The foundation for effective IT Security Management
Of late the news on the IT Security front has been dominated by the mega hacks. Retailers in particular have taken the brunt of the bad press, with a large US home improvement company the latest to admit to being compromised. In all these cases the cyber criminals took away credit card data belonging to retail customers. This in turn has set off a chain reaction in which Financial Services firms are battling the growth of credit card fraud. The resulting bad press and loss of reputation and trust have affected the companies and their businesses.
The tools and exploits in these attacks were new; the overall pattern is not. Cyber criminals have a vested interest in finding new ways to penetrate the enterprise, and that is not going to go away anytime soon. What enterprises can do is lower the risk of such events happening. That seems like a simple enough view, but in reality the implementation is complex. Reactive responses to a security breach involve investigations, in collaboration with law enforcement, into the nature of the breach, its source, the type of exploit used, locations, devices, third-party access and so on. But that alone does not address the issue of enterprise risk.
Yes, a comprehensive approach is required. Many pieces of Enterprise Security have to come together and work as a cohesive force to reduce the risk of future attacks. These components include Security Awareness and Training, Access Control, Application Security, Boundary Defense and Incident Response, amongst others. But effective IT Security Management is incomplete without addressing one vital element. As an enterprise, the understanding of 'what we own', 'in what state', 'where' and 'by whom' is often lost between the discussions and practices of penetration testing, discovery and audit.
These four elements, coupled with a fifth, 'management' on a 24x7 basis, typically sit in an area outside IT Security. They sit within IT Service Management (ITSM), in Asset & Configuration Management (ACM). The foundation for effective IT Security begins with strong collaboration and technology integration with the ACM practice. Without a capable ACM presence, IT Security Management is left to answer these questions by itself.
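As an added example (not code from this post), the reconciliation below puts the four questions above into practice: it compares a constructed ACM/CMDB extract against a constructed discovery scan and reports where 'what we own', 'in what state', 'where' and 'by whom' have been lost. The asset ids, hostnames, field names and the `reconcile` function are all assumptions for the illustration.

```python
"""Reconcile a discovery scan against the ACM/CMDB record (constructed data)."""
from dataclasses import dataclass


@dataclass
class ConfigItem:
    asset_id: str   # what we own
    hostname: str
    state: str      # in what state, e.g. "in-service" or "retired"
    location: str   # where
    owner: str      # by whom

REQUIRED_FIELDS = ("state", "location", "owner")

# Constructed CMDB extract: pos-12 has no owner recorded, legacy-db is marked retired.
CMDB = [
    ConfigItem("A-001", "pos-11", "in-service", "store-42", "retail-ops"),
    ConfigItem("A-002", "pos-12", "in-service", "store-42", ""),
    ConfigItem("A-003", "legacy-db", "retired", "dc-east", "dba-team"),
]

# Constructed discovery scan: hostnames that actually answered on the network.
DISCOVERED = {"pos-11", "pos-12", "legacy-db", "vendor-kiosk"}


def reconcile(cmdb, discovered):
    """Return the gap lists an ACM reviewer would hand to IT Security."""
    known = {ci.hostname: ci for ci in cmdb}
    # Found on the network but not on record: nobody can say what it is or who owns it.
    unregistered = sorted(discovered - known.keys())
    # On record but not found: either decommissioned without update, or hidden from discovery.
    missing = sorted(known.keys() - discovered)
    # On record, but one of state/location/owner is blank, so the record cannot answer.
    incomplete = sorted(
        f"{ci.hostname}:{f}" for ci in cmdb for f in REQUIRED_FIELDS if not getattr(ci, f)
    )
    # Recorded as retired yet still answering: a state mismatch, not a missing host.
    state_mismatch = sorted(
        h for h, ci in known.items() if ci.state == "retired" and h in discovered
    )
    return {"unregistered": unregistered, "missing": missing,
            "incomplete": incomplete, "state_mismatch": state_mismatch}


if __name__ == "__main__":
    for gap, hosts in reconcile(CMDB, DISCOVERED).items():
        print(f"{gap}: {hosts}")
```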
So why have enterprises ignored ACM, or allowed a weak ACM practice to persist? Over the last decade there have been several reasons: technological, structural and business related. From a technology standpoint, the available solutions offered partial answers, had long implementation times and were not seen as robust enough. From a structural standpoint, the focus within ITSM was on 'Services', with Incident Management taking the lion's share of the budget and attention. From a business standpoint, multi-sourcing has played a huge role in the compartmentalization of the enterprise. Rightly so: a service provider's focus is on achieving its service levels and watching what it is contracted to do, and no more.
I would also argue that effective ACM is a key pillar of effective IT governance. The ability to know exactly what areas are being governed, and how, from a non-strategic view also depends on a sound ACM practice. Again, in a software-centric world there is no application software without effective Software Configuration Management (SCM) and tools like Git and Subversion. So ignoring ACM undermines the very functionality and availability of the software.
But our focus is on IT Security, so where does one start? Depending on the state of the ACM practice in the enterprise, there may be a need to fund this central function, expand its scope and bring in greater emphasis on tools, technology and people. More in my next blog .....