We recently revisited a 2011 McKinsey article, “Meeting the Cybersecurity Challenge,” which made several points that hold up in today's environment:
- Leaders should adopt approaches to cybersecurity that will require much more engagement from senior executives to protect critical information without constraining innovation and growth.
- Taking a purely technical approach to solving the problem, or at least part of the problem, can often have a negative effect by too tightly constraining how partners, suppliers, customers and employees interact with applications, data and physical infrastructure.
- Businesses are still moving towards addressing cybersecurity as part of their overall strategy, rather than just from a technology perspective.
- Leading organizations are still shifting their focus away from perimeter security and locking down devices or locations. Instead, they are paying more attention to roles all along the value chain and securing data.
Threats are coming at an increasing pace, are constantly evolving, and are both complex and highly sophisticated. Large organizations continue to have highly public security breaches with no end in sight. The negative impact of many of these breaches is making cybersecurity a common agenda item at the top management level.
Historically, information security has been handled by perimeter security experts leveraging firewalls, and information security departments managing authentication and authorization rights. A much more comprehensive security architecture or model can be developed by looking holistically across processes, application and data architectures, roles, access/authority rights, and perimeter security.
Expanding on one of McKinsey’s examples, by having credit card numbers in one database, expiration dates in another, names in another, and addresses in a fourth, a cyber criminal would have to breach security multiple times, or in multiple ways, to get valuable information. Each component of the information can be linked together with a unique identifier stored in an identity vault (the most secure form of database).
More than typical agency process participants, malicious system administrators, database administrators and application developers can pose a huge risk to federal agencies. By architecting the separation of role-access to collectively sensitive data (e.g., an administrator may be able to access credit card numbers, but not name or expiration date) in the identity management system, and implementing automated rules or policies to identify and mitigate infractions, risks can be greatly minimized while allowing processes to perform smoothly and efficiently. The security model is even more complicated when cloud-based storage, infrastructure or applications are prevalent in a large agency.
Based on our extensive experience in both private and federal sectors, we’ve identified six steps to move toward a more efficient cybersecurity model:
- Insist on leadership involvement and include both business and technology perspectives. This is easy to say, but in many organizations it can be difficult for two main reasons: (1) many leaders feel they are responsible for running the operations and strategy and are not overly interested in the details and complexity associated with solving cybersecurity issues; (2) technologists and process engineers are not accustomed to communicating complex security solution options effectively to senior management.
- Classify data risk across the organization and the entire value chain (e.g., where it is accessed by suppliers, partners, employees, customers). Developing a framework by which to evaluate and classify data is very achievable. Developing consensus with top management on whose data is more critical to the operation of the agency is often where the more difficult challenges arise. With the sensitive data identified, efforts can be focused on securing the highest-risk data. This is where disaggregating data into less sensitive subcomponents, such as separating credit card numbers and expiration dates into different databases, can greatly simplify the risk mitigation task.
- Identify which processes and process participants access sensitive data or make use of applications that use sensitive data. Changing the way a process accesses data can be the simplest, and least technical, approach to mitigating security issues. Separation of duties in financially significant processes is a common practice; for example, the person who writes the checks cannot also sign them. The same concept can be applied more broadly to secure other types of sensitive data at the process level.
- Determine which applications have access to what data (at least for the high-risk data). A little-used approach to reducing cybersecurity threats is separating application functionality and access rights to data based on security sensitivity. As the complexity and negative impact of these threats continue to increase, this application architecture approach will become more prevalent. Going back to the credit card example, an application subsystem that is highly secure from both a physical and a logical perspective could be the only application that accesses the credit card expiration date. That subsystem could then provide the core credit card processing application a “valid” or “invalid” judgment rather than the actual data.
- Balance security effort, expense and impact on the organization against the risk profile of the data. Focus remediation on the most critical data in the organization, i.e., don’t polish acorns in the backyard. Many organizations apply common security techniques to vast amounts of information. For the initial basic layers of security, that’s OK, but the highest-risk data should be addressed differently than the general operational data.
- Develop a comprehensive security architecture or model by looking holistically across all processes, application and data architectures, roles, access/authority rights, and perimeter security. The layered approach works well for the majority of data in a large organization. At the center, multiple approaches should be used to secure the most sensitive data. That way, a perpetrator may figure out how to access one element of sensitive data, but the techniques are useless to wreak broader havoc.
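The credit card example from the steps above (separate stores linked by a unique identifier, role-separated access, and a subsystem that answers only “valid” or “invalid”), sketched as an added example that is not from McKinsey or the original article. The role names, the `SplitVault` class and the sample card data are assumptions made for illustration.

```python
import secrets
from datetime import date

# Hypothetical roles: each may read exactly one part of the card record.
ROLE_ACCESS = {
    "payments_dba": {"pan"},
    "crm_admin": {"name", "address"},
    "expiry_service": {"expiry"},
}
FIELDS = ("pan", "expiry", "name", "address")


class SplitVault:
    """Four separate stores linked only by an opaque identifier."""

    def __init__(self):
        self.stores = {field: {} for field in FIELDS}
        self.audit = []  # denied reads, kept for automated policy follow-up

    def enroll(self, pan, expiry, name, address):
        ref = secrets.token_hex(16)  # unique identifier; carries no card data
        for field, value in zip(FIELDS, (pan, expiry, name, address)):
            self.stores[field][ref] = value
        return ref

    def read(self, role, field, ref):
        if field not in ROLE_ACCESS.get(role, set()):
            self.audit.append((role, field, ref))
            raise PermissionError(f"{role} may not read {field}")
        return self.stores[field][ref]


def expiry_is_valid(vault, ref, today):
    """Expiry subsystem: returns a verdict, never the date itself."""
    year, month = vault.read("expiry_service", "expiry", ref)
    return (year, month) >= (today.year, today.month)


def demo():
    vault = SplitVault()
    # Constructed sample data (a widely used test card number).
    ref = vault.enroll("4111111111111111", (2030, 6), "A. Sample", "1 Example St")
    verdict = expiry_is_valid(vault, ref, date(2025, 1, 15))
    try:
        vault.read("payments_dba", "expiry", ref)  # outside this role's store
        denied = False
    except PermissionError:
        denied = True
    return verdict, denied, len(vault.audit)
```

The core processing application only ever sees the boolean from `expiry_is_valid`, and the administrator's out-of-role read is both refused and recorded.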
To be successful, cybersecurity must:
- Be a consistent agenda item for the executives because it will continue to evolve with business and technology change
- Be cross-functional in composition to ensure your company's needs and information security are both appropriately considered across the organization
- Balance the effort and cost of security against the risk of exposure
- Leverage organizational processes, application and data architectures, roles, access/authority rights, and perimeter security to create the appropriate level of security based on the risk associated with potential exposure
- Develop solutions that cut across strategy, operations, risk management, legal and technology functions