I attended the Computing magazine Enterprise Security and Risk Management summit a while ago and thought I should share some of the notes I made during the day.
As always these are pretty raw notes that I took on the day.
Risk assessment and data classification are key to understanding which data must be secured, and how. This is challenging, however, because the goal posts constantly move. For example, is the most sensitive data that which would have the greatest financial impact if lost, or that which is most confidential? Time is often a factor: a charity stated that its systems being down has a much greater impact over Christmas than during the school holidays; another example is a sales organisation, where the data is hugely valuable and sensitive while a large deal is imminent, but becomes public as soon as the deal is done.
Prioritising which data must be protected, and when, is key to enabling an intelligent, risk-based approach to security.
For me this is such an obvious premise. Without data classification most DLP-type tools are of limited value. Yes, they can look for obvious things like a credit card number or specific keywords / phrases, but they will miss most things your business considers valuable unless you tell them what is valuable by classifying it! This is an area many companies seem to fail on, yet classification is critical to enabling appropriate handling and controls to be implemented around your data.
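As an added illustration of that point (my own example, not something presented at the summit), the small scanner below flags a document either on a Luhn-valid card number or on a classification label, and shows that an unlabelled but equally sensitive deal document goes unnoticed. The sample documents and the "Classification:" header format are constructed assumptions.

```python
import re

# Constructed sample documents (not from the summit). Each is a
# (filename, content) pair; where present, the classification label is a
# header line of the form "Classification: <label>" (an assumed convention).
SAMPLE_DOCS = [
    ("expenses.txt", "Card used for travel: 4111 1111 1111 1111\n"),
    ("deal-q4.txt", "Classification: Confidential\nAcme deal value 4.2m, closing Friday.\n"),
    ("deal-q1.txt", "Acme deal value 3.9m, closing next month.\n"),
    ("canteen.txt", "Menu this week: soup, sandwiches, order no 4111111111111112\n"),
]

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")           # candidate card numbers
LABEL_RE = re.compile(r"^Classification:\s*(\w+)", re.MULTILINE)
SENSITIVE_LABELS = {"Confidential", "Restricted"}

def luhn_ok(digits):
    """Luhn checksum: the pattern-based check a DLP tool uses for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return Luhn-valid digit strings found in the text (spaces/dashes stripped)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def classify(text):
    """Return the document's classification label, or None if it has none."""
    m = LABEL_RE.search(text)
    return m.group(1) if m else None

def dlp_verdict(text):
    """Reasons a DLP rule would block this document: 'pan' and/or 'label:<name>'."""
    reasons = []
    if find_pans(text):
        reasons.append("pan")
    label = classify(text)
    if label in SENSITIVE_LABELS:
        reasons.append("label:" + label)
    return reasons

def scan(docs=SAMPLE_DOCS):
    """Map each filename to its block reasons; deal-q1.txt gets none: no label, no PAN."""
    return {name: dlp_verdict(body) for name, body in docs}
```

Running scan() shows deal-q4.txt blocked only because someone labelled it; deal-q1.txt is just as sensitive to the business but slips through, which is the gap classification closes.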
Panel discussion: Effective information security risk management – making the business case for investment.
Focus on how to engage and communicate at board level.
Ensure the board understands risk and regulations etc.
Understanding the culture of the organisation and the primary concerns of the board are key. The need for and benefits of security can then be sold to the board in terms of how it will protect / drive / benefit the business and better enable it to achieve its key goals.
Ensure there is a balance between security and usability. Security must enable the business goals in a secure manner, not hinder them in the name of being secure.
Security must understand the business:
– What is the impact to the business from potential issues / threats if they are realised?
– What is the impact to usability / customer experience / profit etc. of implementing controls to remove / mitigate / reduce the risk?
– What is the environment the business operates in? Use examples of similar businesses, or businesses in similar sectors, that have been breached or have implemented similar security controls.
Education and awareness are also key. IT may be able to implement security controls and monitoring, but security and working securely are everyone's responsibility within the organisation.
Brief comments on supply chain management / security. For medium to large suppliers, contracts are key; for very small suppliers contracts are important, but working more collaboratively is likely more important as they will not be set up for large, complex corporate contracts. Fostering long-term relationships works better and will provide better outcomes than changing supplier every year just to save cost; this long-term approach develops trusted relationships with partners who understand your business.
Information Security Transformation – Matt Denny, Marks and Spencer
Historically M&S was very security focused, but in the traditional sense of building a castle around all the data. This often made it very hard for people to do their jobs; as an example, he stated that staff in the stores couldn't access the M&S website as it wasn't approved by security!
Built out a team of experts, some in security and some with a strong retail focus. Worked hard to ensure security is appropriate across the business: what do we really need to protect, and how should we enable the business?
Focus on quietening the noise: dealing with the issues that hinder people's work, so that conversations with the board weren't about the issues people complained about.
Driven a culture of accountability and ownership. The current DR manager and PCI / compliance manager had no previous experience in those specific areas. Asked what they needed (training etc.), then made them accountable once they had it.
Some key take away points;
– Know your business needs
– Build strategy, communicate and live by it
– Implement an SDLC and take application security seriously
– Identity and application management doesn’t have to be hard
– Invest in your people…. Invest in your people…..
– Work with people, not companies
– Trust no-one – check and verify
Message Matt presented to the M&S board on information security for the next year;
– Prepare for the worst
o Know your weaknesses
o Be able to detect the attacks
o Practice your response
– Stay ahead of the bad guys
o Research and learn
o Invest in your people
o Innovate and deploy effective tech
– Get more from what you have
o Use as much functionality as you can
o Legacy can still be king!
Also of note: the first security awareness message to the whole business was a simple video about staying safe online at home as well as at work. General focus on staying safe online; if someone can create a safe Facebook password, they can create a safe work one!
Great talk highlighting how important it is to get the right message to the board, and how simple this message, plus security awareness, can be.
Understand your business and its key drivers, invest in people, and ensure you get your message to the board in language they care about.