Breaking silos in Network Security using Governance, Risk & Compliance
It is well-established that as new technologies continue to emerge, new threats and motives behind them correspondingly evolve. From script-kiddies and hackers to cyber-terrorism and cyber-crime such as corporate espionage, there is a whole new underworld economy. It is not just iPods and iPads that are on sale on the web, but botnets, zombies and a host of other malware that can be purchased just as easily.
TABB Group forecasted global compliance market spend will rise 7.5% to 8% in 2015, reaching $2.59 billion from $2.43 billion in 2014 and growing at a similar pace for 2016, driven by global regulations that require institutions to expand coverage, enhance existing capabilities and standardize compliance solutions and processes. Risk Management remains the top GRC motivation. Organizations worldwide are continuing to spend huge amounts in protecting their network, regulating data, and sustaining business viability. As each year goes by, Security & Compliance spend is on the rise, so are threats, and tangible and intangible losses on account of them.
Very clearly, the underworld cyber-economy has been working overtime to beat the good guys. The reasons for rising losses due to dynamically changing threats can be many: Resorting to quick-fix solutions, trying to beat the competition in new products and services while adopting or leveraging new technologies, relying solely on technology based controls, increasing business complexities and global operations, security as an afterthought in new development, and acquisitions in IT. One strong reason is that controls and procedures are not based on a sound governance and risk management structure, spanning the entire organization.
Among many different types of controls and procedures, network security controls play a very vital role in protecting an organization. They provide the basis on which others including application controls can be built upon to maintain a more formidable security posture. While it is true that GRC encompasses a whole host of initiatives, this paper focuses on maximizing the effectiveness of network security controls by using an approach that revolves around GRC.
Some of the strategies to break silos in Network Security using the GRC approach:
Get the Big Picture
Knowledge about business requirements for Security, Privacy and Compliance must percolate through all levels of an organization. Though the roles played by a security guard or a custodian, or even staff at the bottom of the hierarchy, may seem less consequential when compared to the role of senior leadership, that link is easily weakened if it is not addressed adequately. Knowledge of the ‘Big Picture’ can significantly lower the likelihood of failure in controls and processes, and therefore any negative impact on the business, because staff are more aware of their role and of GRC.
For example, knowing the organization’s compliance requirements helps build a strong business case for network security controls, especially in the wake of proliferating regulations and customer demands. Better alignment with security and compliance requirements helps justify the budget for additional network security controls, including consolidation around key technologies such as Identity & Access Management (IAM).
Knowledge of the big picture helps avoid implementing controls in silos and re-inventing the wheel. It underscores the significance of collaboration among key stakeholders such as business, IT, security, risk and audit personnel, and helps them connect the dots. Better connected policies and technologies provide greater business agility and help the organization stay ahead of the competition.
Regulations such as PCI DSS can certainly be used by organizations to narrow the gap between business and compliance alignment. Because PCI DSS is more prescriptive about control requirements than other standards, not just security and compliance professionals but also business process owners can better connect the dots. So a system or firewall administrator can better understand where a failure will hurt her and the organization the most, and also appreciate her role from an organizational perspective. Knowing the network segment where cardholder data resides, and its sensitivity, helps design more effective firewall and intrusion prevention policies.
Create a strong people-link and create a culture of risk, security & compliance
If people form strong links, weaknesses in technological controls and processes can be overcome, whereas the reverse may not always be true given that the insider threat landscape is continuously expanding. Controls and processes can be weakened by ineptitude or ignorance. Awareness of compliance requirements at all levels will certainly help increase the effectiveness of controls. For example, accidental violations and breaches by insiders are costing organizations more heavily than external malicious attacks. It’s often been said that an organization’s success is due to its employees. Yet employees, from the entry-level customer service representative to the senior executive, are costing US organizations more than $40 billion a year through theft, according to Corporate Combat Inc., USA. If fraud is included as theft, the figure rises to more than $600 billion!
Articulate business impact: Risk Assessment
Articulation of business impact demands knowledge of business requirements for Security, Privacy & Compliance. This can lead to better alignment of the design and operation of controls with business requirements. The key here is to keep network security in sync with business applications.
For example, Data Classification is one of the building blocks of a successful security strategy. It provides the basis for validating risk impact. Depending upon business requirements for Security & Compliance, it helps build a case for the successful implementation of IT general controls such as Information Security (IS), Business Continuity Process (BCP), Network Access Control (NAC), Data Loss Protection (DLP), and Identification & Authentication (I&A).
Consult, Communicate & Collaborate
People are essential at every stage of the GRC journey. The success and effectiveness of GRC depend heavily on a common and consistent language across the organization, and on consistent and timely communication. GRC should also focus on culture, with executive leadership leading from the front.
For example, knowledge of PCI DSS requirements can certainly help in the design and testing of the controls that applications need to protect cardholder data. Many applications continue to be exploited more through abuse of functionality than through specific attack code. The sensitivity, criticality and exposure of data vis-à-vis compliance requirements and their consequences can be used to build threat scenarios and use-cases for applications during design, development and testing.
GRC is a continuous process, and technology is a critical ingredient
GRC is a continuous process carried out by people and run by a set of policies, processes and procedures. While technology is an important ingredient of any such process, by itself it cannot meet or sustain compliance. Technology should help with automation, reducing errors, omissions and other accidental violations, and reducing the opportunities for fraud. However, technology requires people to create and maintain it, and that is likely to remain the case for a while. When insider threats rise, controls tend to become more information-centric and less people-centric.
Audit, Analyze and Align
By now Governance, Risk Management, Security and Privacy are part of a continuous journey in any organization’s compliance initiatives and investments. As businesses are always in a state of flux, expanding by leveraging technology and growing profitability, Risk and Compliance are likewise in flux to meet the growing threat landscape. Governance remains an incomplete loop without a regular cycle of auditing and improvement.
For example, web applications have become the face of organizations. In an effort to reduce overall costs and maximize productivity, organizations continue to take advantage of cutting-edge technologies such as Web services, Cloud computing and Virtualization. Increased automation, a mobile workforce, the need for multiple access mechanisms, web-enabled services, and IT-driven business strategies and delivery have thrown open the floodgates for new risks.
Aligning the use of these emerging technologies requires a deeper understanding of the underlying business processes that these applications support and automate. When network security controls are designed and built with knowledge of the applications and the data they handle, investments in GRC are better complemented.
Every standard and best practice in information security stresses that people are the greatest assets of all. Ironically, information assets primarily need to be protected from people assets, whether accidental or malicious. GRC should look beyond technology, which is likely to be implemented in piecemeal fashion given business pressures. Unifying IT projects and aligning them with overall business goals must be regarded as a process, one that can be governed and facilitated by GRC.