Burwood Group


5 Keys to Create Proactive Security through Service Management

Preventing cybersecurity events has far-reaching financial and reputational benefits. The news is flooded with examples of the high price organizations pay when a security event occurs. For example, a cyberattack caused a projected loss of up to 28% in sales for Clorox and an adjusted loss of up to 40 cents a share.

Without adequate processes, you risk a financial hit to find and fix an emergency, plus the costs and impact of financial recovery, legal recourse or prosecution, and regulatory fines. Additionally, there is the lasting damage security events can do to your reputation. In 2023 alone, 40 million US patients’ data was compromised, the private data of nearly 100,000 Ashkenazi Jewish users of 23andMe is being sold, and 40 million voters’ data were potentially stolen from the UK’s Electoral Commission.

Staying Ahead of the Threat

If you want five ways to stay ahead of cyber threats proactively and strategically, read on…

What if you could turn back time and minimize the damage or even stop security events by strategically, proactively, and holistically improving your cybersecurity posture and approach?  

Doing so requires time and resources to establish a system that protects your business. It may seem easier to prioritize security after an incident, but by then it is already too late. You will benefit far more from resources focused on strategic innovations that change, grow, and protect the business. The alternative is reactive purchasing and maintenance of strategically disconnected, siloed technologies across the environment. These merely monitor and respond to cyber events, and only assist your already overtaxed resources in reacting to them and recovering systems, data, and reputation, or in simply keeping the business running. A little time spent now to establish the system will save you time and money in the long run.

Strategic and Proactive Cybersecurity Through Service Management

The whole point of an integrated service management system (SMS) is to strategically plan for, deliver, and protect business value with investments in Information Technologies and services.

Security (including cybersecurity) is a key business value of all IT services provided to the enterprise. This must be strategically accounted for throughout the IT investment value life cycle.

Why Service Management?

By implementing, integrating, and improving service management system practices, you’ll streamline IT operations, improve service quality and cybersecurity, enhance Business Intelligence (BI) in decision-making processes, and foster a culture of knowledge sharing, trust, and continuous improvement. 

How to Improve Cybersecurity with Service Management

It’s one thing to aspire to an integrated SMS and a supporting Service Knowledge Management System (SKMS). But you will also need a holistic, business-outcomes approach. By integrating key strategic business capabilities, you can implement or improve your Service Management System to maximize your security position. Organizations with more proactive, risk-based vulnerability management saved approximately $470,000 per data breach.

5 Keys to Creating Strategic and Proactive Cybersecurity

  1. Formal, Strategic and Proactive IT Engagement with the Enterprise 

  2. Enterprise Architecture (EA) capability 

  3. Data Loss Prevention (DLP) 

  4. Application Security 

  5. Threat Detection 

The first two are more complex and strategic than the others and may be most appropriate for large, complex organizations. However, they can also enable smaller organizations to grow and scale. Growth would certainly be compromised without IT engagement and enterprise architecture. In fact, without them, greater investment in the last three would be needed to compensate for the gaps, including investment in the human resources needed to manage cybersecurity.

1 – Formal, Strategic and Proactive IT Engagement with the Enterprise 

What is a Strategic and Proactive IT Engagement with the Enterprise?

A strategic IT engagement with the Enterprise for cybersecurity is a formalized, continuous, and strategic business relationship between an Enterprise Department or Business Line process stakeholder and Enterprise Architecture (EA), facilitated by a “Strategic Engagement Leader” role.

This “Strategic Engagement Leader” is responsible for proactively ensuring alignment of Enterprise Strategy, Policy, Risk Management, and Cybersecurity policy and standards between the Enterprise, the business line, and IT. This person is also a key contributor to Enterprise Architecture in planning and maintaining the reference architectures, technology standards, and IT capabilities needed to deliver stakeholder outcomes, including specific Security / Cybersecurity objectives.

Common roles or titles of a “Strategic Engagement leader”: 

  • Business Relationship Manager (BRM) ITIL / ITSM 

  • Business Analyst (BA) 

  • Program Manager 

  • Business Architect 

  • Product Owner (Agile) 

  • Others… (see COBIT / SFIA)

Why have a Strategic and Proactive IT Engagement with the Enterprise?

A Strategic IT engagement with the Enterprise delivers strategic, proactive, and continuous… 

  1. Customer service 

  2. Enterprise Security/Cybersecurity Strategy, Policy, and Risk Management alignment between Enterprise, the business line, and IT. 

  3. Cybersecurity capabilities that support the stakeholders’ strategic marketing/advertising plans and programs and their sales/production capabilities.

  4. Cybersecurity capabilities specific to the stakeholders’ data types, regulatory and legal requirements, or other specific business capabilities and processes.

  5. Innovation: forecasting and planning for new technologies that create new business capabilities.

How to Create a Strategic IT Engagement with the Enterprise

  1. Identify the scope of the Strategic Engagement Leader, the person who will own the relationship with a business stakeholder.

    • Identify the target business line(s), department(s), or a subset of business processes within a business line or department.

    • Identify the business stakeholder accountable for the performance and outcomes of the critical business processes of the target enterprise, department, or business line, i.e., those strategic to growing, changing, and protecting the business (informed by Business Continuity), e.g., sales, fulfillment, accounts receivable, supply chain, customer care, logistics.

    • Identify the industry, regulatory, risk management, and cybersecurity requirements of these critical business processes, e.g., Application Security, data encryption, segregation of systems/data, data loss prevention, monitoring/threat detection.

  2. Identify (train or hire) the person with the most knowledge of the stakeholders’ industry, regulatory, risk management, and cybersecurity requirements for the critical business processes strategic to growing, changing, and protecting the business.

    • Advanced capability, experience, or knowledge in Business Architecture and Business Process Management (BPM), including expertise in Business Process Modeling Notation (BPMN). BPMN is a common modeling language that is readily understood by all business stakeholders: the business analysts who create and refine processes, the technical developers responsible for implementing them, and the business users who monitor and manage them.

  3. Establish an agenda and a regular interface (meetings) between the “Strategic Engagement Leader” and the business stakeholder to review and capture:

    • Enterprise/business line mission and plans

    • Enterprise/business line strategic initiatives

    • External constraints

    • Current systems and technology

    • Emerging industry trends

    Examples of agenda topics shared with Enterprise Architecture:

    • Risk Management Registry: known cybersecurity threats and mitigation plans; business continuity plan.

    • IT Service / Application Performance Review (cybersecurity events)

    • Business process improvement plans

    • 3-to-5-year Business Strategic Plan

    • Strategic plan for new capabilities, processes, and/or IT services, applications, and technologies, e.g., reference architectures for Application Security, data encryption, data segregation, data loss prevention, monitoring/threat detection.

    • Retiring IT services, applications, capabilities, and/or technologies.

  4. Establish an agenda and a regularly scheduled interface (meetings) between the “Strategic Engagement Leader” and Enterprise Architecture to review the same items as in #3 above.

  5. Leverage an integrated SMS and supporting SKMS (a common data repository) of the related strategic knowledge assets outlined above, so that the business stakeholder, Enterprise Architecture, and the Strategic Engagement Leader have real-time access to investment decision support and can keep it updated.

2 - Enterprise Architecture Capability

What is an Enterprise Architecture Capability?

Enterprise Architecture (EA) provides an integrated, holistic view of the organizational landscape which enables strategic decision-making providing best practice business and technology trend adoption.

EA strategically and proactively investigates, plans and budgets for, and adopts Service Oriented Architectures (SOA) through its regular interface with “Strategic Engagement Leaders.” EA develops standards for technologies and infrastructure (reference models or architectures) that are designed with cybersecurity capabilities specific to each business activity or business process and the data each creates and uses.

Through its regular interface with “Strategic Engagement Leaders,” EA also brings new cybersecurity threats, mitigation capabilities, and technologies to the awareness of their business stakeholders.

Strategic Enterprise Architecture is typically informed by the “Strategic Engagement Leaders” with the following:

  • Enterprise/business line mission and plans

  • Enterprise/business line strategic initiatives

  • External constraints

  • Current systems and technology

  • Emerging industry trends

Why have an Enterprise Architecture Capability for Security?

Designing cyber-secure SOA / reference architectures not only delivers business outcomes immediately but also delivers the operational capability to prevent, quickly respond to, isolate, or quarantine a cyber event within the architecture. This capability minimizes the impact and scope of the event. That agility is critical to cybersecurity capabilities, business continuity, and innovation.

A strategic engagement with an EA capability by business line “Strategic Engagement Leaders” enables:

  1. Three-to-five-year planning for each business line’s technology and infrastructure architecture

  2. Automated or rapid response to, and mitigation of, cyber threats and events

  3. Implementation / Deployment (CI / CD) capability – Agile

  4. Innovation

Without a strategic EA capability, an organization will react to cyber events too late and without a continuity plan, compounding an already impactful event and diverting critical resources from other strategic business activities.

How to Establish an Enterprise Architecture

EA cybersecurity standards are created, informed, and established by enterprise domain subject matter experts (SMEs) in EA, and can also be composed by SMEs from IT Operating Practices and technical domains.

The effective delivery of EA cybersecurity standards is both enabled and supported by the following:

  1. An integrated Service Management System (SMS) with IT Operating Practices such as Asset Management, Event Management, Incident Management, and Configuration Management, and the supporting SKMS repositories.

  2. The continuous maintenance of the three-to-five-year plan (with “Strategic Engagement Leaders”) for each business line’s technology and infrastructure architecture, including the planned strategic future state, current state, and retirement of infrastructure cybersecurity capabilities that support business processes and strategic outcomes.

  Common elements of the EA cybersecurity plan include:

  • Network Security

  • Endpoint Security

  • Vulnerability Management

  • Firewalls and Intrusion Detection and Prevention Systems (IDPS)

  • Malware Protection

  • Data Loss Prevention

  • Access Control

  • Application Security

  • Incident Response

  • Threat Detection

3 - Data Loss Prevention (DLP)

What is Data Loss Prevention (DLP) for Cybersecurity?

DLP provides guidelines, best practices, and compliance frameworks to help organizations protect sensitive or confidential data from unauthorized access, disclosure, or loss. 

Why Data Loss Prevention for Security?

Not being able to identify, monitor, and control data access and transmission exposes the enterprise and its customers to risk and to reputational and financial loss. DLP standards provide a structured approach to identifying, classifying, monitoring, and controlling data to prevent accidental data breaches.

How to Implement Data Loss Prevention for Security

DLP starts with the Strategic Engagement Leader’s regular interface with their business stakeholder, supporting alignment between the Enterprise, the business line, and IT. This person is also a key contributor to Enterprise Architecture in the planning and maintaining reference architectures, technology standards, and IT capabilities needed to deliver stakeholder outcomes, including specific DLP / Security / Cybersecurity objectives.

The “Strategic Engagement Leader” seeks the following DLP input from the business stakeholder to implement a strategic and proactive DLP capability:

  1. Data Classification

  2. Data Discovery

  3. Data Monitoring

  4. Data Encryption

  5. Access Controls

  6. Data Handling Policies

  7. Incident Response

  8. Compliance Requirements

  9. User Training and Awareness

  10. Endpoint Security

  11. Data Loss Prevention Solutions
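The “Why” section above describes DLP as identifying, classifying, monitoring, and controlling data, and the list above names classification, discovery, encryption, access controls, and handling policies among its inputs. The following is an added example, not Burwood’s code or a DLP product, showing how those inputs combine into one enforceable decision: content discovery raises a declared classification, and a per-channel handling policy decides whether a transfer is allowed. The classification scheme, the detector patterns, the channel policy, and the sample transfers are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Ordered classification levels (constructed scheme; an enterprise would use its own)
RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Discovery detectors: content patterns that raise the classification (constructed, illustrative only)
DETECTORS = (
    ("restricted", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),           # SSN-shaped token
    ("confidential", re.compile(r"\b(?:\d[ -]?){13,16}\b")),        # payment-card-shaped run of digits
    ("internal", re.compile(r"\bINTERNAL ONLY\b", re.IGNORECASE)),  # handling marker in the text
)

# Handling policy per channel: the highest label the channel may carry, and the
# label at or above which encryption is mandatory (constructed policy)
CHANNEL_POLICY = {
    "email_internal": {"ceiling": "confidential", "encrypt_from": "confidential"},
    "email_external": {"ceiling": "internal", "encrypt_from": "internal"},
    "cloud_share": {"ceiling": "confidential", "encrypt_from": "internal"},
    "usb": {"ceiling": "internal", "encrypt_from": "internal"},
}


@dataclass(frozen=True)
class Transfer:
    content: str
    declared: str    # label the data owner applied; discovery may raise it, never lower it
    channel: str
    encrypted: bool


def classify(content, declared="public"):
    """Return the higher of the declared label and what content discovery finds."""
    level = declared
    for label, pattern in DETECTORS:
        if pattern.search(content) and RANK[label] > RANK[level]:
            level = label
    return level


def evaluate(transfer):
    """Apply the channel handling policy and return an auditable decision record."""
    label = classify(transfer.content, transfer.declared)
    policy = CHANNEL_POLICY[transfer.channel]
    if RANK[label] > RANK[policy["ceiling"]]:
        decision = "block"
        reason = f"{label} data exceeds the {transfer.channel} ceiling ({policy['ceiling']})"
    elif RANK[label] >= RANK[policy["encrypt_from"]] and not transfer.encrypted:
        decision = "block"
        reason = f"{label} data on {transfer.channel} must be encrypted"
    else:
        decision = "allow"
        reason = "within handling policy"
    return {"classification": label, "channel": transfer.channel,
            "decision": decision, "reason": reason}


# Constructed sample transfers covering each policy outcome
SAMPLE_TRANSFERS = (
    Transfer("Applicant SSN 123-45-6789 attached", "internal", "email_external", True),
    Transfer("INTERNAL ONLY: Q3 staffing memo", "public", "email_internal", False),
    Transfer("Refund to card 4111 1111 1111 1111", "public", "cloud_share", False),
    Transfer("Public press release draft", "public", "usb", False),
)


def run_sample():
    """Evaluate every sample transfer; the records double as the monitoring log."""
    return [evaluate(t) for t in SAMPLE_TRANSFERS]


if __name__ == "__main__":
    for record in run_sample():
        print(record)
```

The first transfer is blocked because discovery finds restricted data that the owner had labelled only “internal”, which is the point of combining classification with discovery: a declared label can only be raised by the content, never lowered. The third transfer is within the channel’s ceiling but blocked until it is encrypted, which is the handling-policy and encryption inputs working together.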

4 - Application Security

What is Application Security?

Application Security, and specifically the Application Security standards for Application Development, is a set of guidelines, best practices, and requirements designed to ensure the security of software applications throughout their lifecycle.

Why Application Security?

Application Security standards help organizations develop and maintain more secure applications, reduce vulnerabilities, and mitigate potential risks associated with software development and deployment. These standards aim to identify and mitigate vulnerabilities and threats that could potentially lead to security breaches, data leaks/loss, or other forms of cyberattacks.

Application Security standards cover various aspects to create more secure and resilient applications.

How to Implement Application Security

Implementing Application Security is first informed by Enterprise Architecture, DLP, and the “Strategic Engagement Leader” and must account for all the business, EA, and DLP requirements throughout the development lifecycle.  

Key capabilities of Application Development needed to deliver Application Security include:

  1. Secure Coding Practices

  2. Authentication and Authorization

  3. Data Protection

  4. Input Validation

  5. Security Testing

  6. Secure Configuration

  7. Error Handling and Logging 

  8. Patch Management

  9. Secure Deployment

  10. Systems Development Lifecycle (SDLC)

  11. Third-Party Components

5 - Threat Detection

What is Threat Detection?

Threat Detection, also known as monitoring and event detection, requires proactive investigation of, and awareness of, developing threats by skilled cyberthreat analysts who are members of special-interest communities that track efforts to compromise digital systems.

Why Threat Detection to Improve Security?

If Application, DLP, and infrastructure monitoring (Threat Detection) are not delivered through strategic and proactive Architecture and Application Security standards, the organization is at much greater risk.  

  • Resources are not enabled to succeed. They must react to security events that may have become widespread with limited information or anecdotal evidence and with limited technical capability to identify, isolate / quarantine, remediate, or eliminate the threat in a timely manner. 

  • It also makes it extremely difficult to identify root causes and prevent future security events.  

  • In addition, implementing and supporting one-off cybersecurity or threat detection solutions without the Architecture and Application Security standards already baked in contributes to the proliferation of technologies and dilutes the leverage of resources and IT investments.

How to Implement Threat Detection

Threat Detection is in the scope of EA and is informed by Application Security and DLP standards (among others) along with technical domain SMEs. All or some of these resources would potentially be members of Enterprise Architecture, providing immediate design inputs and technology recommendations to EA to prevent future cyber threats.

As members of or contributors to EA, these resources would develop and maintain the library of known threats, monitoring technologies, and threat attributes to monitor for; correlate observed events against that library to reach the known response/remediation; and drive notifications and escalations based on severity.
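The paragraph above describes three things working together: a library of known threats with the attributes to monitor for, correlation of observed events against that library, and severity-driven notification and escalation. The following is an added example, not Burwood’s code or any vendor’s product, showing the smallest working form of that loop: a constructed threat library, a handful of constructed log lines in a key=value format, per-host attribute derivation, and an escalation table keyed on severity. The threat names, attribute thresholds, playbook identifiers, and escalation paths are all placeholders chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class KnownThreat:
    name: str
    severity: int            # 1 (low) .. 4 (critical)
    attributes: frozenset    # all of these must be observed on one host in the window
    playbook: str            # known response/remediation reference (constructed placeholder ids)


# Constructed known-threat library maintained by the EA / threat detection contributors
THREAT_LIBRARY = (
    KnownThreat("credential stuffing", 3, frozenset({"auth_failure_burst", "many_sources"}), "PB-AUTH-01"),
    KnownThreat("data exfiltration", 4, frozenset({"large_upload", "unknown_destination"}), "PB-DLP-02"),
    KnownThreat("port scan", 1, frozenset({"port_scan"}), "PB-NET-03"),
)

# Severity -> notification/escalation path (constructed)
ESCALATION = {
    4: "page on-call and open a P1 incident",
    3: "page on-call and open a P2 incident",
    2: "open a ticket for the next business day",
    1: "record in the event log only",
}


def parse_line(line):
    """Parse one constructed 'key=value key=value' log line into a dict."""
    return dict(token.split("=", 1) for token in line.split())


def derive_attributes(events):
    """Map one host's raw events in the window to the threat attributes they evidence."""
    attrs = set()
    failures = [e for e in events if e.get("auth") == "FAIL"]
    if len(failures) >= 5:                              # burst threshold (constructed)
        attrs.add("auth_failure_burst")
    if len({e["src"] for e in failures}) >= 3:          # distinct-source threshold (constructed)
        attrs.add("many_sources")
    if any(int(e.get("bytes_out", 0)) >= 50_000_000 for e in events):
        attrs.add("large_upload")
    if any(e.get("dest_known") == "no" for e in events):
        attrs.add("unknown_destination")
    if any(e.get("event") == "port_scan" for e in events):
        attrs.add("port_scan")
    return attrs


def correlate(log_lines):
    """Correlate events per host against the library; return findings, most severe first."""
    by_host = defaultdict(list)
    for line in log_lines:
        event = parse_line(line)
        by_host[event["host"]].append(event)
    findings = []
    for host, events in by_host.items():
        observed = derive_attributes(events)
        for threat in THREAT_LIBRARY:
            if threat.attributes <= observed:           # every required attribute was seen
                findings.append({
                    "host": host,
                    "threat": threat.name,
                    "severity": threat.severity,
                    "playbook": threat.playbook,
                    "escalation": ESCALATION[threat.severity],
                })
    findings.sort(key=lambda f: f["severity"], reverse=True)
    return findings


# Constructed sample log window: one host under a spread of failed logins plus a scan,
# one host pushing a large upload to an unknown destination, one host with normal activity
SAMPLE_LOG = [
    "ts=1 host=web01 src=203.0.113.10 auth=FAIL",
    "ts=2 host=web01 src=203.0.113.11 auth=FAIL",
    "ts=3 host=web01 src=203.0.113.12 auth=FAIL",
    "ts=4 host=web01 src=203.0.113.10 auth=FAIL",
    "ts=5 host=web01 src=203.0.113.11 auth=FAIL",
    "ts=6 host=web01 src=203.0.113.12 event=port_scan",
    "ts=7 host=db02 src=10.0.0.7 bytes_out=75000000 dest_known=no",
    "ts=8 host=app03 src=10.0.0.8 auth=OK",
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

Keeping the library, the attribute derivation, and the escalation table as separate data makes each one maintainable by the people the text names: EA contributors extend the library and playbooks, domain SMEs tune the thresholds, and operations owns the escalation paths, without touching the correlation logic itself.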

Ready to implement proactive security measures with Burwood’s experts?


References:

  • 28% in sales for Clorox and an adjusted loss of up to 40 cents a share

  • 40 million US patients’ data was compromised

  • The private data of nearly 100,000 Ashkenazi Jew users of 23 and Me is being sold

  • 40 million voters’ data were potentially stolen from the UK’s electoral commission.

OCTOBER 10, 2023
