In almost all my daily conversations with clients, the topics of security or mitigating risk seem to be at the forefront of their minds. Companies and individuals seem to be a daily target, and why not? If you look at today’s trends it’s easy to understand the motivation of the criminal and the vulnerability of the company or individual.
Consider these top trends in our cyber world today:
- Increase in business network complexity
  - Bigger networks
  - Lack of visibility to recognize attacks and ploys
  - Fewer trained network employees
- Increasing criminal motivation
  - Huge increase of information online
  - More money on the net
- Increasing commoditization of weapon-focused software
  - Hack for pay
  - Tools to hack for pay
  - Including specialized attack methods and support
- Lack of user knowledge
  - More users
  - More access methods
  - No training
Recently I was in strategy discussions with the superintendent and the director of technology of a large school district. The topic of cloud computing, and the security concerns that come with it, came up. The director of technology asked me, “How can I be guaranteed, in writing, that my information will be 100 percent safe in the cloud?” I immediately turned to the superintendent and said, “Mr. Soup, I am planning to send my daughters to this school, but before I do, I want you to guarantee me, in writing, that they will be 100 percent safe while on this campus.” He laughed, but he also realized the point of the analogy.
Overcoming security concerns is all about educating the customer
More often than not, when the topic of security comes up, one of the following tends to happen with sales staff:
- They shy away from the topic or wait until an SME can come in to talk with the client.
- The discussion gets so far into the weeds that everyone is left in a confused daze with no action taken.
- The client is alienated through interrogation.
However, I have found that laying out a framework for the “security conversation” not only allows for a good business conversation, but also educates the client in the process and surfaces possible gaps or needs that we can fulfill. The framework for the security conversation is as follows:
Start at a high level with the CIA principle:
A simple but widely applicable security model is the CIA triad. CIA is a widely used benchmark for evaluating information systems security, focusing on the three core goals of confidentiality, integrity and availability of information.
- Confidentiality: Confidentiality revolves around the principle of “least privilege.” This principle states that access to information, assets, etc., should be granted only on a need-to-know basis, so that information meant for a limited audience is not accessible to everyone.
- Integrity: Integrity makes sure that the information is not tampered with, whether it is traveling from source to destination or stored at rest.
- Availability: Ensures that the services of an organization remain available to the people who need them.
Identify Specific Needs:
- Access: This is a predetermined level of access to resources or information.
  - Access talking point:
    - Access control – Ensure that only legitimate users and traffic are allowed on the network or on network devices.
- Authentication: The positive identification of a device or individual seeking access to secured information, services or resources on the network.
  - Authentication talking point:
    - Encryption – Ensures that data, even if intercepted, cannot be read by anyone other than the intended party.
- Accounting: This is simply the visibility into, or logging of, the use of each resource on the network.
  - Accounting talking point:
    - 24/7 management and monitoring – Oversight and insight for critical devices, including servers, infrastructure and peripheral devices.
Look to Apply or Maintain Safeguards:
- Physical: Physically secure all computing and data storage equipment that houses or transmits organization data and sensitive information.
  - Make sure access to the data center is restricted to authorized personnel.
  - If utilizing a cloud partner, make sure they are compliant and so are you: SSAE 16, HIPAA, PCI, etc. This gives you confidence that the company follows the most rigorous standards for controls and safeguards available when hosting or processing your data.
- Administrative: Institute a security policy, including documentation of data handling procedures specific to your company or organization.
  - Proper handling of confidential information and of the equipment that accesses that information.
  - Proper password management, including the use of complex passwords and regular resetting of network passwords (e.g., every 90 days).
- Technical: Utilize software, expertise, benchmarks and layered controls to ensure heightened security.
  - Access controls / single sign-on.
  - A backup and disaster recovery plan that spells out what happens if a disaster strikes and what must be accounted for regarding data backup and restoration.
Utilizing all of these tactics and concepts will not only make the security conversation easier, it will also make everyone feel a lot more comfortable about security in general.