
An Enterprise Wide Framework for Digital Cybersecurity..(4/4)

by vamsi_cz5cgo

The first two posts in this series on Cybersecurity focused on the strategic issues around information security and the IT response from the datacenter. The third post discussed the new innovations being ushered in by Big Data techniques and by players in the open source space. This fourth & final post in the series focuses on the business steps that Corporate boards, Executive & IT leadership need to adopt from a governance & strategy standpoint to protect & insulate their businesses from the constant firehose of cyber attacks.

Cybersecurity – A Board level concern – 

Enterprise business is built around data assets, and data is the critical prong of any digital initiative. For instance, Digital Banking platforms & Retail applications are evolving into collections of data based ecosystems. These need to natively support loose federations of partner applications and regulatory applications which are API based & Cloud native. These applications are largely microservice based & need to support mobile clients from the get go. Because they serve massive numbers of users and carry a high business priority, they tend to take a higher priority in the overall security equation.

The world of business is now driven by complex software & information technology. IT is now enterprise destiny. Given all of this complexity across global operating zones, perhaps no other business issue has the potential to result in massive customer drain, revenue losses, reputation risks & lawsuits from affected parties as does a breach in Cybersecurity. A major security breach is a quick game-changer and has the potential to put an organization in defensive mode for years.

Thus, Corporate Boards, which have long been insulated from technology decisions, now want to understand from their officers how they are overseeing and mitigating cyber risk. Putting into place an exemplary program that can govern across a vast & quickly evolving cybersecurity threat landscape is a vital board level responsibility. The other important point to note is that the interconnected nature of these business ecosystems implies the need for external collaboration as well as a dedicated executive to serve as a Cyber czar.

Enter the formal role of the CISO (Chief Information Security Officer)….

The CISO typically heads an independent technology and business function with a dedicated budget & resources. Her or his mandate extends from physical security (equipment lockdown, fob based access control etc.) to setting architectural security standards for business applications as well as reviewing business processes. One of the CISO's main goals is to standardize the internal taxonomy of cyber risk and to provide a framework for quantifying these risks across a global organization.

A new approach to cybersecurity as a business issue is thus highly called for. Enterprises have put in place formal programs for cybersecurity with a designated CISO (Chief Information Security Officer). The CISO has a team reporting to her that ensures detailed threat assessments are created, with dedicated resources embedded both in the lines of business and in central architecture & operations to maintain business continuity in the event of security breach led disruptions.

Cybersecurity – An Enterprise Wide Process – 

With all of that in mind, let us take a look at the components of an enterprise wide cybersecurity program in critical industries like financial services and insurance. I will follow each of the steps with detailed examples from a real world business standpoint. A key theme across the below is to ensure that the cybersecurity program does not itself become burdensome to business operation & innovation. Doing so would defeat the purpose of having such a program.

The program is depicted in the below illustration.

Illustration – Enterprise Cybersecurity Process

The first step is almost always an Assessment process, which itself has two sub components – business threat assessment & information threat assessment. The goal here should be to comprehensively understand the organization's business ecosystem by taking into account every actor, internal or external, that interfaces with the business. For an insurance company, this includes customers, prospects, partner organizations (banks, reinsurance firms) and internal actors (e.g. underwriters, actuaries etc).

For a Bank, this includes fraud & cyber risks around retail customer ACH accounts, customer wires, commercial customer accounts along with the linked entities they do business with, millions of endpoint devices like ATMs & POS terminals, a wide payments ecosystem etc. Understanding the likely business threats across each role & defining appropriate operational metrics across those areas is a key part of this stage. At the same time, the range of information used across the organization, starting with customer data, payment systems data and employee data, should be catalogued and classified by sensitivity (for example Critical, Restricted, Internal Use, Benign). These classifications must be communicated to the lines of business as well as to the IT & development organizations. It is critical for operations & development teams to understand this criticality so that they can incorporate secure & efficient development methodologies into their current IT Architecture & development practices.

The next step in the process is to Plan & Benchmark the current state of security against industry standards to better understand where the internal cyber gaps may lie across the entire range of business systems. This step also takes into account the Digital innovation roadmap in the organization and does not treat areas like Mobility, Cloud Computing, DevOps and Big Data as being distinct from a security theme standpoint. This is key to ensuring that effective controls can be applied in a forward looking manner. For instance, understanding where gaps lie against Sarbanes Oxley, PCI DSS or HIPAA requirements ensures that appropriate steps are taken to bring these different systems up to par from an industry standpoint. Across this process, appropriate risk mitigations need to be understood for systems across the board. This ranges from desktop systems and mobile devices to the systems which hold & process client data.

The third step is the Execution step. This has two subcomponents – the Systems & IT Refresh and the Governance Process.

The Systems & IT Refresh step deals with instituting specific security technologies, IT Architectures, Big Data standards etc into line of business & central IT systems with a view to remediating or improving the gaps observed in the assessment and benchmarking steps. The list of systems is too exhaustive to cover here but at a minimum it includes all the security systems covered in the first blog in this series @ http://www.vamsitalkstech.com/?p=1265

The Execution step will also vary based on the industry vertical you operate in. Let me explain this with an example.

In Banking, in addition to general network level security, I would categorize business level security into four specific buckets – general fraud, credit card fraud, AML compliance and cyber security.

  • Firstly, the current best practice in the banking industry is to encourage a certain amount of convergence in the back end data infrastructure across all of the fraud types – literally in the tens. Forward looking institutions are building cybersecurity data lakes to aggregate & consolidate all digital banking information, wire data, payment data, credit card swipes and other telemetry data (ATM & POS) in one place to do security analytics. This approach can pay off in a big way.
  • Across all of these different fraud types, the common thread is that the fraud is increasingly digital (or internet based) and the fraudster rings are becoming more sophisticated every day. To detect these faint patterns, an analytic approach beyond the existing rules based approach is key: for instance, location based patterns in terms of where transactions took place, Social Graph based patterns, and patterns which commingle realtime & historical data to derive insights.
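To make the "beyond rules" analytics concrete, here is an added example that is not code from the original post or from any bank. It scores a stream of "realtime" transactions against state built from historical data: an impossible-travel check (location pattern), an amount check against each account's historical mean (historical plus realtime data), and a device-sharing check that is a minimal form of the social graph pattern. The account IDs, coordinates, amounts, device IDs and thresholds are all constructed assumptions.

```python
"""Constructed example: a small security-analytics pass over a transaction
feed combining historical baselines, geo/velocity patterns and a simple
device-sharing graph. Added illustration, not code from the original post."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample data (accounts, locations, devices and amounts are made up).
HISTORY = [  # settled transactions used to build per-account baselines
    {"id": "h1", "acct": "A100", "ts": "2024-03-01T09:00:00", "lat": 40.71, "lon": -74.01, "amt": 40.0, "dev": "d-a"},
    {"id": "h2", "acct": "A100", "ts": "2024-03-02T12:30:00", "lat": 40.73, "lon": -73.99, "amt": 55.0, "dev": "d-a"},
    {"id": "h3", "acct": "A100", "ts": "2024-03-03T18:10:00", "lat": 40.70, "lon": -74.00, "amt": 60.0, "dev": "d-a"},
    {"id": "h4", "acct": "B200", "ts": "2024-03-01T10:00:00", "lat": 51.51, "lon": -0.13, "amt": 120.0, "dev": "d-b"},
    {"id": "h5", "acct": "B200", "ts": "2024-03-02T10:00:00", "lat": 51.50, "lon": -0.12, "amt": 100.0, "dev": "d-b"},
    {"id": "h6", "acct": "C300", "ts": "2024-03-01T10:00:00", "lat": 48.86, "lon": 2.35, "amt": 30.0, "dev": "d-c"},
]
LIVE = [  # the "realtime" events to score, in arrival order
    {"id": "t1", "acct": "A100", "ts": "2024-03-04T09:00:00", "lat": 40.72, "lon": -74.00, "amt": 50.0, "dev": "d-a"},
    # same account in London 90 minutes later: impossible travel
    {"id": "t2", "acct": "A100", "ts": "2024-03-04T10:30:00", "lat": 51.51, "lon": -0.13, "amt": 45.0, "dev": "d-x"},
    # B200: amount far above its baseline, from a device also used by other accounts
    {"id": "t3", "acct": "B200", "ts": "2024-03-04T11:00:00", "lat": 51.50, "lon": -0.12, "amt": 2400.0, "dev": "d-x"},
    # C300: normal amount and location, but the third distinct account on device d-x
    {"id": "t4", "acct": "C300", "ts": "2024-03-04T11:05:00", "lat": 48.86, "lon": 2.35, "amt": 35.0, "dev": "d-x"},
]

MAX_PLAUSIBLE_KMH = 900.0    # assumed: faster than this between two transactions is flagged
AMOUNT_MULTIPLIER = 5.0      # assumed: amount > 5x the account's historical mean is flagged
SHARED_DEVICE_ACCOUNTS = 3   # assumed: a device seen on >= 3 accounts is a ring indicator

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def build_state(history):
    """Per-account mean amount, last seen transaction, and device -> accounts graph."""
    sums, counts, last, devices = defaultdict(float), defaultdict(int), {}, defaultdict(set)
    for tx in sorted(history, key=lambda t: t["ts"]):
        sums[tx["acct"]] += tx["amt"]
        counts[tx["acct"]] += 1
        last[tx["acct"]] = tx
        devices[tx["dev"]].add(tx["acct"])
    baseline = {a: sums[a] / counts[a] for a in counts}
    return baseline, last, devices

def score(tx, baseline, last, devices):
    """Return the reasons this transaction is suspicious (empty list = clean)."""
    reasons = []
    prev = last.get(tx["acct"])
    if prev is not None:  # location pattern: distance vs. elapsed time since last seen
        hours = (datetime.fromisoformat(tx["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
        km = haversine_km(prev["lat"], prev["lon"], tx["lat"], tx["lon"])
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            reasons.append(f"impossible_travel:{km:.0f}km_in_{hours:.1f}h")
    mean = baseline.get(tx["acct"])  # historical baseline applied to the realtime event
    if mean is not None and tx["amt"] > AMOUNT_MULTIPLIER * mean:
        reasons.append(f"amount_anomaly:{tx['amt']:.0f}_vs_mean_{mean:.0f}")
    devices[tx["dev"]].add(tx["acct"])  # graph pattern: accounts linked through a device
    if len(devices[tx["dev"]]) >= SHARED_DEVICE_ACCOUNTS:
        reasons.append(f"shared_device:{tx['dev']}_on_{len(devices[tx['dev']])}_accounts")
    last[tx["acct"]] = tx  # the realtime event becomes the new "last seen" state
    return reasons

def analyze(history, live):
    """Score each live transaction in arrival order; returns {txn id: [reasons]}."""
    baseline, last, devices = build_state(history)
    return {tx["id"]: score(tx, baseline, last, devices) for tx in live}

if __name__ == "__main__":
    for tx_id, reasons in analyze(HISTORY, LIVE).items():
        print(tx_id, "ALERT " + ", ".join(reasons) if reasons else "ok")
```

Each of the three checks would be weak on its own; the point is that t4 looks entirely normal to a per-transaction rule and is only caught because the device graph links it to the two earlier alerts, which is exactly the cross-fraud-type correlation a consolidated data lake makes possible.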


Finally, the Governance process.

Over a certain period of time, it is a given that every organization will be breached. The executive team has to set in place a governance strategy that recognizes the overall limitations of a defensive posture and seeks to move the organization to an active defense approach. The goals of this process are to advise the board in depth not only on how to manage cyber risk from a business mitigation perspective but also to set up a steering committee to manage customer, legal & media outreach. The executive team itself needs to be trained in cybersecurity issues, and this should be led by the CISO.

Attention has to be paid to ensuring that the CISO's team is staffed not only with risk, compliance & fraud detection personnel but also with people who have expertise and contacts in the specific lines of business the organization operates across. To that end, the CISO's team has to be funded at the highest levels of the organization. Investment in human activities like training classes, certifications & regular cybersecurity drills will also ensure a high level of preparedness across the organization. Explicit incident response plans need to be created across the different business areas.

Based on each specific vulnerability & its concomitant business risk, the CISO will need to decide whether the risk can be shared across multiple external actors – vendors, suppliers & other partners. If not, it would make a lot of sense to look at cyber risk insurance, an emerging business area, for those specific situations. More on Cyber risk in a followup post. To reiterate one of the points I made above, a strong cybersecurity process does not inhibit business agility.

What are the questions business execs and boards should ask of their IT:

A few key questions that business management should ask of themselves and of their IT organization from a cybersecurity standpoint:
  • How are we doing on Cybersecurity from a competitive & business level standpoint? Further, are we answering this question using a metric driven approach that assigns scores to the program in various categories, for instance number of breaches, malware incidents, and the pace & effectiveness of response? Are these goals S.M.A.R.T.?
  • Are all systems under regulation protected using appropriate controls?
  • Are we able to hire the best and brightest security personnel and engage them within lines of business?
  • Are we investing in the best IT solutions that leverage Big Data & Cloud Computing that have been proven to be more secure than older fragmented architectures? Can my IT leadership vocalize our roadmap goals across these areas?
  • Are my line of business leaders engaged in cybersecurity from the perspective of their business areas?
  • Is our business ecosystem protected? What are my partners doing to protect sensitive consumer & business data?
  • Are we constantly sharing appropriate threat intelligence with industry consortia & the authorities, i.e. law enforcement and federal government agencies?

Conclusion:

My goal in this post is to bring forth the high level dimensions of a cybersecurity plan at the board level while not being over prescriptive in terms of specific industry & business actions. Based on my years of working in sensitive industries like Financial Services & Insurance, Healthcare and Telco, I can confidently say that if the broad contours of the above strategy are adopted, you are on your way to becoming an organization with a strong foundation for Cybersecurity management. In this Digital Age, that can be a huge competitive differentiator.
