you’ll have a much easier time tracking the effectiveness of your message and adjusting in the future.
Risks become consequences. A focus on threat vectors, incidents and trends is good for figuring out where controls are weak or strong, but sometimes bad for grounding the danger in something meaningful for a non-cyber savvy professional.
Focus on the consequences of the risks being reported. Phishing simulations may show an increase of management clicking on suspicious links, but other than potentially receiving a scolding, why should people care? Link phishing to a particularly painful data loss event, or laptops held ransom, and include recovery time as well. There may be no effective recovery from ransomware, and reparations for exposed personal information could cost millions and take years. The Anthem data breach from February 2015 is still in the courts.
Consider your audience. One kind of message will rarely work for everyone. Not only will managers, VPs and executives all have different perspectives on the world and the work that IT security is doing, but they all have different backgrounds and interests.
Take a look at your audience. Will executive management be making decisions about change control check gates? Generally not, so your one message to them shouldn’t be to get them to improve the sign-off process in application development. Maybe the better message is that investments in release management software haven’t been effective in reducing production failures.
Tailoring risk reporting to the people receiving it is the best way to increase the odds that your message is received. It’s cumbersome, but this is the heart of risk management: to reveal connections between sometimes esoteric events and business opportunities so that leaders can make the right calls at the right time.
Editor’s note: Adam Leigh will present on “Consequences That Matter – IT Risk” at North America CACS 2017, which will take place 1-3 May in Las Vegas, Nevada, USA.
More than four in five global IT professionals (82 percent) see vulnerabilities in Internet of Things (IoT) devices as significant security concerns for organizations.
Those concerns, highlighted in ISACA’s annual IT Risk/Reward Barometer, are reflective of insufficient security measures by IoT device manufacturers.
One of the main culprits is IoT devices running old versions of Linux – sometimes as much as 10 years old. This happens for a variety of reasons, such as the version becoming outdated while the device is in development, or manufacturers building on top of existing devices and sticking with the old software to speed up development time. The result is devices hitting the market with easily anticipated vulnerabilities.
IoT manufacturers also need to make sure their devices have the capability to automatically and reliably run security updates. This should be considered a must-have feature by consumers and businesses when making their purchases. If the devices are able to be updated, without it being a time-intensive process for users, security threats can be addressed much more quickly and effectively.
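The two properties the preceding paragraph asks of an update mechanism, that updates are applied automatically and that they are applied reliably (only genuine, non-regressing images get installed), come down to a verification step on the device. The following Go program is an added illustration, not code from ISACA or from any device vendor: it assumes a vendor Ed25519 public key baked into the device, a small manifest format (build number plus SHA-256 of the image) invented here, and a vendor-side signing step included only so the example runs offline. The device rejects an update whose manifest signature does not verify, whose version is not strictly newer than the installed one (a downgrade to an older, vulnerable build), or whose image does not match the signed hash.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one firmware update as the device sees it. The layout is
// a constructed stand-in for whatever a real vendor pipeline would emit.
type Manifest struct {
	Version   uint64   // monotonically increasing build number
	ImageHash [32]byte // SHA-256 of the firmware image
}

// Bytes encodes the manifest deterministically so signer and verifier sign
// and verify exactly the same bytes.
func (m Manifest) Bytes() []byte {
	buf := make([]byte, 8+32)
	binary.BigEndian.PutUint64(buf[:8], m.Version)
	copy(buf[8:], m.ImageHash[:])
	return buf
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("update version not newer than installed version")
	ErrImageHash    = errors.New("image hash does not match signed manifest")
)

// VerifyUpdate is the device-side check. Order matters: the signature is
// checked first, because the version and hash are only trustworthy once the
// manifest is known to come from the vendor key.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint64, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(vendorPub, m.Bytes(), sig) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback // anti-rollback: never downgrade to an older build
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageHash
	}
	return nil
}

// SignManifest is the vendor-side step, present only so the example runs
// offline; on a real device only the public key would exist.
func SignManifest(vendorPriv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(vendorPriv, m.Bytes())
}

func main() {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample image and manifest for build 2; the device runs build 1.
	image := []byte("constructed firmware image, build 2")
	m := Manifest{Version: 2, ImageHash: sha256.Sum256(image)}
	sig := SignManifest(vendorPriv, m)

	fmt.Println("genuine update:   ", VerifyUpdate(vendorPub, 1, m, sig, image))
	fmt.Println("replayed old build:", VerifyUpdate(vendorPub, 2, m, sig, image))
	fmt.Println("tampered image:   ", VerifyUpdate(vendorPub, 1, m, sig, []byte("tampered")))
	forged := m
	forged.Version = 3 // edited manifest without re-signing
	fmt.Println("forged manifest:  ", VerifyUpdate(vendorPub, 1, forged, sig, image))
}
```

The installed version number that feeds the rollback check should itself live in storage an attacker cannot simply reset (a monotonic counter or protected flash region), otherwise the anti-rollback rule is only as strong as that storage.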
Making some of these adjustments will be critical, or trust in IoT devices’ security among professionals and consumers will be further damaged, given the threat landscape in 2017 and beyond. The proliferation of IoT devices will result in escalating instances of DDoS attacks this year, according to Deloitte – potentially along the lines of the massive Mirai DDoS attack that used infected IoT devices to cause widespread disruption in October.
That attack, while certainly a wakeup call to some device manufacturers, might not have resonated with many consumers, who did not see a direct impact on their lives, even if their own device was infected and part of the attack. But there is little doubt more and more individuals will be affected by IoT security shortcomings as the devices – and the related threats – grow at a staggering rate.
That could include the emergence of IoT ransomware threats. Ransomware exploded on PCs in 2016, resulting in estimates of about US $1 billion in payments. Given how lucrative the attacks have proven to be, it’s not much of a stretch to anticipate that criminals will explore how they can target IoT devices in their ransomware schemes. For example, imagine a smart lock on your home or car that won’t open until you pay a small ransom. From a criminal perspective, ransomware attacks on IoT devices could make for an efficient strike, with the possibility of holding customers’ devices or data hostage and extracting money from the same individual or organization in a single step.
As attacks on IoT devices continue to evolve, none of us will be able to say we didn’t see them coming – 80 percent of professional respondents in the Risk-Reward Barometer survey expressed a high or medium belief in the likelihood of an organization being breached through an IoT device. Enterprises can use network segmentation to isolate IoT devices from their production network. Consumers also recognize the security threats; more than 75 percent of consumer respondents in each of five regions surveyed – Australia, India, Singapore, the US and the UK – expressed concern that augmented reality enhancements could make their IoT devices more vulnerable to a breach. Home IoT network security devices like Dojo by BullGuard, CUJO and BitDefender BOX can help consumers protect their IoT devices from cyber attacks – some even have enterprise-like network segmentation capability.
Connected devices are becoming increasingly prominent in our daily lives. It is up to consumers and organizations to send the message to device manufacturers that insufficient security design will be a deal-breaker when it is time to consider a purchase.