While digital technology has transformed the way organisations operate, it has also led to a significant rise in organisational risk. The growth in mobile, flexible and internet-based working, the use of a wide range of endpoint devices, and increased software collaboration and reliance on external organisations and partners have all increased the attack surface.
Perimeter security architecture on its own is no longer sufficient: securing traffic originating from data centres is not enough when users, devices and data sit outside them. Castle-and-moat (or hub-and-spoke) architecture needs to be re-examined, along with the role of MPLS connectivity, cloud firewalls and VPNs.
Digital technologies also create new threat vectors that those with malicious intent will use to try to infiltrate an organisation. From malware to phishing and social engineering, attackers continually develop new ways to defeat its security defences.
In a digital world, security is no longer only an IT risk but a business risk. It is more important than ever to provide assurance that data is secure, maintain customer trust and protect your organisation’s reputation – all while continuing to drive business growth, increase customer satisfaction, improve productivity and keep costs down.
About the author
Neville Armstrong is Service Strategist at Fordway Solutions.
Assessing risk appetite
To address the new risks, IT leaders must rethink their approach to security, considering behavioural and pattern-based security and zero trust networks. To do this, they must first understand the risks they face. They need to:
- Assess the impact of the new risks on their organisation
- Develop an appropriate risk strategy to protect their organisation without stifling innovation and operational performance
- Embed this in governance and compliance policies which can continually adapt as technology and associated threats change.
Assessing risk begins with an understanding of the organisation’s Risk Profile. This comprises the threats it faces, both internal and external; whether the organisation and its systems are vulnerable to those threats; and the impact if a vulnerability is realised. Putting values to these three attributes and multiplying them together enables IT service management leaders to quantify each risk and define the organisation’s Risk Profile.
The final step is to understand, and define in policy, the organisation’s Risk Appetite. This means considering:
- the organisation’s ethical stance and culture
- the legal and potentially moral frameworks it operates in, which vary across jurisdictions and even within ‘standardised’ trading blocs such as the EU
- its security requirements, which will depend to some extent on the sector in which it operates.
One measure of Risk Appetite is a threshold score: any risk in the Risk Profile that scores above it must be treated rather than accepted.
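The Risk Profile calculation and the Risk Appetite threshold described above, as a small runnable risk register. This is an added illustration, not code from the article or from Fordway: the 1–5 scoring scales, the sample risks and the appetite threshold are all assumptions made for the example.

```python
"""Risk Profile and Risk Appetite as a small runnable risk register.

Added illustration, not code from the article or from Fordway. The 1-5
scales, the sample risks and the appetite threshold are assumptions.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # assumption: each attribute is scored 1 (low) to 5 (high)


@dataclass(frozen=True)
class Risk:
    name: str
    threat: int         # likelihood/capability of the threat, internal or external
    vulnerability: int  # how exposed the organisation and its systems are to it
    impact: int         # consequence if the vulnerability is realised

    def score(self) -> int:
        """Risk = threat x vulnerability x impact, as the article describes."""
        for v in (self.threat, self.vulnerability, self.impact):
            if v not in SCALE:
                raise ValueError(f"{self.name}: {v} is outside the 1-5 scale")
        return self.threat * self.vulnerability * self.impact


def risk_profile(risks):
    """The Risk Profile: every risk with its score, highest first."""
    return sorted(((r.name, r.score()) for r in risks), key=lambda t: (-t[1], t[0]))


def to_treat(risks, appetite):
    """Risks scoring above the Risk Appetite threshold, which must be treated
    (mitigated, transferred or avoided) rather than accepted."""
    return [name for name, s in risk_profile(risks) if s > appetite]


# Constructed sample register (assumed values, not taken from the article)
REGISTER = [
    Risk("Phishing of finance staff", threat=5, vulnerability=3, impact=4),    # 60
    Risk("Unpatched VPN appliance", threat=4, vulnerability=4, impact=5),      # 80
    Risk("Lost unencrypted laptop", threat=3, vulnerability=2, impact=4),      # 24
    Risk("Partner API credential leak", threat=3, vulnerability=3, impact=3),  # 27
    Risk("Printer misconfiguration", threat=2, vulnerability=3, impact=1),     # 6
]
RISK_APPETITE = 25  # assumption: the threshold the organisation sets in policy

if __name__ == "__main__":
    for name, s in risk_profile(REGISTER):
        print(f"{s:3d}  {name}")
    print("treat:", to_treat(REGISTER, RISK_APPETITE))
```

One design caveat worth keeping in mind: a product of ordinal scores ranks risks, it does not measure them. A threat of 5 with vulnerability and impact of 1 scores the same as an impact of 5 with the other two at 1, so many organisations pair the threshold with an override (for example, any risk with maximum impact is always treated) rather than relying on the product alone.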
Convincing the Board
With risk assessed, it is vital to obtain commitment and buy-in from the board and senior management, as investment will be needed to implement and operate the required systems and policies. They need to understand the importance of adopting appropriate governance frameworks to manage risk and what this means in operating a profitable and secure business.
Put simply, governance means aligning business strategy, objectives and values with operational and IT functions through management systems, whilst complying with industry standards and best practice. The board also needs to understand that this is part of business as usual (BAU), not a one-off activity each time a new risk is identified or new legislation comes around.
When organisations understand their risk appetite, decision-making becomes simpler because leaders understand the parameters within which they operate. This enables them to make informed choices about where to invest to protect against the most critical threats they face.
Being averse to risk can be extremely expensive, as overbearing restrictions mean a slow response to changing situations. However, getting it wrong can be even more costly, as too few restrictions can put an organisation’s future in jeopardy.
Governance and compliance
Governance and compliance are often seen as an organisational burden. However, they should be considered as a statement of organisational values and an investment in future growth, as well as an integral part of the risk management strategy. They are a vital part of ensuring that an organisation moves in the desired direction and can enable it to create added value. Effective, streamlined processes will promote security and minimise mistakes; compliance will demonstrate organisational commitment; and consolidating various standards will ultimately save money through reduced internal and external audit costs.
Good governance can differentiate an organisation from its competitors and enable it to respond to changing markets while providing lasting assurance to its customers. Compliance with standards ensures it has implemented what is widely recognised as best practice. It can enable processes to be simplified and, if part of an external standard which is audited regularly, is likely to be more enforceable and applied more consistently.
There are internal benefits too. Strong governance supported by appropriate training will ensure that everyone in the organisation understands their roles and responsibilities, cementing accountability and improving productivity. Operating best practice policies and processes that are externally audited will generate internal confidence, improving morale and increasing staff retention.
Implementing appropriate policies includes assessing how users work and how agile the technology can be made without compromising security. Policies need to be adaptive to suit the rapidly changing environment. ITIL 4 can assist here, as it is designed to help organisations make change at pace while maintaining integrity.
The organisation’s risk appetite should be reflected in tailored management systems such as a Quality Management System (QMS), or in an Information Security Management System (ISMS) where information security is key to business development and sustainability. Organisations that wish to focus on customer satisfaction may implement a Service Management System (SMS), and those that want to assure their community and ethical values may want, or need, to implement an Environmental Management System.
All these systems must be tailored to align with corporate goals. This may mean introducing policies, processes and procedures that are unique to the organisation. Existing standards provide a basic framework, but these must be streamlined and tailored to the organisation’s specific needs and strategic direction to extract value.
To follow best practice, organisations should align their management systems with industry standards (e.g. ISO) wherever appropriate. One approach well-managed organisations use to streamline governance is to consolidate their security, quality, environmental and service management systems (ISO/IEC 27001, ISO 9001, ISO 14001 and ISO/IEC 20000-1) into an integrated management system. In certain areas this gives them a single policy to manage instead of multiple policies across different systems.
Having defined policies and procedures, organisations should apply governance to review their compliance with these policies. Regulation, internal strategy, technology and threats do not stand still, so IT departments need to monitor potential changes closely so that their governance, risk and compliance can keep pace.
Implementing zero trust
In addressing digital risk, organisations should take a fresh look at network architecture. The perimeter security architecture of enterprise networks has traditionally been designed from the outside in. However, today’s networks should be designed from the inside out, based on a consideration of data flows and security stacks. To maintain system performance and organisational agility, networks need to be designed with multiple egress points, rather than just securing traffic emanating from data centres.
IT departments then need to challenge existing trust levels and implement new security models to support zero trust. One element of this is micro-segmentation: granular security boundaries that block unrequired and unwanted lateral movement of traffic between systems and limit user access to what each role needs. In effect, users are becoming the new security edge, and identity management is becoming the new perimeter management.
Implementing zero trust – or restricted trust – begins with a full understanding of access management and the alignment of rights, privileges and behavioural patterns that are built into policies. It means implementing least privilege and default-deny policies for each user and each system, with clear processes to elevate rights on approval. This should be accompanied by the ability to monitor and log both successful and failed access.
Closely aligned to this is user management. Systems need to be in place to detect and create alerts for abnormal user behaviour, with everyone fully aware of threats and threat vectors. This requires robust cyber security training and awareness and acceptable use policies linked to HR management policies. Training needs to be ongoing to ensure all new cyber threat vectors are understood by users and mitigated.
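The access-management points above (default deny, least-privilege role grants, elevation that requires approval, logging of both allowed and denied requests) and the abnormal-behaviour alerting in this paragraph, combined in one runnable walk-through. This is an added example, not code from the article or from Fordway. The roles, resources, the rule that an approver must be a different person, the time window and the alert threshold are all assumptions chosen for the illustration; the clock is a plain integer so the example runs offline.

```python
"""Default-deny access decisions, least-privilege role grants, time-boxed
elevation that needs a separate approver, an access log that records both
granted and denied requests, and a simple abnormal-behaviour alert over it.

Added example: not code from the article or from Fordway. The roles,
resources, approval rule, time window and alert threshold are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field

# Least privilege: a role lists only the (resource, action) pairs it needs.
# Anything not listed here is denied (default deny).
ROLE_GRANTS = {
    "finance": {("ledger", "read"), ("ledger", "write")},
    "support": {("crm", "read")},
}


@dataclass(frozen=True)
class LogEntry:
    time: int       # integer clock in seconds, assumed for the example
    user: str
    grant: tuple    # (resource, action)
    outcome: str    # "allow", "deny", "elevation-granted", "elevation-denied"
    reason: str


@dataclass(frozen=True)
class Elevation:
    user: str
    grant: tuple
    approved_by: str
    expires_at: int


@dataclass
class AccessControl:
    roles: dict                                   # user -> set of role names
    log: list = field(default_factory=list)
    elevations: list = field(default_factory=list)

    def request_elevation(self, user, grant, approver, now, ttl):
        """Temporary extra right; the approver must be a different person."""
        if approver == user:
            self.log.append(LogEntry(now, user, grant, "elevation-denied", "self-approval"))
            return False
        self.elevations.append(Elevation(user, grant, approver, now + ttl))
        self.log.append(LogEntry(now, user, grant, "elevation-granted", approver))
        return True

    def allowed(self, user, resource, action, now):
        """Decide one request and log it whichever way it goes."""
        grant = (resource, action)
        for role in self.roles.get(user, ()):
            if grant in ROLE_GRANTS.get(role, ()):
                self.log.append(LogEntry(now, user, grant, "allow", f"role:{role}"))
                return True
        for e in self.elevations:
            if e.user == user and e.grant == grant and now < e.expires_at:
                self.log.append(LogEntry(now, user, grant, "allow", f"elevation:{e.approved_by}"))
                return True
        self.log.append(LogEntry(now, user, grant, "deny", "default-deny"))
        return False


def abnormal_users(log, now, window, max_denies):
    """Users with more than max_denies denied requests in the last `window` seconds."""
    denies = Counter(e.user for e in log
                     if e.outcome == "deny" and now - window <= e.time <= now)
    return sorted(u for u, n in denies.items() if n > max_denies)


def run_scenario():
    """Constructed walk-through; returns the decisions so they can be checked."""
    ac = AccessControl(roles={"alice": {"finance"}, "bob": {"support"}, "mallory": {"support"}})
    out = {}
    out["alice_ledger_write"] = ac.allowed("alice", "ledger", "write", now=100)  # role grant
    out["bob_ledger_read"] = ac.allowed("bob", "ledger", "read", now=101)        # not granted
    out["bob_self_approval"] = ac.request_elevation("bob", ("ledger", "read"), "bob", now=102, ttl=600)
    out["bob_elevated"] = ac.request_elevation("bob", ("ledger", "read"), "alice", now=103, ttl=600)
    out["bob_ledger_read_elevated"] = ac.allowed("bob", "ledger", "read", now=104)
    out["bob_ledger_read_expired"] = ac.allowed("bob", "ledger", "read", now=800)  # 103 + 600 < 800
    # mallory probes four resources outside her role in quick succession
    for i, res in enumerate(["ledger", "ledger-db", "hr", "payroll"]):
        ac.allowed("mallory", res, "read", now=900 + i)
    out["alerts"] = abnormal_users(ac.log, now=905, window=60, max_denies=3)
    out["denied"] = sum(1 for e in ac.log if e.outcome == "deny")
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Two points the code makes that the prose only implies: every decision, including the expired elevation and the rejected self-approval, lands in the same log, so the anomaly check has failed attempts to work with; and the alert threshold is deliberately a count of denials within a window, which catches a user probing resources they have never been granted without flagging the occasional mistyped request.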
Finally, it is vital to securely manage access to company resources from mobile and other devices, especially where use of staff’s personal devices is permitted (e.g. BYOD, BYOT and IoT devices). Multi-factor authentication should be implemented, along with mobile device management (MDM), mobile application management (MAM) and mobile information management (MIM) where data security is important.