Regardless of its size, every organization that depends on information technology to conduct any part of its business should have a functioning cybersecurity program.
Terms related to the protection of information and information resources have evolved over time as new technology and new concepts have entered the business mainstream. These terms should be thought of as describing interconnected parts of the bigger business risk model (figure 1). Information security is the protection of information, whether in electronic or physical form. Cybersecurity[1] incorporates the electronic delivery of information by means of information communication technology (ICT), which encompasses the capture, storage, retrieval, processing, display, representation, presentation, organization, management, security, transfer and interchange of data and information.[2]
Regardless of the term used, the objective is to ensure:
Throughout this discussion, the term “cybersecurity” will be used to include all facets of information protection.

What Is a Cybersecurity Program?

Today’s enterprise landscape is defined by the people, processes and technology used to manage information. That information is the essential element of most organizations. Therefore, the only reasonable approach to sustainable cybersecurity is to involve an organization’s people, processes and technology in the solution. This means that cybersecurity should be perceived as an enterprisewide undertaking—a corporate discipline, not an IT project. As such, cybersecurity should be viewed as a full-fledged business program within the organization’s functional business structure. A project is a plan of action aimed at accomplishing a clear business objective; it includes details about what work is to be done, by whom and when, and what means or resources will be used. Programs, in contrast, deliver outcomes, whereas projects deliver outputs. A program approach to cybersecurity does the following:
Based on the differences between a project and a program, cybersecurity is not a project:
In most organizations, information need, use and protection are bounded by three functional areas—business management, legal considerations (regulations and contractual arrangements) and IT (figure 2). Business goals change, new legal requirements involving the use and protection of information emerge, and new technology is frequently adopted to support those changes. Effective people, processes and technology are essential to protect information, but anticipating changes in the need for and use of information should be an equal consideration. With these things in mind, a cybersecurity program should be viewed as an overarching, enterprisewide sequence of three constantly expanding and contracting activities:
It is essential that the cybersecurity program is orchestrated and synchronized with the organization’s business goals, and it must be inherently flexible enough to recognize real-world risk and compliance issues (figure 3). Achieving this synchronization is largely a matter of adopting or defining an inclusive information management control framework and building a working program apparatus based on that framework. In doing so, an organization can recognize information risk and manage that risk in a systematic way.

Information Protection Frameworks, Standards and Regulations

There are multiple frameworks for managing information risk. Every organization is different and has its own needs and, in some cases, the applicable framework may be predetermined by regulation. Alternatively, a compilation of frameworks and best practices can be cobbled together to create a unique framework. Many information security (InfoSec) authorities have released standards over the years that may help enterprises manage their information security risk. Common standards and frameworks, also known as “best practices,” are listed in figure 4. Some of the standards listed in figure 4 are recommendations for security practices; others are complete lists of controls that, in the opinion of the issuer, should be met. For example, in the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) standard ISO/IEC 17799:2005, the ISO/IEC defines guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization. More specifically, it provides recommendations on the following:
Cybersecurity Program Functions

According to ISACA:

For a structured program, cybersecurity governance is the centerpiece from which each of the three activities previously described—prevention, detection and response—must be coordinated. But because critical information is so pervasive in most organizations, other important functions require cybersecurity considerations, too. In addition to core cybersecurity operations, these functions are planning, project support and risk management (figure 5). These functions describe the activities necessary to provide basic cybersecurity coverage. In larger organizations, each function may be represented by a separate team; in smaller enterprises, one individual may be in control of everything. The bottom line is that even identical organizations may design and implement completely different cybersecurity programs, but the basic functions will always be the same.

Governance

The board of directors (BoD), managers and internal auditors all have significant roles to play in the adoption and implementation of information protection controls. The BoD must provide oversight of information ownership, protection and policies, and it must shape the corporate culture to enable information protection. Executive managers must provide leadership to ensure that information protection efforts are supported and understood across the organization. This includes dedicating sufficient resources so that information management controls are effective. Executive managers must continually review activities for improvement, and they are ultimately responsible for the success of any information protection project. Staff and line managers must be integrated in the design and implementation of all information protection activities, especially information classification (e.g., sensitive or critical).
Likewise, they must review and monitor the operation of information protection controls to ensure their appropriateness in the face of changing risk and business requirements. Every organization must create, communicate and enforce well-defined policies and procedures that reflect a consensus of risk management decisions. Policies can be enforced only if they are up-to-date, relevant to the business and communicated appropriately. Policies, and the procedures developed from them, are the road maps by which the organization uses, moves and stores information. A cybersecurity leadership role must be created, and the individual who accepts that role should be empowered to coordinate, manage, recommend and escalate all issues related to business information risk. This executive must have access to all the resources necessary to interpret applicable laws and regulations governing how the organization controls sensitive information. In addition, this executive must advise the board and senior management as to the appropriate organizational perspective on various information risk issues.

