IT security: How to put the genie back in the bottle

Summary: It’s time to rethink the way an organization approaches security and compliance.

TOPICS: Security

Commentary - Regulatory compliance, cyberattacks, insider threats: the list goes on. Gaining control over IT security is a big, messy problem for most large organizations, and it is getting worse with increasing regulatory requirements, more targeted attacks from criminal groups, and the potential for insider abuse. While security can equal compliance, compliance does not equal security.

Because these threats are persistent, point-in-time compliance approaches to security are doomed to fail. Instead, the risk-based approach to security recommended by organizations such as the National Institute of Standards and Technology (NIST) is the better path.

The dilemma
For many years, complying with government standards and industry regulations was seen as an obligatory check box in the lengthy list of IT security tasks. But with more than 855 security incidents reported in 2011 affecting more than 174 million records, it is time to rethink the way an organization approaches security and compliance.

Due to the potential physical and economic repercussions of attacks against critical infrastructure and information systems, cyber security has captured the attention of many CISOs, boards of directors, and even the legislature. New regulatory guidelines such as the SEC cyber guidance and mandates such as FISMA, FedRAMP, and NIST SP 800-137 have emerged and require continuous monitoring of an organization’s compliance and security posture. The ultimate goal is to increase situational awareness, streamline remediation actions to minimize the attack surface, and lower the overall risk and business impact for an organization.

To achieve a context-aware, risk-based view across IT, security, and business operations, organizations are turning to Security Risk Management. This requires combining threat intelligence, vulnerability knowledge, compliance, and business impact assessments. By making risk visible, measurable, and actionable, organizations can make better business decisions, reduce cost, and decrease risk.

Continuous compliance
Without knowing the organization's compliance posture, which requires insight into compensating controls, control failures, and automated assessment findings, decision makers do not have sufficient context to determine their risk posture. It is therefore essential to automate governance and compliance processes as much as possible in order to maintain a near-real-time view of compliance.

When automating IT compliance programs, organizations should follow a data-driven rather than a process-driven approach. Integrating data feeds from a variety of IT and security tools that assess, monitor, and document security controls provides continuous visibility into the current compliance posture. Furthermore, cross-mapping security controls to specific regulations and industry standards enables a "test-once, comply-to-many" approach: one control test satisfies every requirement it is mapped to, so IT staff can document compliance with multiple regulations and standards using fewer steps and resources.
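To make the "test-once, comply-to-many" idea concrete, here is an added example (not code from the article or from any vendor) that folds one set of automated control results onto several frameworks through a cross-map; the control IDs, framework requirement numbers and results are constructed for illustration.

```python
"""Test-once, comply-to-many: one assessment feed, several compliance postures.
Added illustration; the cross-map and results below are constructed samples."""
from collections import defaultdict

# Constructed cross-map: internal control -> framework requirements it satisfies.
CROSS_MAP = {
    "CTL-01 patch SLA":       {"NIST 800-53": ["SI-2"], "PCI DSS": ["6.2"]},
    "CTL-02 AV on endpoints": {"NIST 800-53": ["SI-3"], "PCI DSS": ["5.1"]},
    "CTL-03 log review":      {"NIST 800-53": ["AU-6"], "PCI DSS": ["10.6"], "SOX": ["ITGC-4"]},
    "CTL-04 access reviews":  {"NIST 800-53": ["AC-2"], "SOX": ["ITGC-1"]},
}

# Constructed assessment feed: the latest automated result for each control.
RESULTS = {
    "CTL-01 patch SLA": "fail",
    "CTL-02 AV on endpoints": "pass",
    "CTL-03 log review": "compensating",   # manual review stands in for an automated rule
    "CTL-04 access reviews": "pass",
}

def compliance_posture(cross_map, results):
    """Return {framework: {"satisfied": [...], "failed": [...], "compensating": [...]}}.
    A control with no result is treated as failed, so gaps in the feed surface as findings."""
    posture = defaultdict(lambda: {"satisfied": [], "failed": [], "compensating": []})
    for control, frameworks in cross_map.items():
        status = results.get(control, "fail")
        bucket = {"pass": "satisfied", "fail": "failed"}.get(status, "compensating")
        for framework, requirements in frameworks.items():
            posture[framework][bucket].extend(requirements)
    return dict(posture)

def coverage(posture, framework):
    """Share of mapped requirements met outright; compensating controls are not counted as met."""
    p = posture[framework]
    total = len(p["satisfied"]) + len(p["failed"]) + len(p["compensating"])
    return len(p["satisfied"]) / total if total else 0.0

if __name__ == "__main__":
    posture = compliance_posture(CROSS_MAP, RESULTS)
    for framework in posture:
        print(f"{framework}: {coverage(posture, framework):.0%} met, failed: {posture[framework]['failed']}")
```

The single failed patch-SLA test shows up as a finding under both NIST 800-53 and PCI DSS without a second assessment.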

Continuous monitoring and automated remediation
To defend against the persistent threat from sophisticated cyber-attacks, it’s critical to streamline security intelligence gathering and analysis, as well as risk remediation. A recent market research study conducted by Evalueserve on behalf of McAfee found that many organizations are struggling to balance regulatory compliance within an ever-changing threat landscape.

Despite using a bevy of security solutions, including perimeter intrusion detection, signature-based malware detection, and anti-virus products, most organizations are unable to stay ahead of emerging threats. That is because security tools operate in silos and are not integrated and interconnected to enable closed-loop, continuous monitoring. Furthermore, the majority of existing security products lack the ability to assign risk-based prioritization: they produce a wealth of log data but do not indicate which vulnerabilities need to be mitigated first.

To achieve continuous monitoring, the management of security vulnerabilities and incidents must be prioritized based on risk exposure and impact to the organization. Progressive Security Risk Management tools assist organizations in overcoming these challenges by mapping security controls and vulnerabilities to key risk indicators in real time. They can also perform risk assessments on security incidents and vulnerabilities, and prescribe automated remediation based on policies.
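The prioritization the two paragraphs above describe, as an added example that is not code from the article or from any vendor's product: each finding is scored by severity, by the business impact of the asset it sits on, and by threat exposure, and a constructed policy maps the score to a remediation action. All findings, asset weights and thresholds are constructed samples.

```python
"""Risk-based prioritization of vulnerability findings.
Added illustration; assets, findings and policy thresholds are constructed."""
from dataclasses import dataclass

@dataclass
class Finding:
    vuln_id: str
    asset: str
    cvss: float               # base severity from the scanner, 0-10
    exploited_in_wild: bool   # threat-intelligence feed reports active exploitation
    internet_facing: bool     # exposure taken from the asset inventory

# Constructed business-impact assessment: asset -> criticality (1 = low, 5 = crown jewels).
CRITICALITY = {"payroll-db": 5, "web-store": 4, "print-server": 1}

def risk_score(f: Finding) -> float:
    """Severity x business criticality x threat exposure; unknown assets get a middling weight."""
    exposure = 1.0
    if f.internet_facing:
        exposure += 1.0
    if f.exploited_in_wild:
        exposure += 2.0
    return f.cvss * CRITICALITY.get(f.asset, 2) * exposure

def remediation_action(score: float) -> str:
    """Constructed policy: thresholds a real program would set from its own risk appetite."""
    if score >= 100:
        return "patch-now"
    if score >= 40:
        return "patch-this-cycle"
    return "accept-or-schedule"

def prioritize(findings):
    """Return findings highest risk first as (vuln_id, asset, score, prescribed action)."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.vuln_id, f.asset, round(risk_score(f), 1), remediation_action(risk_score(f)))
            for f in ranked]

# Constructed scanner output: note the highest CVSS sits on the least important asset.
SAMPLE = [
    Finding("VULN-A", "print-server", 9.8, exploited_in_wild=False, internet_facing=False),
    Finding("VULN-B", "payroll-db", 6.5, exploited_in_wild=True, internet_facing=False),
    Finding("VULN-C", "web-store", 7.5, exploited_in_wild=True, internet_facing=True),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```

Ranking by CVSS alone would put VULN-A first; with asset impact and threat exposure folded in, the exposed, actively exploited web-store finding and the crown-jewel database come ahead of it.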

Increasing operational efficiency
Applying Security Risk Management concepts can dramatically increase operational efficiency by:

  • Making threats and vulnerabilities visible and actionable
  • Centralizing security intelligence, streamlining processes, and adding automation
  • Providing continuous risk posture assessment and measurement
  • Eliminating duplication of compliance efforts across different standards and frameworks
  • Streamlining collaboration between security and IT operations teams

Reining in IT security, regulatory compliance, and IT operations is no easy task. However, by applying the Security Risk Management principles described above, and with the right amount of planning, it is possible to put the IT security genie back in the bottle and keep it there.

Torsten George is vice president Worldwide Marketing and Products for IT security and risk management vendor Agiliance.

  • Waaaay too much jargon

    Increasing inter-company data sharing about new threats was the whole point of CISPA.

    I'm not saying that the point is wrong, but the author is the VP of marketing for an IT security vendor arguing that the solution is to use IT security vendors. This may not have been immediately clear from the article since there were so many business terms and jargon to wade through.
    • Jargon and Obfuscation is how he makes his money

      Most folks (including CIOs) will look at the mess of eye-bleed and say that is why I hired the guys in the Information Protect Dept. or whatever they call IT security. It all boils down to
      1. Buy an AV product you can manage.
      2. Keep your machines patched centrally (that really should be number 1)
      3. Make sure your Devs don't do stupid stuff (IE create web facing code vulnerable to XSS attacks)
      4. Encrypt your Mobile Devices.
      5. Quit trying to protect everything. Figure what your crown jewels are and protect those.
      6. Put your BYOD devices in a Sandbox so they can't touch anything important. (citrix VMWare whatever)
      7. (re)Educate your employees on the evils of phishing and scams (See #3 for your Devs)
      8. Run some kind of audit (like foundstone) to check 1 and 2
      9. Run background checks on your employees
      10. Stay away from IT security consulting firms; they charge you big money for a ton of custom PDFs that detail steps 1-9