CIO OPINION
On top of creating the policies , businesses should also devise a playbook .
your requirements – perhaps they cannot offer single sign on . Yet , if they can still provide the same security through other controls then that is okay .
It really also comes down to risk acceptance and a cost-benefit analysis . For example , a survey product that does not store customer data or anything that could be used or manipulated by an attacker might be considered low or no risk . In this case , stringent measures may not be as essential .
Building your playbook
On top of creating the policies , businesses should also devise a playbook : something that you can reference every time an incident or the like , occurs . It is a manual that provides the action items against policies , determining the next steps , requirements , what analysis should be conducted etc .
Frequently , once policy is written , it does not get followed or teams pick and choose when they are applied meaning products are being adopted without as much scrutiny . By having a playbook on hand , we can make sure that all new products are being treated in the same way to lessen the attack surface . your inventory , all the applications and services in your portfolio and being aware of each of their capabilities .
Examining SOC 2 reports and pulling together a centralized repository of what each application is capable of , is critical . From there , you organize each application by risk based on the type of information or services they provide and store .
Usually , this can be broken up into distinct groups of risk and analyzed in turn starting with the riskiest : the first being the applications that contain sales or customer information and other confidential business processes .
Looking to the future
Though we have looked at the need for a modern security policy to meet today ’ s challenges , it is important to remember that the landscape continues to evolve even as we speak , and policies must adapt accordingly .
Looking forward to the next year or two , I believe we will need to further the use of products like the YubiKey . This is a piece of hardware , a physical MFA device , with WebAuthn technology built into it .
It will help in eradicating social engineering attacks that target credentials ; as even if they are stolen , the attacker will need access to this physical device . Granted , this does introduce an element of physical security but the risk and subsequent cost of a breach conducted online is magnitudes larger than that presented by a stolen device .
In order to properly design this and secure buy-in , it is crucial that business stakeholders understand the risks that exist and what the policy is trying to accomplish . Considering all the headlines we see today about cyberattacks , this should be a fairly straight-forward undertaking .
Indeed , an attacker would have to individually steal each of these devices and find the correct combination of access levels to succeed in a breach , that today , can be completed remotely with just a few clicks .
Concluding thoughts
The next step is looking at what business processes are at work . How do things flow into the organization ? How are requests made to procure new services ? This might mean working closely with procurement , finance and information security teams , so that any time someone wants to bring in a new service , it goes through the process dictated by the playbook .
If the product does not meet the policy , then it ’ s time to set up a call with the vendor to work with them on plans to mitigate risk .
Then , we need to test that the playbook is serving its purpose . This is the tricky part but one of the first things to do is understand your attack surface : identifying
Though our technologies have evolved to meet our hybrid working needs , security policies appear to have remained stagnant . In fact , many enterprises , both large and small , are neglecting to extend security baseline checks to the third-party service providers they are choosing to work with .
It is time this changed and one of the best methods of making sure policies work in practice is by creating a playbook . Exceptions should also be held to the bare minimum and only permitted following a thorough cost-benefit assessment . Having too many exceptions introduces risk . And over time , you will end up having to play catch up : juggling to clean up the applications you have as well as controlling the flow of new products . p
46 INTELLIGENTCIO NORTH AMERICA www . intelligentcio . com