The first two posts in this series on Cybersecurity focused on the strategic issues around information security and the IT response from the datacenter. The third post discussed the new innovations being ushered in by Big Data techniques and players in the open source space. This fourth & final post in the series will focus on the business steps that Corporate boards, Executive & IT leadership need to adopt from a governance & strategy standpoint to protect & insulate their businesses from the constant firehose of cyber attacks.
Cybersecurity – A Board level concern –
Enterprise business is built around data assets, and data is the critical prong of any digital initiative. For instance, Digital Banking platforms & Retail applications are evolving into collections of data based ecosystems. These need to natively support loose federations of partner and regulatory applications which are API based & Cloud native. These applications are mostly built on microservice architectures & need to support mobile clients from the get go. Because they serve massive numbers of users and carry a high business priority, they tend to take a higher priority in the overall security equation.
The world of business is now driven by complex software & information technology. IT is now enterprise destiny. Given all of this complexity across global operating zones, perhaps no other business issue has the potential to result in massive customer drain, revenue losses, reputation risks & lawsuits from affected parties as does a breach in Cybersecurity. A major security breach is a quick game-changer and has the potential to put an organization in defensive mode for years.
Thus, Corporate Boards, which have long been insulated from technology decisions, now want to understand from their officers how they are overseeing and mitigating cyber security risk. Putting into place an exemplary program that can govern across a vast & quickly evolving cybersecurity threat landscape is a vital board level responsibility. The other important point to note is that the interconnected nature of these business ecosystems implies the need for external collaboration as well as a dedicated executive to serve as a Cyber czar.
Enter the formal role of the CISO (Chief Information Security Officer)….
The CISO typically heads an independent technology and business function with a dedicated budget & resources. Her or his mandate extends from physical security (equipment lockdown, fob based access control etc.) to setting architectural security standards for business applications as well as reviewing business processes. One of the CISO's main goals is to standardize the internal taxonomy of cyber risk and to provide a framework for quantifying these risks across a global organization.
A new approach to cybersecurity as a business issue is thus called for. Enterprises have put in place formal cybersecurity programs with a designated CISO. The CISO has a team reporting to her which ensures that detailed threat assessments are created, and that dedicated resources are embedded both in the lines of business and in central architecture & operations to maintain smooth business continuity in the event of security breach led disruptions.
Cybersecurity – An Enterprise Wide Process –
With all of that in mind, let us take a look at the components of an enterprise wide cybersecurity program in critical industries like financial services and insurance. I will follow each of the steps with detailed examples from a real world business standpoint. A key theme across the below will be to ensure that the cybersecurity program in and of itself does not turn burdensome to business operation & innovation. Doing so would defeat the purpose of having such a program.
The program is depicted in the below illustration.
Illustration – Enterprise Cybersecurity Process
The first step is almost always an Assessment process, which itself has two sub components – business threat assessment & information threat assessment. The goal here should be to comprehensively understand the organization's business ecosystem by taking into account every actor – internal or external – that interfaces with the business. For an insurance company, this includes customers, prospects, partner organizations (banks, reinsurance firms) and internal actors (e.g. underwriters, actuaries etc).
For a Bank, this includes fraud & cyber risks around retail customer ACH accounts, customer wires, commercial customer accounts along with the linked entities they do business with, millions of endpoint devices like ATMs & POS terminals, a wide payments ecosystem and so on. Understanding the likely business threats across each role & defining appropriate operational metrics across those areas is a key part of this stage. At the same time, the range of information used across the organization, starting with customer data, payment systems data and employee data, should be catalogued and classified by sensitivity, from Critical to Restricted to Internal Use to Benign. These classifications must be communicated to the lines of business as well as the IT & development organizations. It is critical for operations & development teams to understand this criticality so that they incorporate secure & efficient development methodologies into their current IT Architecture & development practices; a data set's classification determines which controls (encryption, access control, logging, retention) apply to every system that stores or processes it.
The next step in the process is to Plan & Benchmark the current state of security against industry standard frameworks to better understand where the internal cyber gaps may lie across the entire range of business systems. This step also takes into account the Digital innovation roadmap in the organization and does not treat areas like Mobility, Cloud Computing, DevOps and Big Data as being distinct from a security standpoint. This is key to ensuring that effective controls can be applied in a forward looking manner. For instance, understanding where gaps lie against Sarbanes Oxley, PCI DSS or HIPAA requirements ensures that appropriate steps are taken to bring these different systems up to par from an industry standpoint. Across this process, appropriate risk mitigations need to be understood for systems across the board, ranging from desktop systems and mobile devices to the systems which hold & process client data.
The third step is the Execution step. This has two subcomponents – the Systems & IT Refresh & the Governance Process.
The Systems & IT Refresh step deals with instituting specific security technologies, IT Architectures, Big Data standards etc. into line of business & central IT systems with a view to remediating or closing the gaps observed in the Assessment and Benchmark steps. The list of systems is too exhaustive to cover here but at a minimum it includes all the security systems covered in the first blog in this series @ http://www.vamsitalkstech.com/?p=1265
The Execution step will also vary based on the industry vertical you operate in. Let me explain this with an example.
For instance, in Banking, in addition to general network level security, I would categorize business level security into four specific buckets – general fraud, credit card fraud, AML compliance and cyber security.
- Firstly, the current best practice in the banking industry is to encourage a certain amount of convergence in the back end data infrastructure across all of the fraud types – literally in the tens. Forward looking institutions are building cybersecurity data lakes to aggregate & consolidate all digital banking information, wire data, payment data, credit card swipes and other telemetry data (ATM & POS) in one place to do security analytics. This approach can pay off in a big way.
- Across all of these different fraud types, the common thread is that the fraud is increasingly digital (or internet based) and the fraudster rings are becoming more sophisticated every day. To detect these subtle patterns, an analytic approach beyond the existing rules based approach is key: for instance, location based patterns in terms of where transactions took place, Social Graph based patterns, and patterns which commingle realtime & historical data to derive insights.
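As an added illustration (not code from the original post, and not any bank's system), here is what "consolidate first, then look for patterns a single-channel rule cannot see" looks like in practice. Three constructed feeds (card swipes, digital banking logins, ATM withdrawals) are normalised into one per-account timeline, and two detectors run over it: an impossible-travel check that compares consecutive events across any channel, and a shared-device check that treats device ids and accounts as a graph and flags a device touching many accounts. All account, device, timestamp and location values are made up for the example.

```python
"""Cross-channel fraud analytics over a consolidated event store.

Added example, not the post's own code. Normalises constructed events from
several banking channels into one timeline per account (the "data lake"
idea), then runs two pattern detectors that single-channel rules miss:
  1. impossible travel: consecutive events for one account whose locations
     imply a speed no traveller could reach;
  2. shared-device rings: one device id adjacent to many accounts.
All data below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed feeds. Each channel has its own schema, as real feeds do.
CARD_SWIPES = [
    {"card_acct": "A1", "ts": "2024-03-01T09:00:00", "lat": 40.71, "lon": -74.01, "terminal": "POS-NY-1"},
    {"card_acct": "A1", "ts": "2024-03-01T10:30:00", "lat": 51.51, "lon": -0.13, "terminal": "POS-LDN-7"},
    {"card_acct": "A2", "ts": "2024-03-01T11:00:00", "lat": 41.88, "lon": -87.63, "terminal": "POS-CHI-2"},
]
DIGITAL_LOGINS = [
    {"account": "A2", "when": "2024-03-01T12:00:00", "geo": (41.88, -87.63), "device": "dev-77"},
    {"account": "A3", "when": "2024-03-01T12:05:00", "geo": (41.88, -87.63), "device": "dev-77"},
    {"account": "A4", "when": "2024-03-01T12:07:00", "geo": (41.88, -87.63), "device": "dev-77"},
    {"account": "A5", "when": "2024-03-02T08:00:00", "geo": (34.05, -118.24), "device": "dev-12"},
]
ATM_WITHDRAWALS = [
    {"acct": "A5", "time": "2024-03-02T10:00:00", "lat": 34.05, "lon": -118.24, "atm": "ATM-LA-3"},
]


def normalise() -> list:
    """Map each channel's schema onto one common record shape, sorted by account then time."""
    events = []
    for e in CARD_SWIPES:
        events.append({"acct": e["card_acct"], "ts": datetime.fromisoformat(e["ts"]),
                       "lat": e["lat"], "lon": e["lon"], "device": e["terminal"], "channel": "card"})
    for e in DIGITAL_LOGINS:
        lat, lon = e["geo"]
        events.append({"acct": e["account"], "ts": datetime.fromisoformat(e["when"]),
                       "lat": lat, "lon": lon, "device": e["device"], "channel": "digital"})
    for e in ATM_WITHDRAWALS:
        events.append({"acct": e["acct"], "ts": datetime.fromisoformat(e["time"]),
                       "lat": e["lat"], "lon": e["lon"], "device": e["atm"], "channel": "atm"})
    return sorted(events, key=lambda r: (r["acct"], r["ts"]))


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=900.0) -> list:
    """Flag consecutive events for one account, across channels, that imply a speed above max_kmh.

    Returns tuples of (account, previous channel, current channel, distance_km).
    """
    alerts = []
    by_acct = defaultdict(list)
    for e in events:
        by_acct[e["acct"]].append(e)
    for acct, evs in by_acct.items():
        for prev, cur in zip(evs, evs[1:]):
            hours = (cur["ts"] - prev["ts"]) / timedelta(hours=1)
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # A location change with zero (or negative) elapsed time is impossible travel too.
            if dist > 0 and (hours <= 0 or dist / hours > max_kmh):
                alerts.append((acct, prev["channel"], cur["channel"], round(dist)))
    return alerts


def shared_device_rings(events, min_accounts=3) -> dict:
    """Graph pattern: any device id adjacent to min_accounts or more distinct accounts."""
    device_to_accts = defaultdict(set)
    for e in events:
        device_to_accts[e["device"]].add(e["acct"])
    return {d: sorted(a) for d, a in device_to_accts.items() if len(a) >= min_accounts}


if __name__ == "__main__":
    timeline = normalise()
    print("impossible travel:", impossible_travel(timeline))
    print("shared-device rings:", shared_device_rings(timeline))
```

Neither alert is reachable from a single feed: the A1 swipe in New York and the A1 swipe in London each look fine to a per-terminal rule, and dev-77 only stands out once logins for three different accounts sit in the same store. The same normalised timeline is what a historical baseline (usual countries, usual devices per account) would be computed from, so the realtime check and the historical profile read from one place.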
Finally, the Governance process.
What are the questions business execs and boards should ask of their IT:
- How are we doing on Cybersecurity from a competitive & business level standpoint? Further, are we answering this question using a business metric driven approach that assigns scores to the program in various categories? For instance – number of breaches, malware incidents, pace & effectiveness of response. Are these goals S.M.A.R.T.?
- Are all systems under regulation protected using appropriate controls?
- Are we able to hire the best and brightest security personnel and engage them within lines of business?
- Are we investing in IT solutions that leverage Big Data & Cloud Computing, which can be more secure than older fragmented architectures? Can my IT leadership vocalize our roadmap goals across these areas?
- Are my line of business leaders engaged in cybersecurity from the perspective of their business areas?
- Is our business ecosystem protected? What are my partners doing to protect sensitive consumer & business data?
- Are we sharing appropriate threat intelligence constantly with industry consortia and with the authorities, i.e. law enforcement and federal government agencies?
My goal in this post is to bring forth the high level dimensions of a cybersecurity plan at the board level while not being over prescriptive in terms of specific industry & business actions. Based on my years of working in sensitive industries like Financial Services & Insurance, Healthcare and Telco, I can confidently say that if the broad contours of the above strategy are adopted, you are on your way to becoming an organization with a strong foundation for Cybersecurity management. In this Digital Age, that can be a huge competitive differentiator.