Ten Information/Cyber Security Principles for Companies

Most companies are still paying far too little attention to information security. Yet corporate security challenges are mounting, not only because of the number, weight and sophistication of bad actors, but also because of the digitalization of the economy and the current (positive) digital transformation efforts of many companies. The explosion of the consumerization of technology and the growth of the internet of things (IoT) have resulted in a proliferation of connected devices that, together with social media and e-commerce transaction volumes created anywhere, anytime, have radically increased the amount of data at risk daily and the points of vulnerability. The threats come from all directions, from denial of service attacks by hacktivists, to targeted ransomware attacks for financial gain, to government-sponsored advanced persistent threats seeking to steal intellectual property.


In recent years, I have been fortunate to observe and interact with the professionals driving the efforts of many large companies as they wrestle with the challenges of cyber/information security today. Here are ten principles that should guide management in helping these talented professionals address the trials of defending their physical, software, data and people assets and protecting their organizations from harm.

Establish the Guidelines and Engage All

In today’s environment, the first necessity is to accept that it’s not “if”, but “when”, you will be compromised – gone are the days when being completely secure was possible and a good perimeter was sufficient to avoid a breach. Attacks have simply become too sophisticated, forceful and numerous to keep all intruders out. That does not mean perimeters and end-point security are no longer important, or that diligent “hygiene” such as patching is not critical. It just means that even though your company may do these well, there is more to good information security than this. You should insist that whenever possible, security is built in, not “bolted on” ex post facto. This is as true of a business process as it is of a piece of software or hardware.


This leads to the second principle, namely that it is vital for the whole enterprise to embrace “identify, protect, detect, respond, recover”. You must know what assets you have (hardware, software, pieces of data or information, and people), and how important they are to your company. You must endeavor to protect them, deterring attack as best as possible (thus the necessity for a good perimeter). But you must also be prepared to detect an attack or intrusion, respond to it, and ultimately recover from it. In military terms, create defense in depth. To accomplish this successfully, your company has to adopt a combat mentality, supporting robust intelligence, monitoring and response capabilities. Most organizations should have a security operations center (SOC) that knows what “normal” looks like, an organized incident response team, and regular exercise scenarios that engage senior management. The scenarios you practice handling will undoubtedly not be exactly what occurs, but having exercised your “response muscles” will be invaluable.
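A SOC that “knows what normal looks like” has, in practice, a baseline built from its own telemetry and a set of rules that fire on deviations from it. The following is an added illustration of that idea, not code from the original article or from any particular SOC tool: it learns a per-user baseline (which source addresses a user normally signs in from, and how many failed logins per day is ordinary for them) from a training window of authentication events, then reviews a later window against it. The log format (`timestamp user source_ip result`), every log line, and the three detection rules are constructed for the example; a real deployment would draw the baseline from its own identity-provider or VPN logs and tune the thresholds to its own traffic.

```python
"""Toy SOC baseline: learn 'normal' from a training window of authentication
events, then flag deviations in a later window.

Added example; all log lines below are constructed, not real telemetry.
"""
import math
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed training window: four quiet days for two known users.
TRAINING_LOG = """\
2024-03-01T08:02:11 alice 10.0.0.5 success
2024-03-01T08:02:40 alice 10.0.0.5 failure
2024-03-01T09:10:03 bob 10.0.0.9 success
2024-03-02T08:05:17 alice 10.0.0.5 success
2024-03-02T09:12:44 bob 10.0.0.9 success
2024-03-03T08:01:55 alice 10.0.0.5 failure
2024-03-03T08:02:20 alice 10.0.0.5 success
2024-03-03T09:09:31 bob 10.0.0.9 success
2024-03-04T08:03:02 alice 10.0.0.5 success
2024-03-04T09:11:18 bob 10.0.0.9 success
"""

# Constructed review window: a failure burst, a new source address, and an
# account the baseline has never seen.
REVIEW_LOG = """\
2024-03-05T03:14:01 alice 10.0.0.5 failure
2024-03-05T03:14:02 alice 10.0.0.5 failure
2024-03-05T03:14:03 alice 10.0.0.5 failure
2024-03-05T03:14:04 alice 10.0.0.5 failure
2024-03-05T03:14:05 alice 10.0.0.5 failure
2024-03-05T03:14:09 alice 10.0.0.5 success
2024-03-05T09:08:12 bob 203.0.113.7 success
2024-03-05T10:00:00 carol 10.0.0.12 success
"""


@dataclass(frozen=True)
class AuthEvent:
    day: str       # YYYY-MM-DD, taken from the timestamp
    user: str
    src_ip: str
    success: bool


def parse_log(text):
    """Parse the constructed 'timestamp user source_ip result' format."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split()
        events.append(AuthEvent(ts[:10], user, ip, result == "success"))
    return events


def build_baseline(events, min_threshold=3):
    """Per user: the set of source IPs seen, and a daily-failure threshold of
    mean + 3 standard deviations over the training days (days with no events
    count as zero failures), never lower than min_threshold."""
    ips = defaultdict(set)
    failures = defaultdict(lambda: defaultdict(int))   # user -> day -> count
    days = set()
    for e in events:
        days.add(e.day)
        ips[e.user].add(e.src_ip)
        if not e.success:
            failures[e.user][e.day] += 1
    baseline = {}
    for user, user_ips in ips.items():
        daily = [failures[user].get(d, 0) for d in sorted(days)]
        threshold = max(min_threshold, mean(daily) + 3 * pstdev(daily))
        baseline[user] = {"ips": user_ips, "fail_threshold": threshold}
    return baseline


def detect(events, baseline):
    """Return (rule, user, detail) tuples; each rule fires once per subject."""
    alerts, fired = [], set()
    daily_fails = defaultdict(int)
    for e in events:
        profile = baseline.get(e.user)
        if profile is None:
            if ("unknown_user", e.user) not in fired:
                alerts.append(("unknown_user", e.user, e.day))
                fired.add(("unknown_user", e.user))
            continue
        if e.src_ip not in profile["ips"] and ("new_source", e.user, e.src_ip) not in fired:
            alerts.append(("new_source", e.user, e.src_ip))
            fired.add(("new_source", e.user, e.src_ip))
        if not e.success:
            daily_fails[(e.user, e.day)] += 1
            # Fire exactly once, on the first count strictly above the threshold.
            if daily_fails[(e.user, e.day)] == math.floor(profile["fail_threshold"]) + 1:
                alerts.append(("failure_burst", e.user, e.day))
    return alerts


def run_example():
    """Build the baseline from the training window and review the later one."""
    baseline = build_baseline(parse_log(TRAINING_LOG))
    return detect(parse_log(REVIEW_LOG), baseline)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The point of the baseline is not the arithmetic but the separation of concerns the paragraph describes: the training window defines “normal” for each account, and the review only has to ask how far an event departs from it. The same structure scales from a handful of users to an identity provider’s full log stream, with the thresholds and the notion of “source” (IP, ASN, country, device) chosen to fit the business.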


To enable this, the whole company must take a unified and coordinated approach that recognizes that we live in a world of digital and physical convergence, and therefore cyber and information security should be connected to physical security – they should be mutually supporting endeavors. This coordination needs to extend to the company’s value chain, including robust checks on vendor security. Additionally, everyone must understand that human behavior is the key ingredient to a successful information security effort – awareness, vigilance, training and ongoing dialogue are vital. Each employee must be committed to safeguarding information, but it’s unfortunately also important to monitor for and protect against insider threats.

Supporting the Chief Information Security Officer (CISO)

Part of getting the awareness and engagement of all to the above principles is supporting the person in charge of information security. This is signaled to the rest of the company in many ways, but also needs to be signaled to the head of information security. It’s important to recognize that compliance ≠ security; frameworks like NIST and ISO 27001 are helpful and a good starting point, as are some industry regulations, but merely being compliant does not accomplish security – indeed compliance can be a distraction if you are not careful. A corollary to this is that it’s necessary to support and push the CISO to assess and measure the things that actually matter, not just some statistics that can be easily improved. It is good practice to also get a look from outside your company periodically – and to be hyperaware of changes in your business that impact your security. The bad actors collaborate frequently – you should encourage your head of information security to do the same. He or she should make a concerted effort to collaborate, share, and keep learning – with your value chain and industry groups (e.g. Information Sharing and Analysis Centers, ISACs), but also with cross-industry groups, law enforcement and national/multinational Computer Emergency Response Teams (CERTs), to name a few.

Leading Like You Mean It

You cannot expect your enterprise people to engage fully unless you set the example from the top. Engaged and visible commitment from senior leadership is vital given the stakes in this digital world. You must personally believe that information security is not “an IT thing” – because if you treat it like a merely technical problem, so will everyone else. But above all, you must strike the right balance for your business. Information security is no different than the rest of your business – it is about managing risk and reward. You cannot strangle your own business with security rules, or there will be no business, but neither can you disregard them. Tie the security efforts to overall risk management, to wherever other risk/reward tradeoffs are evaluated for the business.


While these efforts alone will not guarantee your security, they are critical to getting you in the right space as an organization. Yes, there are certainly technical aspects to this effort, but without the right approach, the right leadership and the right cultural foundation, technical perfection alone is not, and will not be, sufficient.