5 implementation principles for a global information security strategy

Many large corporations with significant dependency on intellectual property and personally identifiable information are struggling with protecting their data. Improvements in attacker proficiency, increasing numbers of analytics systems storing sensitive data, and continually evolving risks with cloud computing, mobility and outsourcing make defense capabilities difficult to build and maintain. Information security leaders must apply both their expertise and influence wisely: identifying and targeting the high priority areas with maximum business impact, and invoking the necessary implementation resources and tools.

[10 security tips for customer support and service]

Based on in-depth experience with global information security strategies, below are five critical success factors CISOs should explore and apply specific to their own enterprise.

1. Transparency

One of the most critical tools to gain approval, secure funding and implement an information security strategy is effective stakeholder management. Information security risks and issues are getting Board of Directors level scrutiny. Positive relationships are based on trust and trust is vital to gaining the support and sponsorship necessary from senior management. The most fundamental element in building this trust is transparency.

Where does this apply?

• Build and maintain the board’s confidence, as well as that of the numerous stakeholder groups whose support is critical to successful implementation, by being transparent about the levels of risk and gaps with existing controls.
• Invest change management energy on the expectations and impact to the end user community. Keep users informed as new solutions and controls are rolled out, focusing on the “why” rather than the “what.” Avoid rolling out tools in stealth mode. Security tools installed on the end user’s device will almost always have a performance impact, hopefully as minimal as possible. Awareness by end users will cultivate confidence and support.

2. Establish the What and Who

Building upon the trust and relationships described above, establish a stakeholder group of business leaders who own critical business processes and therefore own the data that drives them.

Where does this apply?

• Work with this group to agree a priority list of highly confidential and sensitive information — the “what.” Consider this the inventory of where protection and controls should be focused.
• Negotiate ownership of these information categories — the “who.” Agree a primary and backup owner within the business for each category in the inventory. These owners will eventually attest who should have access to their data.
• This dialogue will also establish a natural side effect: an inherent awareness by key business leaders regarding the challenges and complexities of information protection.

3. Involve HR and Legal every step of the way

There are legislative and compliance implications that need to be addressed to implement the monitoring and analysis capabilities required to detect advanced threats. It is therefore vital to involve HR and Legal — as early and as often as possible — to assess, understand and address these challenges. Advanced attackers use email — recognized as the primary source (approximately 60%) of infiltration — as a common way to take advantage of people’s current behavior and methods of communication. Therefore scanning this environment is required to effectively address advanced threats. However, in several countries there are privacy and legal implications of scanning traffic that could contain personally identifiable information (PII).

Where does this apply?

• Make Legal and HR stakeholders accountable to facilitate works council approval and ensure best efforts toward regulatory compliance.
• Plan for updates to information security policy and/or acceptable use of IT guidelines. Many organizations explicitly state within internal control documents that email, web browsing and other IT services can be leveraged for occasional personal use. This may make personal privacy regulations applicable and therefore a potential challenge to implementation.
• Employee Notice and user consent forms/prompts may need to be updated, to ensure users are given proper notice of potential new monitoring solutions.
• External partnerships will likely be necessary to combat advanced threats. These partners may be tasked with scanning and analyzing network and e-mail usage data, and subject to appropriate terms and conditions within the partnership contract.

[7 reasons for security awareness failure]

4. Coverage before Capability

Finding indicators of compromise is an extensive logging, monitoring and data analytics challenge. Activity of people, devices and systems across the entire, global network must be captured, which for large international enterprises could number in the billions of entries per day. This data must be mined to establish normal control limits, upon which an extensive, iterative process of correlation and analytics can alert on potential signals of a breach. Most large enterprises carry a legacy of existing security controls which were purchased and implemented during better economic times. Products were chosen and deployed based on their deep, targeted, specific capabilities. However, coverage and widespread visibility were sacrificed in order to leverage these advanced capabilities.

Where does this apply?

• Configure key controls such as Data Loss Prevention (DLP), both on end-points and on the network, for scanning and monitoring only in the early phases of implementation. Apply specific rules later after some initial cycles of discovery and learning.
• Deploy advanced malware detection tools (e.g., FireEye, SecuLert, Damballa) with basic settings initially. Disk space is cheap — so gather as much data as possible, watch and learn, tune and refine iteratively.

Any successful information security strategy will require an element of technology; however, much of it will be based on process development and perhaps most importantly people capability development. Most organizations’ current processes are not sufficient for the volume and types of incidents indicative of today’s more advanced attacks. Furthermore, new skills will be needed for information security staff to effectively integrate data, context and intelligence into actionable incident handling and response.

Where does this apply?

• Organizations should update their procedures, interfaces and approval mechanisms for alerting, triage, incident handling, escalation, investigations and forensics. Negotiate more autonomy for initial investigative and enforcement teams, within appropriate HR and Legal limits.
• Engage with external experts, with verified customer references, to transfer their knowledge to internal monitoring and response teams. Perhaps employ them as temporary team leads.
• Carefully assess and define the breakdown between internal and external staff. Move commodity security controls to external service providers, focusing internal resources on advanced threats.
• Partner with HR to develop an information security resourcing strategy, focusing on the unique challenges of recruiting and retaining the necessary skills.

Approval and sponsorship for an information security strategy is only the beginning. Implementation of the strategy is how risk is truly mitigated. The principles highlighted here, if applied prudently, are critical to an organization’s successful delivery of these strategies, and will help CISOs better address more advanced threats and risks to its information resources.

Michael A. Towers is an Information Technology executive with over 19 years’ experience in multi-national pharmaceutical and consumer healthcare environments. His current focus is global information security leadership, specializing in the areas of critical intellectual property protection and personal data privacy.