The foundation for effective IT Security Management
Of late, the news on the IT security front has been dominated by mega hacks. Retailers in particular have taken the brunt of the bad press, with a large US home improvement company the latest to admit to being compromised. In all of these cases the cyber criminals took away credit card data belonging to retail customers. This in turn has set off a chain reaction in which financial services firms are battling the growth of credit card fraud. The resulting bad press and the loss of reputation and trust have affected the companies and their businesses.
The tools and exploits in these attacks were new, but the overall pattern is not. Cyber criminals have a vested interest in finding new ways to penetrate the enterprise, and that is not going to go away anytime soon. What enterprises can do is lower the risk of such events happening. That seems like a simple enough view, but in reality the implementation is complex. Reactive responses to a security breach involve investigations, in collaboration with law enforcement, into the nature of the breach: its source, the type of exploit used, the locations and devices involved, third-party access and so on. But that alone does not address the issue of enterprise risk.
Yes, a comprehensive approach is required. Many pieces of enterprise security have to come together and work as a cohesive force to reduce the risk of future attacks. These components include Security Awareness and Training, Access Control, Application Security, Boundary Defense and Incident Response, amongst others. But effective IT Security Management is incomplete without addressing one vital element. As an enterprise, the understanding of 'what we own', 'in what state', 'where' and 'by whom' is often lost between the discussions and practices of penetration testing, discovery and audit.
These four elements, coupled with a fifth, 'management' on a 24x7 basis, typically sit in an area outside IT Security: IT Service Management (ITSM), specifically Asset & Configuration Management (ACM). The foundation for effective IT security begins with strong collaboration and technology integration with the ACM practice. Without a capable ACM presence, IT Security Management is left to answer these questions by itself.
So why have enterprises ignored ACM, or tolerated a weak ACM practice? Over the last decade there have been several reasons: technological, structural and business-related. From a technology standpoint, the available solutions offered partial answers, required long implementation times and were not seen as robust enough. From a structural standpoint, the focus within ITSM was on 'Services', with Incident Management taking the lion's share of the budget and attention. From a business standpoint, multi-sourcing has played a huge role in the compartmentalization of the enterprise. Rightly so, service providers focus on achieving their service levels and on what they are contracted to do, and no more.
I would also argue that effective ACM is a key pillar of effective IT governance. The ability to know exactly what areas are being governed, and how, from an operational rather than strategic view also depends on a sound ACM practice. Again, in a software-centric world there is no application software without effective Software Configuration Management (SCM) and tools like Git and Subversion. So ignoring ACM undermines the very functionality and availability of the software.
But our focus is on IT security, so where does one start? Depending on the state of the ACM practice in the enterprise, there may be a need to fund this central function, expand its scope and bring in greater emphasis on tools, technology and people. More in my next blog...