BLOG | AUG 2, 2021

15 TIPS GUARANTEED TO IMPROVE YOUR SECURITY PROGRAMME

There are some simple do's and don'ts that will help you to get the most out of any security programme...

1) DON'T PRIORITISE SECURITY OBJECTIVES OVER THE BUSINESS


The objectives of any security programme must be aligned with the objectives of the business. Where this doesn't happen, there's an increased chance that security actions will interfere with operations and subsequently undermine security's reputation. In these circumstances it's more likely that security processes will be ignored, security issues won't get reported for fear of more security measures, and vulnerabilities will grow. Thankfully this is easily overcome by security professionals involving other areas of the business when making decisions and building consensus before implementing security measures.


2) AVOID UNNECESSARY SECRECY


There are times when elements of a security strategy need to be kept secret to remain effective, e.g. during an ongoing investigation, or when knowledge of a security measure would allow it to be circumvented. However, when entire security programmes are needlessly shrouded in secrecy it leaves other parts of the organisation questioning the effectiveness of security. Security professionals need to share as much information as possible with other parts of the business and with employees to build trust and develop a culture of security.


3) DROP THE MACHO IMAGE


There's no way to avoid it: security has a macho image in the minds of most people, linked to the fact that many security professionals tend to be former military or police. Clearly we want the skills that these backgrounds bring, but security professionals need to recognise that this isn't always a useful image because it makes them less approachable. They need to make an effort to break down barriers, which can be done by having non-work-related conversations and generally making an effort to be known as a person and not just referred to as "security". It is often during non-work-related conversations that trust is built, and this can even lead to useful information being passed on.


4) FOCUS ON PROACTIVELY IDENTIFYING THREATS


A security programme that isn't dedicated to identifying over-the-horizon threats shouldn't be surprised when they arrive on its doorstep. The amount of media coverage of cyber threats means that businesses are heavily focused on this area, but there's a danger that non-technical threats could be overlooked. This is why an effective threat identification capability needs to be holistic and cover a wide spectrum. The priorities for identifying threats should be driven by the findings of risk assessments and concerns from within the business (Tip: business priorities will shift frequently, so conduct periodic engagement). During the early stages of establishing a threat identification capability, gather as much information as possible from as many sources as possible. Once this is analysed you'll quickly discard the unreliable sources, which will increase the time you can allocate to analysis and improve the quality of output (Tip: periodically review your information sources to weed out ones that have run dry and to identify new sources of information).


5) CREATE A PATH FOR CAREER PROGRESSION


If you fail to develop your workforce through training and to give people more responsibility, they're going to get bored and stagnate. The lazy ones will stay, but the good ones will leave in search of a greater challenge; ironically, these are the ones you most want to keep, because their new ideas and drive to do things better can be harnessed to enhance your security programme. Be sure to map out a development route for people who join your team. Given the ever-changing security threats in the modern world, it shouldn't be hard for you to identify new skills that your team could be trained in.


6) ENSURE YOUR INCIDENT RESPONSE PLANS ARE FIT FOR PURPOSE


Creating incident response plans takes diligence, research and time. Don't try to rush it, because you'll either miss something or the plans will lack sufficient detail to be of use. When creating the plans, first take time to play out how an incident might manifest and unfold. Consider how the incident might have indirect consequences outside the area immediately impacted, e.g. media interest and political involvement. Then consider your constraints, e.g. resources, legal boundaries, skills. To reduce the chances of being caught out by a real-life incident, prioritise completing plans for the incidents which are most likely to occur.


7) PRACTICE YOUR INCIDENT RESPONSE PLANS


It is no good having a fantastic plan sitting on a shelf if nobody knows how to implement it. If an incident occurs, people are going to react immediately; they won't have time to read a document. You need to make sure that people react how they are supposed to, and this is only achieved by familiarising them with what they need to do. Start off with desktop exercises with senior responders so that the strategic elements of the plan are understood. Then progress into hands-on exercises at the operational level, running through drills and physical responses.


8) PERIODICALLY REVIEW SECURITY RISKS


Familiarity with the operating environment tends to create optimism bias (the belief that a negative event will not happen) and confirmation bias (the belief that existing mitigation measures are fit for purpose). Ultimately, this can lead to complacency. Consider how you are going to incorporate measures to avoid this, e.g. attending industry forums and trading thoughts with others, commissioning a third-party risk assessment, signing up for information from an external provider, or conducting red-team exercises.


9) FIND BALANCE BETWEEN SECURITY AND ORGANISATIONAL REQUIREMENTS IN YOUR INFORMATION SECURITY POLICIES AND PROCEDURES


Don't blindly do everything ISO27001 or other standards say; remember to align guidance with what is practical for the business to operate and proportional to the threat. This can be done by taking time to understand how people use information. This will help you to make better-informed decisions around the controls you implement, which will ultimately help you to prevent information misuse and to identify wrongdoing and vulnerabilities in a timely manner.


10) UTILISE PENETRATION TESTING (PHYSICAL AND CYBER)


If you aren't using penetration testing to identify exploitable vulnerabilities, you won't find them until it's too late. To get the most out of these tests, they need to be conducted by a third party who is not read in to your security measures, so as to mimic a real-life adversary, and testing needs to take a combined approach looking for both physical and cyber vulnerabilities. After all, you can have the greatest firewalls in the world, but if someone is able to walk into your server room all your other security measures are redundant.


11) CYBER SECURITY AWARENESS TRAINING


Analysis of incidents reported to the UK Information Commissioner's Office shows that 90% of all cyber security breaches are caused by human error. So when it comes to protecting the business from cyber security threats, staff represent a company's greatest weakness and, potentially, the greatest asset for stopping an incident. To be fully utilised, though, staff need to receive training that enables them to recognise and mitigate a cyber threat. To be most effective, training shouldn't just be delivered as a one-off on a yearly basis; it should be reinforced by drip-feeding small bits of training on a regular basis. This means staff can be kept up to date on the latest developments, and it avoids the operational impact of taking people away from their jobs for long periods.


12) HAVE A CLEAR SECURITY POLICY


This should be the anchor that guides all decision making when people aren't sure what to do. It needs to define the objectives of the security programme, etc.


13) REGULARLY REVIEW YOUR TECHNOLOGY


As threats evolve, they will find new ways to overcome old technology. There may even be newer technology out there that is more effective, more efficient and cheaper.


14) DON'T JUST LOOK FOR THREATS OUTSIDE, LOOK INSIDE THE BUSINESS


We don't just mean insider threats; we mean changes in the way the business intends to operate. This is why security needs a seat at the table when operational decisions are being discussed.


15) MEASURE EVERYTHING


Establish metrics for everything: individual performance, and the value of security incidents quantified in terms of direct cost (e.g. the cost of theft) and indirect cost (e.g. downtime while equipment is replaced). This isn't only good for helping you see where you need to focus, but also for demonstrating back to the C-suite the value of security.