Sr. Consultant and Security Practice Leader Larry LaBas shares some of the best practices he recommends to Taos clients in building and maintaining a robust security posture.
4: Cross-Company Collaboration on Security: Are Your Processes Working?
“Beyond IaaS”, the third blog in this series, recommended integrating security and business departments in a CI/CD review process to optimize security-focused automation. Once this is in place, the next stage of developing a cyber-resilient organization is to expand that collaborative review cycle from automation into one that examines the company’s security strategy as a whole. The fundamental question is “are your processes working?”
What is Cross-Company Collaboration on Security?
Organizations with mature cross-company collaboration on security have processes in place that enable different parts of the business to connect and share information on the company’s security strategy and execution, including the scope of the current strategy, future plans, and the results of testing and collaboration. Starting with the executive and upper management level, this review cycle examines what’s working and what needs improvement by asking:
- Are the processes working to both maintain and improve our security posture?
- Are the strategies working?
- Are they up to date?
- Are they enabling our vital business systems?
- What needs to be adjusted or changed?
Departments should always be able to collaborate on reviewing and optimizing company security strategy, and executive teams and boards of directors should always be enabled to report on risks and risk management. If the review cycle is effective and processes are shown to be working well, then the organization has a plausible defense against security breach lawsuits that are now possible in some states due to recent legislation. If they aren’t working well, then executive teams risk becoming that Wall Street Journal headline for the wrong reasons.
In its ideal state, cross-company collaboration on security looks something like this:
- The organization’s security posture is usually broken down into simple, easy-to-understand metrics, such as the number of current risks, security incidents, remaining vulnerabilities, or outstanding legal requirements.
- The security posture can be measured and quantified in business terms, such as monetary value, reputation value, and industry position.
- The flow of information on security strategies, processes, and monitoring runs both into and out of each department.
- Executive leadership takes input from teams and uses it to make decisions on the security posture of the company, and they prioritize focus on areas of concern based on measured risks to the company.
- New risks are identified, discussed, and prioritized by the executive team and authorized individuals.
- If the security posture drops – meaning the metrics change for the worse – the leadership team takes action, because there is a possible new risk on the table.
A clear sign of an ideal state of cross-company collaboration on security is that prior risks reach one of three states: mitigated, transferred, or accepted – and this shows up in a formal risk register.
Mitigating risk reduces or eliminates the potential of occurrence or harm, such as closing security loopholes or instituting standard remediation systems, like 3-2-1 backup.
Transferring risk is achieved by outsourcing the potential for harm, such as investing in cyber insurance to protect against the cost of a malware attack.
Accepting risk is necessary when a risk cannot be fully mitigated or transferred, and the organization must take the chance of breach or harm. In this case, the owner of a system that carries an accepted risk must work with the leadership team to address it directly, such as wrapping mitigating controls around a vital system or segregating an old system.
3 Steps to Improve Processes
When my team executes a full security assessment and advisory service for clients, I rarely see that ideal state of cross-company collaboration on security at the beginning of an engagement. To address the gaps, I learn the business from the top down and design clear remediation steps based on the specific needs of the organization and industry requirements. While I always recommend deploying Taos services as a best practice, there are three remediation steps you can take to help improve your cross-company collaboration processes:
- Automate the data needed for making decisions. This will greatly improve the quality of security decisions, since it will enable leadership to extrapolate from data rather than from emotion or gossip. The data could include vulnerability reports from any test, or process-monitoring results surfaced in dashboards; all security tools will report this data automatically if set up properly.
- Implement a reporting architecture. This should be a closed feedback loop to the executive leadership team that reduces the data into metrics which align with business objectives, such as the financial risk of vulnerabilities or business continuity risk.
- Create a circle of shared information. Reporting architecture should be combined with departmental feedback to provide data to the executive leadership team, and communication on policy and procedure should be shared with departmental teams. Create communication programs such as meetings or documentation to pass information around the organization. Create councils of departmental leaders who can direct teams to take action. Deploy official security champion programs, making sure to include important but often overlooked departments, such as HR and Legal.
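As an added illustration (not code from the original post or from Taos), the formal risk register described above and the “automate the data” and “reporting architecture” steps, reduced to a small Python model: every risk ends in one of the three dispositions, accepted risks must carry compensating controls, the register rolls up into a few business-term metrics, and a snapshot that moved for the worse flags a posture drop. The likelihood and impact fields and the sample risks are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Disposition(Enum):
    OPEN = "open"                 # identified, no decision yet
    MITIGATED = "mitigated"       # control applied, e.g. patched, 3-2-1 backup in place
    TRANSFERRED = "transferred"   # e.g. covered by cyber insurance
    ACCEPTED = "accepted"         # leadership accepts it; owner wraps compensating controls

@dataclass
class Risk:
    rid: str
    title: str
    owner: str
    likelihood: float             # assumed annual probability of occurrence, 0..1
    impact_usd: float             # assumed loss in monetary terms if it occurs
    disposition: Disposition = Disposition.OPEN
    compensating_controls: list = field(default_factory=list)

    def expected_loss(self) -> float:
        # Mitigated and transferred risks no longer contribute to the company's exposure.
        if self.disposition in (Disposition.MITIGATED, Disposition.TRANSFERRED):
            return 0.0
        return self.likelihood * self.impact_usd

def validate_register(register: list) -> list:
    """Accepted risks must carry at least one compensating control (see the text above)."""
    return [f"{r.rid}: accepted without compensating controls"
            for r in register
            if r.disposition is Disposition.ACCEPTED and not r.compensating_controls]

def posture_metrics(register: list) -> dict:
    """Reduce the register to the simple metrics the leadership team reviews."""
    return {
        "open_risks": sum(r.disposition is Disposition.OPEN for r in register),
        "accepted_risks": sum(r.disposition is Disposition.ACCEPTED for r in register),
        "expected_loss_usd": sum(r.expected_loss() for r in register),
    }

def posture_dropped(previous: dict, current: dict) -> bool:
    """True when the metrics changed for the worse since the last review cycle."""
    return (current["open_risks"] > previous["open_risks"]
            or current["expected_loss_usd"] > previous["expected_loss_usd"])

# Constructed sample register (hypothetical risks, not from the original post).
REGISTER = [
    Risk("R-1", "Unpatched VPN appliance", "IT", 0.3, 500_000, Disposition.MITIGATED),
    Risk("R-2", "Ransomware on file servers", "IT", 0.1, 2_000_000, Disposition.TRANSFERRED),
    Risk("R-3", "Legacy HR system cannot be patched", "HR", 0.2, 250_000,
         Disposition.ACCEPTED, ["network segmentation"]),
    Risk("R-4", "No 3-2-1 backup for finance data", "Finance", 0.25, 400_000),
]
NEW_RISK = Risk("R-5", "Vendor portal without MFA", "Legal", 0.5, 100_000)
```

Comparing `posture_metrics(REGISTER)` with the metrics after `NEW_RISK` is added is the trigger the text describes: a new open risk raises both the open count and the expected loss, so `posture_dropped` returns True and leadership has a measured reason to act.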
Once your cross-company collaboration on security is working well, what’s next is taking all of these processes and moving them into code. We’ll tackle that in the next Security Blog Series post: Company as a Service.