A recent McKinsey Quarterly article, “Meeting the Cybersecurity Challenge,” made several good points including:
- Corporations must adopt approaches to cybersecurity that will require much more engagement from the CEOs, Boards and other senior executives to protect critical business information without constraining innovation and growth.
- Over the past five years, hundreds of millions of dollars have been spent to leverage technology and process change to address cybersecurity threats.
- Taking a purely technical approach to solving the problem, or at least part of the problem, can often have a negative effect on the business by too tightly constraining how partners, suppliers, customers and employees interact with applications, data and physical infrastructure.
- Based on input received from interviews with information security leaders at 25 large corporations, there does seem to be a move to address cybersecurity as part of their business strategy, rather than just from a technology perspective.
- Leading corporations are moving their focus away from perimeter security and locking down devices or locations. Instead, they are paying more attention to roles all along the value chain and securing data.
There seems to be a consensus that threats are coming at an increasing pace, are constantly evolving, are very complex, and are highly sophisticated. Large enterprises continue to have highly public security breaches with no end in sight. The negative impact of many of these breaches are making cybersecurity a common agenda item at the Board level.
Historically, information security has been handled by perimeter security experts leveraging firewalls, and information security departments managing authentication and authorization rights. A much more comprehensive security architecture or model can be developed by look holistically across business processes, application and data architectures, roles, access/authority rights, and perimeter security. . Expanding on one of McKinsey’s examples, by having credit card numbers in one database, expiration dates in another, names in another, and addresses in a fourth, a cyber criminal would have to breach security multiple times, or ways, to get valuable information. Each component of the information can be linked together with a unique identifier stored in an identity vault (the most secure form of database in the enterprise).
More than typical business process participants, malicious system administrators, data base administrators and application developers can pose a huge risk to organizations. By architecting the separation of role-access to collectively sensitive data (e.g., an administrator may be able to access credit card numbers, but not name or expiration date) in the identity management system, and implementing automated rules or policies to identify and mitigate infractions, risks can be greatly minimized while allowing business processes to perform smoothly and efficiently. . The security model is even more complicated when cloud-based storage, infrastructure or applications are prevalent in a large organization.
Extrapolating from the article, I’ve identified six steps to move toward a Business-driven cybersecurity model:
- Have executive level involvement and include both business and technology perspectives: This is easy to say, but in many organizations it can be difficult for two main reasons. 1 – Many executives feel they are responsible for running the business and strategy and are not overly interested the details and complexity associated with solving cybersecurity issues. 2- Technologists and process engineers are not accustomed to communicating complex security solution options effectively to senior management.
- Classify data risk across the enterprise and the entire value chain (e.g., where it is accessed by suppliers, partners, employees, customers). Developing a framework by which to evaluate and classify data is very achievable. Developing consensus with executives on whose data is more critical to the operation of the enterprise is often where the more difficult challenges arise. With the sensitive data identified, efforts can be focus on securing the highest risk data. This is where dis-aggregating data into less sensitive sub-components, such as separating credit card numbers and expiration dates into different databases, can greatly simplify the risk mitigation task.
- Identify which business processes and process participants access sensitive data or make use of applications that use sensitive data. Changing the way a business process accesses data can be the simplest, and least technical, approach to mitigating security issues. Separation of duties in financially significant processes is a common practice, such as the person who writes the checks can not also sign them. The same concept can be applied more broadly to secure other types of sensitive data at the business process level.
- Determine which applications have access to what data (at least for the high-risk data). A little used approach to reduce cybersecurity threats is separating application functionality and access rights to data based on security sensitivity. As the complexity and negative impact of these threats continue to increase, this application architecture approach will become more prevalent. Going back to the credit card example, an application subsystem that is highly secure from both a physical and a logical perspective could be the only application that accesses the credit card expiration date. That subsystem could then provide the core credit card processing application a “valid” or “invalid” judgment rather than the actual data.
- Balance security effort, expense and impact on the business against the risk profile of the data. Focus remediation on the most critical data in the enterprise i.e., don’t polish acorns in the backyard. Many organizations apply common security techniques to vast amounts of information. For the initial basic layers of security, that’s ok, but the highest risk data should be addressed differently than the general business operation data.
- Develop a comprehensive security architecture or model by looking holistically across business processes, application and data architectures, roles, access/authority rights, and perimeter security. The layered approach works well for the majority of data in a large enterprise. At the center, multiple approaches should be used to secure the most sensitive data. That way, a perpetrator may figure out how to access one element of sensitive data, but the techniques are useless to wreak broader havoc.
To be successful, Cybersecurity must:
- be a consistent agenda item for the CEO and Board because it will continue to evolve with business and technology change
- be cross-functional in composition to ensure business needs and information security are both appropriately considered across the enterprise
- balance the effort and cost of security against the risk of exposure
- leverage business processes, application and data architectures, roles, access/authority rights, and perimeter security to create the appropriate level of security based on the risk associated with potential exposure.
- develop solutions that cut across business strategy, operations, risk management, legal and technology functions