No matter how sophisticated an organization’s technical controls, there is always a risk of attack. In this day and age, with technology advancing so quickly, the constant evolution of threats makes it impossible for any business to be 100% protected; what they can achieve, however, is resilience.
As Information Security Manager at AXELOS, my job is to identify and diminish any weaknesses in our processes and practices to help create this resilience which, ultimately, is about our ability to respond to and overcome any security incidents.
Finding the weakest link
The weakest link in any organization, when it comes to security, is often its employees. A notable finding in HM Government’s 2015 Information Security Breaches Survey is that 75% of large organizations’ breaches were due to the human factor. Whether it’s making an error in data handling, sending an email to the wrong person, forgetting to redact part of a document or falling for a phishing attack, humans are the biggest source of vulnerability within a business because their actions have the potential to circumvent even the most technically advanced controls.
To lessen the impact of this human factor, IT security experts must begin by fully understanding the business and its current attitude to security: what are the organization’s objectives? What are the security risks that may affect the business’s ability to achieve those objectives? Where are the biggest weaknesses? What controls are currently in place? How do employees currently understand and respond to threats? These are just some of the questions that security officers need to answer before they can begin to make a change.
At AXELOS, for example, we have explored these questions by interviewing team members and observing their existing behaviors and practices. Then, with a clearer understanding of the current situation, we know where errors could occur and we are developing more secure processes to help avoid them. Naturally, it’s human to make mistakes and they can’t always be prevented; but once a risk is known, it can be managed with the necessary controls and reduced to a level the business can cope with.
An evolving challenge
Yet identifying risks is not a one-off task. Just as the nature and sophistication of security threats change on a daily basis, so too does a business. So, an organization’s processes and procedures need to adapt to ensure they keep up with threats and remain fit for purpose. There is no point in having processes that are outdated, ignored or out of step with the business model.
Alongside changes in threats and organizational developments, there are also new laws and legislation around security that businesses must adhere to. In Europe, the new General Data Protection Regulation (GDPR), approved by the European Parliament in April 2016 and expected to come into force from 25 May 2018, means businesses are more liable and subject to stricter penalties if they do not protect customer data proficiently.
While AXELOS has always had strict controls on customer data, the new regulations pose a real challenge for many other businesses. For instance, even if a business is not in the EU, it will still have to comply with the Regulation when doing business with EU companies and handling EU data. Another notable change is that the definition of personal data will be broader, bringing more data under protection. To ensure they meet these requirements, organizations must ensure their employees understand the new laws but also make sure procedures are followed on a daily basis. Today, the value of a business is very much in its data, so the new legislation safeguards companies and individuals by protecting their information assets.
An unexpected culture
The job of the IT Security Officer really is about, as Donald Rumsfeld said, being ready for the "unknown unknowns". To keep up, IT Security Officers must constantly adapt; learning is a continuous process and one that must align with the business.
In fact, the belief that security must be part of business culture is at the heart of AXELOS’ RESILIA™ accreditations. Being secure and resilient requires a cultural shift across the whole organization so that even if you encounter the unexpected (which undoubtedly you will), you can recognize the breach, recover and get back to business as usual as efficiently as possible.
See our RESILIA section for more information about cyber resilience.