IT Security today is in a constant state of change. All companies, organisations, governments and even private sector, SME and SMB, are discovering that a traditional security approach with even the most sophisticated technologies is not enough. In the first of this two-part series of articles, titled, “Structured Thinking to Combat Cyber Criminals”, the traditional Cyber Security defence approach was addressed with the ways to build and structure the security layers on top of the IT infrastructure. In this second article, I will explore additional Cyber Security principles that are not based on technology but more on people. I will be developing the human impact from the Risk Management aspect and how people can be the single point of failure inside organisations. I will also touch up on how to protect organisations’ business and values from insider threats. Hence, I will be able to show the additional value that needs to be put in the sales cycle of the Cyber Security business.
Value in the People Awareness:
Lack of awareness is the major weakness when we look at Cyber Security domains to address outside of technology. Around 80% of the attacks from cyber criminals could be prevented by enforcing basic measures such as using secure passwords, using the right tools, downloading timely software updates, ensure corporate policies and procedures are followed correctly, avoid opening phishing emails and other scam tactics. Such education promotes foundational understandings on cyber threats and risk, cyber hygiene, and appropriate response options. Therefore, within all kind of organisations or company sizes, to change employee’s behaviour, ongoing security awareness training is the key. The Cyber Security awareness training is a formal process for educating all employees. This is the major element of the people’s aspect of the Cyber Security principles.
Here are some of the tips that are the basis of all Cyber Security Awareness training:
7 Ways Your Employees Make Your Business Secure to Cyber Attacks
1. Having restricted access to company tools. 2. Creating secure login credentials. 3. Not leaving passwords on stickers. 4. Not opening emails and executing contents from unknown destination. 5. Effective employee training on the company tools. 6. Updating regularly the company software and tools. 7. Using secured mobile devices and connection. These topics are the minimum to address on regular basis for the Cyber education of the company employees.
Value in the Consultancy for Governance, Risk and Compliance (GRC):
GRC is a very generic topic that is usually a concern for a company across all departments. Broadly speaking, GRC comprises a series of concerted efforts across cross-functional teams, aimed at appropriately managing the risk and controls landscape of an organization.
However, for Cyber Security we refer mainly to the Information Security GRC where we focus on activities intended to ensure that the IT organization supports the current and future needs of the business and complies with all IT-related mandates.
Governance seeks to translate the organization’s strategic intents for information security into actionable data points. This is achieved via clear communication methods, documented policies and procedures, and well-defined organizational structures and teams.
Risk management aims at being in constant touch with an organization’s risk profile and proactively identifying methods to address them in due time.
Compliance consists of methods, tools and tactics to demonstrate adherence with legal and regulatory requirements including common and accepted frameworks and standards for information security including the ISO series of standards
As mentioned earlier, a company needs to ensure corporate policies and procedures are followed correctly. But do they exist? Usually, the policies which contain processes are directly derived from a Cyber Security Strategy a company has decided on. There is no standard strategy to apply. It depends on each company’s business. There are some specialties linked to an industrial market segment, but it is never easy to copy/paste a strategy from somewhere else to tick the box.
For instance, if you work in the banking market segment, your Governance is definitely linked to your obligations dictated by the central bank. Your Risk is to lose money or wrongly transact and your compliance is very closely governed by standards and frameworks that are very specific to the financial market or transactional business. Therefore, your Cyber Security strategy needs to be defined in its statement based on these considerations. Similarly, if you are in the retail business, your Risk, for instance, is more linked to price variations and seasonal demand. You can easily see the difference in the Cyber Security Strategies between the two market industries.
Once, your strategy is defined, you need to make sure that policies are written in an operational way and processes are defined and applicable to all departments and employees.
Some of the examples of processes are:
- Password changing.
- ERP and other operational tools accounts creation.
- Privileged Remote Access or Secure Remote Access.
Here is a list of some of the Information Security GRC domains:
- Policies & Controls Library
- Policies Distribution and Response
- Risk Management
- Asset Classification and Handling Access Management
- Change Management
- IT Assets Repository
- IT Controls Measurement and Self-Assessment
- Exception Management and Remediation
- Vulnerability Management
- Compliance Dashboards and Advanced IT Risk Evaluation
Few of the GRC consultancy services linked to these domains are:
- Risk Assessment
- Data Classification
- Health Checks, Gap Assessment and Preparation for Certification in ISO 20000, ISO 27001, ISO 27701 or any other country specific framework.
