Managing Security Resources: It’s All About People and Awareness (Part II)

Monday, December 07, 2015

Steve Durbin


In Part I, I discussed how organizations worldwide continue to struggle to attract and retain skilled information and cybersecurity professionals. Overcoming this challenge requires a more imaginative, business and people-centric approach to the recruitment of security professionals. However, once you have the right people in place, it is imperative to retain them and use their skills to embed positive-information security behaviors throughout the organization.

Now, let’s take a look at the different ways businesses of all sizes can evaluate their organizational risks. As information risks and cyber security threats increase, organizations need to move away from reacting to incidents and toward predicting and preventing them. Developing a robust mechanism to assess and treat information risk throughout the organization is a business essential. 

Information Risk Assessment Methodology

At the Information Security Forum, we recently introduced our Information Risk Assessment Methodology version 2 (IRAM2). IRAM2 has many similarities to other popular risk assessment methodologies. However, whereas many other methodologies end at risk evaluation, IRAM2 covers a broader scope of the overall risk management lifecycle by providing pragmatic guidance on risk treatment. Threats, threat events, vulnerabilities and potential impacts are not necessarily static. This results in the need for the practitioner and key stakeholders to review risks on a regular basis, as well as when any contributing factor in the organization or environment significantly changes.

As information risks and cyber security threats increase, organizations need to move away from reacting to incidents and toward predicting and preventing them. Developing a robust mechanism to assess and treat information risk throughout the organization is a business essential. IRAM2 provides businesses of all sizes with a simple and practical, yet rigorous risk assessment methodology that helps businesses identify, analyze and treat information risk throughout the organization.

The Cloud Assessment Process

Putting private information into the cloud certainly creates some risk and must be understood and managed properly. Organizations may have little or no visibility over the movement of their information, as cloud services can be provided by multiple suppliers moving information between data centers scattered around the world. If the data being moved is subject to privacy regulations, and data centers are in different jurisdictions, this can trigger additional regulations or result in a potential compliance breach.

The decision to use cloud systems should be accompanied by an information risk assessment that’s been conducted specifically to deal with the complexities of both cloud systems and privacy regulations; it should also be supported by a procurement process that helps compel necessary safeguards. Otherwise, the tireless pressure to adopt cloud services will increase the risk that an organization will fail to comply with privacy legislation.

The ISF cloud assessment process has an objective to determine if a proposed cloud solution is suitable for business critical information. When assessing risk, here are a few questions that you should ask of your business:

  1. Is the information business critical?
  2. Where is it?
  3. What is the potential impact?
  4. How will it be used?
  5. How does it need to be protected?
  6. What sort of cloud will be used?
  7. How will the cloud provider look after it?
  8. How will regulatory requirements be satisfied?

Managing information risk is critical for all organizations to deliver their strategies, initiatives and goals. Consequently, information risk management is relevant only if it enables the organization to achieve these objectives, ensuring it is well positioned to succeed and is resilient to unexpected events. As a result, an organization’s risk management activities – whether coordinated as an enterprise-wide program or at functional levels – must include assessment of risks to information that could compromise success.

Finally, cloud contracts need to be reviewed by legal and purchasing. Until now, involving security in this discussion was just an afterthought. But nowadays, security is being brought into the discussion earlier, and more often, than ever before. This stands to reason as security brings a different point of view than you might see from either the legal or purchasing department, and with information security being top-of-mind, their perspective can often be enlightening.

The Future of Security Awareness

Traditionally, organizations have run security awareness initiatives, either standalone or alongside other work, to address unintentional or accidental outcomes. Their expectations were that imparting knowledge would motivate people to take information security seriously and act accordingly, thereby:

  • Preventing incidents due to human error
  • Detecting such incidents earlier
  • Providing a greater resistance to threats turning into incidents
  • Delaying the impact of an incident to allow the organization time to respond
  • Reducing the overall impact of incidents

However, this reliance on awareness initiatives – and the vast sums that have been spent on them over recent decades – seems to have been misplaced. Let’s take a look at a few of the fundamental reasons why security awareness activities are failing:

  1. Solutions are not aligned to business risks
  2. Neither progress nor value are measured
  3. Incorrect assumptions are made about people and their motivations
  4. Unrealistic expectations are set
  5. The correct skills are not deployed
  6. Awareness is just background noise

Let me just say one thing: awareness is not training. It is primarily a set of communications about the need to focus attention on information security. Training is more formal, having a goal of building knowledge and skills to facilitate improved performance. To become habitual, behaviors have to be instilled and repeated. In short, it is unreasonable to expect traditional awareness techniques to lead to lasting behavioral change. Behaviors do not change and become embedded overnight. It can take years to reach everyone and will need constant reinforcement as people join or change roles, and as risks evolve.

Opportunity Has Never Been Greater

Organizations need to shift from promoting awareness of the problem to creating solutions and embedding information security behaviors that affect risk positively. The risks are real because people remain a ‘wild card’. Many organizations recognize people as their biggest asset, yet many still fail to recognize the need to secure ‘the human element’ of information security. In essence, people should be an organization’s strongest control.

Instead of simply making people aware of their information security responsibilities and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in “stop and think” behavior becoming a habit and part of an organization’s information security culture. While many organizations have compliance activities which fall under the general heading of ‘security awareness’, the real commercial driver should be risk, and how new behaviors can reduce that risk.

Prepare, Engage and Take Action

Organizations of all sizes will continue to accelerate their relentless pursuit of competitive advantages from technological innovations. However, they should also prepare and take action against the emerging security threats that may come into play as a result. As dangers accelerate, disciplined and widespread commitment will be needed to ensure that practical plans are in place to deal with major changes the future could bring. Employees at every level of the organization will need to be involved, including board members and managers in non-technical roles.

Today, the stakes are higher than ever before, and we’re not just talking about personal information and identity theft anymore. High level corporate secrets and critical infrastructure are constantly under attack and organizations need to be fully aware of the each of the important trends that have emerged or shifted, as well as those listed above that they should prepare for in the years to come.

Possibly Related Articles:
Cloud Security General HIPAA PCI DSS General Infosec Island Firewalls IDS/IDP Network Access Control Network->General SCADA Operating Systems SPAM Viruses & Malware Budgets Enterprise Security Policy Security Awareness Security Training General Impersonation Phishing Phreaking Breaches CVE DB Vulns US-CERT General PDAs/Smart Phones
Careers cybersecurity
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.