Essential considerations when making changes to security
Experts weigh in on important factors to consider when adjusting security policies and practices
By Steve Ragan , Staff Writer
October 17, 2013 — CSO — When it comes to security policies and practices, there are rules (both written and unwritten) that need to be adhered to. An organization simply cannot implement changes to security on the fly as it could lead to disaster. Yet, there are times when changes are necessary, or mandated due to an incident response plan. In that instance, what should business leaders be focusing on?
CSO recently posed a hypothetical question to a few sources. When it comes to adjusting or adapting a security policy — that is, changing what's already in place due to any previously unforeseen event such as a security breach, downsizing, employee termination, etc.—what are some key considerations that business leaders need to focus on or keep in mind?
"Start with first principles. Understanding what matters to an organization (PII? PCI? Intellectual Property?) is the jumping off point for a robust and modern set of security controls, and absent focus, organizations tend to react to incidents rather than organize a coherent set of investments and behavioral changes that will yield measurable results," explained Kevin O'Brien, enterprise solution architect, at CloudLock.
After that, he added, "Know where you want to be as a result of your change, and ensure that you can apply metrics to it... Security is often at the junction of what end users are interacting with, and how; it makes sense to control for data walking out the door via print-outs if and only if your users are physically accessing files in an office with a printer, for example."
Otherwise, modern environments tend to be highly distributed, and platform solutions (Salesforce, Office 365, Google Apps, etc.) define both the types of data that matters to ordinary users and the mechanisms through which they can access and externalize them.
"A robust security plan will address those environments specifically, and provide a means of measuring incidents and responding to them in real time," O'Brien said. But don't confuse auditing with control.
"Insight is not security on its own. Security policy should not only lay out what may or may not be exposed, but also how a breach or loss will be addressed, both in the short term to limit the damage done, and over the longer term to mitigate the exposure vector and reoccurrence risk."
Given the same hypothetical question, Michael Daly, the CTO of Cybersecurity and Special Missions for Raytheon, told CSO that business leaders should capture metrics on the current environment in order to understand compliance to the current policy. From there, the organization would need to project the state of compliance with the draft policy. While this happens, the organization should "avoid creating any policy for which you cannot measure your compliance."