I’ve been married to an industrial engineer for a long time now. In the early years of our marriage when she was going after her PE (Professional Engineer) designation, she liked to practice time and motion studies on me and our home. Initially, it was kind of fun (in a quirky sort of way). Then she started graphing out the time and steps I took to do things like wash dishes, collect the trash from within the house, and time spent doing my own homework relative to grades achieved. I began to tire and rebelled by throwing off her data in subtle ways.
As an industrial engineer student, my wife would leave “light reading” textbooks lying about the house. When I was bored or needed to sleep, I would pick them up and read a paragraph or two before nodding off or choosing to organize my sock drawer out of guilt. I would read about increasing efficiency through measuring and managing manufacturing processes. Collectively, I read that chapter a few times. I asked my wife what the practical upshot was, and it was boiled down to this statement— you can’t manage what you can’t measure.
Apparently, some guy named Drucker was supposed to have said that (he sort of did, but you can’t debate this fact with engineers— trust me, I tried). The gist of it is that if you want to make significant improvements in the manufacturing process, you must be able to quantify or measure each component or step in the process of making your widget.
The same can be said for the way manufacturers should be handling their information security program and processes. If I were a betting man, I’d guess you’re not measuring and quantifying your information security program and efforts the way you can or should be. To many businesses, this is an elusive concept and gets ignored as a result.
For years, FRSecure clients have told us that they make decisions on their infosec or cybersecurity spend based on the “stuff that the IT staff has told them.” Often, IT staff have competing interests and don’t bring a global view to the problem at hand. As a result, departments often duplicate efforts, make purchases that don’t necessarily complement each other’s goals, or both.
Information security isn’t really an IT issue; it is a business issue. It’s this global view of security that companies miss when they hand the security reins completely to IT. Purchases made to ostensibly improve information security should be as the result of a quantitative measure gained objectively— one that helps make the entire business more successful.
Sounds good, right? You can agree with the premise? Okay, but how do you do it, you ask? To get an objective measure of your security practice, you need to be able to quantify it. Security risk assessments are usually a great place to start, as they typically assign a numeric value to your level of risk using objective evaluation. A good information security risk assessment will focus on four main areas of security: Administrative Controls, Physical Controls, Internal Technical Controls, and External Technical Controls.
Administrative Controls
Think of this as the “people” portion of security. Administrative controls involve the strategy, roles, and responsibilities of workforce members. This includes things like your onboarding and offboarding processes, your password rules, asset management, incident response planning, and more.
Physical Controls
Physical controls are the tangible security controls. These are the ones that prevent people from physically accessing your information. This includes things such as the locks on your business’s doors, your badge system, the cameras you have on the facility, etc. After all, it doesn’t matter how secure your network is if someone can break in and steal your server.
Internal Technical Controls
Internal technical controls involve the controls you have to protect your internal information resources. This includes your network connectivity, remote access, servers and storage, mobile devices, and more. These controls focus on the things that happen inside your internal environment.
External Technical Controls
This is what people think of most when they think of information security. External technical controls look at your protections against the outside world. They involve firewalls and anything else that helps prevent black hat hackers from breaking into your network from the internet.
We do this through an assessment called the FISASCORE®. This assessment will return a numeric value (FISASCORE), which looks much like your personal credit score and quickly gives you an overview of where you are as it relates to your corporate security. The lower the FISASCORE, the more likely it is that your business’s data will be compromised. The higher the score, the less risk you have. The score and supporting documentation quickly give you an understanding of what your current environment looks like, help you decide what you want it to look like, and give you a plan around how you will get to the desired future state.
The report is effectively a road map charting a path to greater security. Risk can’t be eliminated, but implementing the report’s improvement items will indeed make your information security program and business more secure. Post-implementation success not only shores up your defenses but also demonstrates improvement for insurers who may have written a breach insurance policy for your organization. It gives you a defensible position in the event of an incident occurring.
Much like my wife trying to do time and motion studies on me to make me more efficient (still a work in progress, by the way), the FISASCORE aims to understand your efficiencies. It measures and allows you to manage your security objectively, with repeatability, and complies with major standards in the information security area. The objectivity, measurability, and repeatability are what make FISASCORE a tool that many have in their toolbox and one you should add to your information security program as well.