Commentary: Regulatory compliance, cyberattacks, insider threats… the list goes on. Gaining control over IT security is a big messy problem for most large organizations, and getting worse with increasing regulatory requirements, more targeted attacks from criminal groups, and the potential for insider abuse. While security can equal compliance, compliance does not equal security.
Since these threats are persistent, point-in-time compliance approaches to security are doomed to fail. Instead, a risk-based approach to security, as recommended by organizations like the National Institute of Standards and Technology (NIST), is the best approach.
For many years, complying with government standards and industry regulations was seen as an obligatory check box in the lengthy list of IT security tasks. But with more than 855 security incidents reported in 2011 affecting more than 174 million records, it’s time to rethink the way an organization approaches security and compliance.
Due to the potential physical and economic repercussions of attacks against critical infrastructure and information systems, cyber security has captured the attention of many CISOs, boards of directors, and even the legislature. New regulatory guidelines such as the SEC cyber guidance and mandates such as FISMA, FedRAMP, and NIST SP 800-137 have emerged and require continuous monitoring of an organization’s compliance and security posture. The ultimate goal is to increase situational awareness, streamline remediation actions to minimize the attack surface, and lower the overall risk and business impact for an organization.
To achieve a context-aware, risk-based view across IT, security, and business operations, organizations are turning to Security Risk Management. This requires combining threat intelligence, vulnerability knowledge, compliance, and business impact assessments. By making risk visible, measurable, and actionable, organizations can make better business decisions, reduce cost, and decrease risk.
Without knowing the organization’s compliance posture, which requires insight into compensating controls, control failures, and automated assessment findings, decision makers do not have sufficient context to determine their risk posture. Thus, it is essential to automate governance and compliance processes as much as possible to maintain a near real-time view into compliance.
When automating IT compliance programs, organizations should follow a data-driven rather than a process-driven approach. Integrating data feeds from a variety of IT and security tools for performing assessment, monitoring, and documenting of security controls will provide continuous visibility into the current compliance posture. Furthermore, cross-mapping security controls to specific regulations and industry standards enables a “test-once, comply-to-many” approach. This allows IT staff to document compliance to multiple regulations and standards using fewer steps and resources.
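To make the “test-once, comply-to-many” idea concrete, here is an added example (not code from the article or from any vendor product) of a control cross-map: each internal control is assessed once, and its result is propagated to every framework requirement that cites it. The control IDs, framework names, requirement numbers and assessment results are all constructed placeholders, not clauses of any real standard.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    NOT_TESTED = "not_tested"


# Constructed sample: the latest automated assessment result for each
# internal control. IDs and outcomes are invented for illustration.
CONTROL_RESULTS = {
    "AC-01": Result.PASS,        # unique accounts, MFA enforced
    "AC-02": Result.FAIL,        # dormant accounts disabled within 30 days
    "CM-01": Result.PASS,        # hardened baseline configuration applied
    "AU-01": Result.PASS,        # audit logging enabled and forwarded
    "SI-01": Result.NOT_TESTED,  # patch SLA met (no data feed yet)
}

# Constructed cross-map: each framework requirement lists the internal
# controls whose evidence satisfies it. Requirement IDs are placeholders.
CROSSMAP = {
    "Framework-A": {
        "A-1.1": ["AC-01"],
        "A-1.2": ["AC-01", "AC-02"],
        "A-4.3": ["AU-01"],
    },
    "Framework-B": {
        "B-7": ["AC-01"],
        "B-9": ["CM-01", "SI-01"],
        "B-10": ["AU-01"],
    },
}


def requirement_status(controls, results):
    """A requirement passes only if every mapped control passed; one failing
    control fails it; otherwise the posture is unknown (not yet tested)."""
    statuses = [results.get(c, Result.NOT_TESTED) for c in controls]
    if Result.FAIL in statuses:
        return Result.FAIL
    if Result.NOT_TESTED in statuses:
        return Result.NOT_TESTED
    return Result.PASS


def compliance_posture(crossmap, results):
    """Per-framework, per-requirement status derived from the single set of
    control test results: this is the test-once, comply-to-many step."""
    return {
        framework: {req: requirement_status(ctrls, results) for req, ctrls in reqs.items()}
        for framework, reqs in crossmap.items()
    }


def coverage_summary(posture):
    """Percentage of requirements passing per framework, for a dashboard."""
    return {
        fw: round(100 * sum(s is Result.PASS for s in reqs.values()) / len(reqs), 1)
        for fw, reqs in posture.items()
    }


def reuse_factor(crossmap):
    """How many requirements, across all frameworks, one control test satisfies.
    High numbers are where automating a single test pays off most."""
    counts = {}
    for reqs in crossmap.values():
        for ctrls in reqs.values():
            for c in ctrls:
                counts[c] = counts.get(c, 0) + 1
    return counts


def blocking_controls(crossmap, results):
    """Controls that are failing or untested, with every requirement they
    hold back: the shortest remediation list to raise posture everywhere."""
    blocked = {}
    for reqs in crossmap.values():
        for req, ctrls in reqs.items():
            for c in ctrls:
                if results.get(c, Result.NOT_TESTED) is not Result.PASS:
                    blocked.setdefault(c, []).append(req)
    return blocked


if __name__ == "__main__":
    posture = compliance_posture(CROSSMAP, CONTROL_RESULTS)
    print(coverage_summary(posture))
    print(reuse_factor(CROSSMAP))
    print(blocking_controls(CROSSMAP, CONTROL_RESULTS))
```

With the constructed data, fixing the one failing control (AC-02) clears a requirement in Framework-A, and wiring up the missing data feed for SI-01 turns an unknown into an answer for Framework-B; neither requires re-running any other test. That is the “fewer steps and resources” the paragraph describes.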
Continuous monitoring and automated remediation
To defend against the persistent threat from sophisticated cyber-attacks, it’s critical to streamline security intelligence gathering and analysis, as well as risk remediation. A recent market research study conducted by Evalueserve on behalf of McAfee found that many organizations are struggling to balance regulatory compliance within an ever-changing threat landscape.
Despite using a bevy of security solutions, including perimeter intrusion detection, signature-based malware detection, and anti-virus solutions, most organizations are unable to stay ahead of emerging threats. That’s because security tools operate in a silo-based fashion and are not integrated and interconnected to enable closed-loop, continuous monitoring. Furthermore, the majority of existing security products lack the ability to assign risk-based prioritization. They produce a wealth of data logs, but do not indicate which vulnerabilities need to be mitigated first.
To achieve continuous monitoring, the management of security vulnerabilities and incidents must be prioritized based on risk exposure and impact to the organization. Progressive Security Risk Management tools assist organizations in overcoming these challenges by mapping security controls and vulnerabilities to key risk indicators in real time. They can also perform risk assessments on security incidents and vulnerabilities, and prescribe automated remediation based on policies.
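The two preceding paragraphs describe prioritizing findings by risk exposure and business impact, tying them to a key risk indicator, and prescribing remediation from policy. The following is an added example of that loop (it is not code from the article or from any product): scanner severity is weighted by the asset’s business impact, raised for internet exposure and for threat-intelligence evidence of active exploitation, then fed to a policy table that chooses the remediation action. Assets, vulnerability IDs, scores and thresholds are all constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_impact: int    # 1 (low) .. 5 (critical), from the business impact assessment
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder identifier, not a real CVE
    asset: Asset
    severity: float         # 0.0 .. 10.0 base score as reported by the scanner
    actively_exploited: bool  # threat-intelligence flag
    patch_available: bool


# Constructed inventory and scanner output; none of these are real systems.
WEB01 = Asset("web01", business_impact=4, internet_facing=True)
HR_DB = Asset("hr-db", business_impact=5, internet_facing=False)
DEV_VM = Asset("dev-vm", business_impact=1, internet_facing=False)

FINDINGS = [
    Finding("VULN-0001", WEB01, 9.8, actively_exploited=True, patch_available=True),
    Finding("VULN-0002", HR_DB, 7.5, actively_exploited=False, patch_available=True),
    Finding("VULN-0003", DEV_VM, 9.8, actively_exploited=False, patch_available=True),
    Finding("VULN-0004", WEB01, 5.3, actively_exploited=False, patch_available=False),
]

# Constructed policy thresholds (assumed values, tune to the organization).
AUTO_REMEDIATE_AT = 15.0   # risk at which policy allows unattended patching
HIGH_TICKET_AT = 5.0       # risk at which a high-priority ticket is raised
KRI_THRESHOLD = 10.0       # risk that counts an asset as "exposed" for the KRI


def risk_score(f):
    """Exposure-adjusted risk: severity scaled by business impact (0.2..1.0),
    x1.5 when reachable from the internet, x2 when actively exploited."""
    score = f.severity * (f.asset.business_impact / 5)
    if f.asset.internet_facing:
        score *= 1.5
    if f.actively_exploited:
        score *= 2.0
    return round(score, 2)


def prioritize(findings):
    """Findings ordered by risk, highest first: what to mitigate first."""
    return sorted(findings, key=risk_score, reverse=True)


def remediation_action(f):
    """Policy-driven action. Patching is only automated above the threshold
    and when a patch exists; otherwise an isolating compensating control or a
    ticket with the matching priority is prescribed."""
    score = risk_score(f)
    if score >= AUTO_REMEDIATE_AT:
        return "auto-patch" if f.patch_available else "isolate-and-compensate"
    if score >= HIGH_TICKET_AT:
        return "ticket-high"
    return "ticket-normal"


def kri_high_impact_assets_exposed(findings, min_impact=4):
    """Key risk indicator: percentage of high-impact assets carrying at least
    one finding whose risk exceeds KRI_THRESHOLD."""
    high_impact = {f.asset for f in findings if f.asset.business_impact >= min_impact}
    if not high_impact:
        return 0.0
    exposed = {f.asset for f in findings
               if f.asset in high_impact and risk_score(f) >= KRI_THRESHOLD}
    return round(100 * len(exposed) / len(high_impact), 1)


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f.vuln_id, f.asset.name, risk_score(f), remediation_action(f))
    print("KRI: high-impact assets exposed =", kri_high_impact_assets_exposed(FINDINGS), "%")
```

The ordering is the point: a scanner would rank the two 9.8 findings equally, but once business impact and exposure are applied, the 9.8 on the isolated dev VM falls below the 7.5 on the HR database, and the actively exploited finding on the internet-facing web server is the only one that clears the automated-remediation bar.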
Increasing operational efficiency
Applying Security Risk Management concepts can dramatically increase operational efficiency by:
- Making threats and vulnerabilities visible and actionable
- Centralizing security intelligence, streamlining processes, and adding automation
- Providing continuous risk posture assessment and measurement
- Eliminating duplication of compliance efforts across different standards and frameworks
- Streamlining collaboration between security and IT operations teams
Reining in IT security, regulatory compliance, and IT operations is no easy task. However, by using the Security Risk Management principles described above and with the right amount of planning, it is possible to put the IT security genie back in the bottle and keep it there.
Torsten George is vice president Worldwide Marketing and Products for IT security and risk management vendor Agiliance.