In order to fix something, you need to admit that it’s broken. So, in order to “fix” information security we need to first recognize that, as an industry, it is broken.
A 2017 report from Risk Based Security found that the number of exposed records has increased by 305%, and that five of the ten largest data breaches ever recorded occurred in the past year.
Every large-scale information security incident or cybersecurity breach causes substantial damage, whether to personal information, in ransom payments, or to company data. The more security breaches that occur, the more damage is done, and the more demoralized the industry becomes.
To add insult to injury, it feels like there has been more head-shaking than proactive effort to curb our outstanding security issues, including on the part of information security and cybersecurity companies.
Despite everything, not all hope is lost. There is light at the end of the tunnel, according to FRSecure CEO Evan Francen. However, in order to find that light, businesses need to totally recalibrate their approach to information security.
The process of “fixing” information security entails a holistic policy that recognizes information security and cybersecurity as core business functions. This article breaks that policy down into the core components of information security and outlines, step by step, how to build an effective policy from the ground up.
Treat Information Security as a Core Business Function
Perhaps the only positive takeaway to come from recent large-scale cybersecurity incidents is the awareness they have brought about. This newfound awareness has helped businesses to realize the severity of the current information security crisis.
“I think all the coverage is positive. I’m not concerned about this particular boogeyman distracting from these other 18 potential boogeymen,” Evan Francen said in a recent Clutch cybersecurity survey report.
The first step toward improving how businesses approach information security is to understand it as a critical part of the company’s function, rather than as a process that exists under the umbrella of IT services.
When businesses suffer data breaches or cyber-attacks, the damage is not confined to IT; it affects the entire company. Most businesses already have processes in place to manage crises or mistakes in other business functions that impact the whole business. Information security and cybersecurity deserve and require the same treatment.
Viewing and understanding information security as a core business function allows businesses to approach policy collaboratively. As a result, information security and cybersecurity incidents are no longer judged against a constrained IT budget but against their impact on overall business operations. Under this framework, a business is far more likely to pull resources from across the company to address an issue.
Establish a Universal Definition of Information Security
The launch point for “fixing” information security is to establish a common understanding of its core components. Francen offers a universal definition that he believes runs the gamut of its major operational aspects.
Information security is the application of administrative, physical, and technical controls to protect the confidentiality, integrity, and availability of information.
An agreed-upon definition lets everyone speak the same language when addressing information security issues and maintenance, and it provides the groundwork from which a business can rebuild or recalibrate its information security policy. Once everyone is on the same page with respect to information security, productive discussion and policy formulation can occur.
This definition names the three basic kinds of information security controls: administrative, physical, and technical. Each represents a specific layer that information security policy should cover: personnel (administrative), the actual data storage and operating facilities (physical), and the technology that the former two exist to manage (technical).
Identify Security Gaps Using a Risk Assessment
Staying with the build-from-the-ground-up metaphor, the “ground floor” of effective policy is a risk assessment of the three control types, used to identify gaps in policy and security operations. Without understanding the state of each control, and the potential vulnerabilities in its information infrastructure, a business has no chance of properly securing or defending itself.
After accounting for and documenting its major controls and security vulnerabilities, a business needs to codify its updated security controls in an information security policy. While an updated policy does not by itself ensure compliance, it establishes a precedent and a reference for how to properly approach information security.
Include Incident Response Plans in Your Policies
Information security and cybersecurity threats are highly complex, automated, and malicious. No amount of awareness, enforcement of policies, or hiring cybersecurity companies or security providers will stop data breaches from occurring.
Given this reality, businesses must include a response plan in their policies. Francen identifies response to a breach as one of the three basic pillars of security policy, along with prevention and detection. In the case of a cyber-attack, preparation and response can make a significant difference in the impact of the attack on a business.
For example, the Equifax breach was incredibly damaging because of the number of people who had their personal information compromised. However, what transformed the breach into such a firestorm was the lackluster response: the company failed to report the breach immediately upon discovery, then failed to disclose that its executives had sold their stock after the breach was discovered, and then botched its attempt to provide help to those affected by the hack.
Businesses should embrace the reality of an imminent information security breach and formulate a plan and protocols for how to respond. The stronger the incident response plan, the less significant the damage will be.
Information Security is a Battle Worth Fighting
The current state of information security is broken. Businesses consistently fail to produce and maintain info security and cybersecurity policies that measure up to the security threats at hand.
There is, however, light at the end of the tunnel. As Evan Francen states, “If I didn’t think that we could win this battle, I wouldn’t be fighting it.”
The recent attention brought to cybersecurity and information security by large-scale attacks has kicked businesses into gear to recalibrate their information security approach.
To properly address information security and cybersecurity, businesses need to understand them as core business functions. They also need to recalibrate their information security using a ground-up approach: first establishing a universal understanding of information security, then conducting a risk assessment to learn where their vulnerabilities are, and finally including incident response plans in their policies.
If you want to stay up to date on what’s going on in the world of information/data security, check out FRSecure on Twitter or LinkedIn. Don’t forget to visit Clutch.co for ratings and reviews of leading IT, marketing, and business services companies.