- Business Continuity and Disaster Recovery.
- Digital Forensic Investigations.
Value in the Managed Security Services:
Often considered as a full package of security monitoring and managing technology, the MSS was never really the all-inclusive of the Cyber Security business. It is more about adding value and assessing what already exists as technology or processes within an organization.
For instance, a company which has already invested and implemented several Cyber Security solutions can add to it an MSS Provider (MSSP). It must save the cost of monitoring the security infrastructure, give a peace of mind and make sure that all alerts are captured and treated properly.
This diagram shows how an MSSP can provide a Security Operation Center (SOC) as a service to ensure controls to the existing investment done for the company’s security. One of the major benefits is the time gaining in alerting any attack or breach.
Some of the services provided by the MSSPs for the SOC as a service are:-
- Compliance Monitoring
- Vulnerability Assessment and Monitoring
- Log Management- Intrusion Event Detection
- Event Analysis and Response based on Threat Intelligence feeds
- SOC Advisory & Reporting
- Incident Response based on predefined set of actions.
The enhanced SOC as a service offering is available in the market. Its main objective is to offer more sophisticated and proactive services against cyber criminals. It is the basic part of the new Advanced Managed Security Services. Commonly known as “Managed Detection and Response” (MDR), it provides Advanced Threat Intelligence, automated Threat Hunting, Incident Deeper Analysis & Forensic and more efficient Incident response. The major difference between the new MDR offering and the traditional MSSP offering is that the MDR goes beyond intrusion and malicious activity “Detection” and also “Responds” quickly to eliminate and mitigate the threat, with proactive hunting activities as described in the previous article.
Some of the additional services offered by the MDR providers are:
- Advanced Threat Hunting- Fraud Monitoring
- Digital Forensics
- Behavioral Analytics
- Auto-Containment (Endpoint or System)
The evolution of the Managed Security Services is expected to be around the inclusion of remote security software and even hardware ownership. Companies will only pay for the SSLA (Security Service Level Agreement) and the provider will take all the responsibility to implement whatever is needed even at the company premises to ensure the agreed level of security services. Isn’t it good to say, “I pay you to protect me, so do whatever is relevant for it!”?Now, this arises the question of responsibility and insurance because companies are expecting to protect their data and privacy. We can start to see very relevant Cyber Insurance Policies in the market. However, they stay limited in terms of availability and coverage. This is an interesting topic that can be developed in a future article.
Value in the Business Cycle:
Equally to the companies that are worried to well combat cyber criminals by addressing the People’s aspect, the channel to deliver the Cyber Security shield to these companies needs to adapt and add value.
The skills and competences are added by the Distributor, the Reseller, the System Integrator and other channel partners of the vendors who are focusing on a technology solution mainly. The value here can be seen across the sales cycle and beyond with clear alignment on People, Process and Technology.
Let’s take this sales cycle and see how this channel can add value of human aspect.
This diagram shows the submerging part of the value-iceberg where services are very important to the companies.
Most of the components of this cycle were addressed in this article but it was probably not highlighted enough how these services are the main source of a sustainable business in the Cyber Security market for all players that are between vendors and users of the solutions. The lack of skilled and certified professionals makes this business very lucrative with a very high profit for these players.
People, Process and Technology are the keywords of all IT and across all the Digital Transformation domains. It is mostly relevant to Cyber Security because of the lack of available know-how in the market and the people being a single point of failure for attackers is making it even more relevant. Ingram Micro Cyber Security offers a suite of solutions across the People, Process and Technology aspects of Information Systems. Visit us at security.ingrammicro.com to know more.
This article touched upon the people value to protect ourselves from cyber criminals. It showed also part of the unseen domains that need to be addressed to complete the Cyber Security of our assets, business and privacy. It appears obvious that many of the stakeholders of this market can do a lot of business and I hope with these ideas they can also provide better and a higher value.
By Marc Kassis, Director, Cyber Security Division, Middle East, Turkey and Africa at Ingram Micro.