Operations

Prevention of Threatening Events
Detection of Threatening Events
Response to Threatening Events
Components of a cybersecurity incident response plan typically include the following actions:
Planning
Project Support
“The risk management function is the engine that drives the cybersecurity program.”

Risk Management
Managing the Cybersecurity Program Life Cycle

An information security program is never static. There will always be areas to improve, new vulnerabilities to correct, policies to update, assessments to conduct, new technology to incorporate and so forth. The security project management component leverages best practices in the areas of operational performance and project management to organize and manage the projects required for the information security program function. This function creates the organization’s project road maps; originates plans of action; develops and builds consensus business cases for projects; and performs project budgeting, monitoring and control. This component also supports resource management through an integrated master plan and schedule.

A cybersecurity program life cycle is driven by meeting information security requirements, educating people about their responsibilities and building governance structures to ensure compliance, all while monitoring and reporting progress so that policies or requirements can be adjusted appropriately (figure 6). This approach should be perpetual. That is, based on conclusions derived from security incident analyses or security compliance assessments, policies and procedures should be refined and education and awareness should be adjusted to better focus on current issues. Then the cycle begins again.

Managing Cybersecurity

Decision-making is a cognitive process that defines a course of action to be taken in expectation of achieving a predetermined result. In view of this, a decision cycle is the sequence of steps repeatedly employed to achieve those results while learning about other potential outcomes and making adjustments as needed. Adaptive management is decision-making in the face of uncertainty. It relies on learning as an inherent part of the process to achieve the best outcome based on current knowledge. For example, each of these concepts is easily and routinely applied to IT management.
Each relies on the idea that a metric will be produced based on outcome, and a predetermined outcome is envisioned. IT management is outcome-driven. Cybersecurity management is not. Although cybersecurity management should be integrated into enterprisewide decision-making processes, especially when a security project is involved, cybersecurity management must be a time-based decision-making entity. Within cybersecurity, time is the one critical constant in all efforts. For example, the strength of encryption is ultimately based on the amount of time needed to break the code, just as the strength of a safe is measured by the “torch and tool” time needed to penetrate its armor. Similarly, “dwell time” describes how long malware has resided in a system prior to discovery and eradication, thereby estimating the compromise period. Cybersecurity is rarely static.

Conclusion

A cybersecurity program should be much more than a localized collection of prevention, detection and response activities. To be effective, a cybersecurity program must be dynamic. To be dynamic, the program must be elastic in the sense that information governance is an enterprisewide undertaking. Each functional element of the organization is a stakeholder and, therefore, must share responsibility for information use and protection. Information risk, and thus cyberrisk, is a critical subset of the organization’s overall business risk and therefore cannot be isolated as a technology management issue alone.

Endnotes

[1] National Initiative for Cybersecurity Careers and Studies, Glossary, “cybersecurity,” USA, https://niccs.us-cert.gov/glossary#C

Steve Akridge, CISM, CGEIT, CISSP, is owner and president of BorderHawk LLC, a company specializing in cybersecurity and IT risk management integration. Following a 20-year career with the US Naval Security Group Command, Akridge served as the US State of Georgia’s first chief information security officer and later as a technical director with the US Defense Security Service. After leaving public service, he became a private security consultant to a variety of public- and private-sector enterprises, including Wells Fargo, Coca-Cola, and US state and local government entities in the US States of Alaska, Florida, Montana, Nevada, New York and Texas. He has represented the interests of employers and delivered presentations on a variety of information security-related subjects to groups such as the Partnership for Critical Infrastructure Security (PCIS), the US National Association of State Chief Information Officers (NASCIO), the North American Electric Reliability Council (NERC), the US Federal Public Key Infrastructure Steering Committee and the Southeast Cybercrime Institute. Akridge has taught cybersecurity as an adjunct professor at the graduate level and business at the undergraduate level. Additionally, he has co-authored a variety of articles on information protection issues and has been interviewed or quoted on such issues in several publications.