By Michael Shatter, Partner, National Director, Security and Privacy Risk Services, RSM Australia
I know, I know, yet another article on cyber security. However, sometimes the only way to get a message across is to keep telling the story. There is no doubt, cyber security is in danger of becoming one of those issues where the message keeps being repeated, yet it remains a challenge to tackle it effectively and efficiently. In some way, the message about cyber security is not too dissimilar to Y2K (although many still are skeptical about the Y2K mania in any case).
There are similarities in that Y2K risks were difficult to see; just as cyber security risks are often difficult to see. That is, until a business-critical system is attacked by ransomware or malware infects your environment, although you only find out 7 months later when it is discovered that $100,000 has been transferred from your account and withdrawn from the bank with no recourse.
However, an important difference being that cyber risks can be more definitely be identified and mitigated. How? through structured testing, review and reporting procedures. The results of which provide empirical evidence of what the risk is and therefore affording the opportunity to at least make an informed decision on how the risk should be remediated. The skill is doing so in a way that aligns with the risk appetite and profile of the organization. Alignment is critical. Without alignment of the identified risks and mitigation strategies, there will likely be a mismatch between security risks, solutions, and strategies.
To provide the best understanding of an organisations security posture, it is not only the technical results of security testing that are relevant, it is an understanding of how security governance processes provide an envelope around the security and assurance activities. While the governance processes provides useful outputs in their own right, combining the two moves towards a balanced approach, involving both the performance of technical security testing and assessment of security governance procedures.
The IT industry is skilled in applying systematic, methodical and planned processes when it comes to activities such as systems development and testing. Therefore, it seems natural, that the same strengths in planning, preparation, delivery, and analysis are applied to security testing. Sure, the big end of town is resourced and doing this well. The challenge for small to medium size enterprises is applying this well-known approach to business units that may not be as well funded and where there are competing business priorities. I don’t need to state the obvious, that this is a challenge for many IT groups and management teams.
The opportunity to respond to this risk may be assisted by not only a risk-based approach on how resources are allocated to testing activities but to marry the risk analysis to an assessment of security governance processes. Technical security solutions (systems and devices) are an absolutely critical and necessary element, but I believe organisations should be structured as to how security is managed holistically across the business.
Develop a security testing plan that gives consideration as to what has or has not been security tested
The best way if translating this is to consider the following steps:
1. Develop a security testing plan that gives consideration as to what has or has not been security tested. A useful way to explain this is to liken it to how safety testing is often carried out in a manufacturing environment for the electrical safety of equipment. The total population of electrical assets is catalogued; a test plan developed based on the criticality of the asset, its usage, and any occupational health critical considerations included that must be addressed. The cycle of testing is determined, planned, performed and reported on. This paradigm can be usefully applied in a security context too.
2. Identify where security testing should be performed so as to ensure the best value for money. There is generally not an endless pit of money to spend, so best to test high risk/ high-value areas to the enterprise.
3. Holistically applying a security testing approach is critical. The reality is that IT may not always be the custodian of all IT systems and processes and the increasing presence of SAAS products and locally used business application and devices, including IoT devices, should be included in the approach.
4. With an ever-increasing utilisation of web-based applications for the delivery of systems and tools within an enterprise, web application penetration is critical as ever. Combined with a process to test the security of code during development, there is a strong return on the security testing investment as it is far more efficient to remediate earlier than later.
5. Security governance needs a focus of its own and we consider this to be critical to successfully conclude on how security is being managed. Included in the security and privacy governance assessment process are:
• Data and system classification
• Policy and governance
• Operational and technical security risks
• Impact of changing business conditions
• Compliance/regulatory/legal exposure
• Business continuity capabilities
• Executive management involvement
• Internal security
• Internet and website
• Wireless communications
• Physical security
Where to from hereThere is no silver bullet or panacea in dealing with the cyber security beast. However, there are ways to ensure that even small to medium-sized organisations are able to develop an approach to security testing that sits nicely with risk management techniques. I consider that the application of a risk-based approach ensures the maximising of testing and governance resources. The useful way to do this is to as a minimum consider these matters:
• Know and test those systems, devices and platforms where the greatest risk exists using a consistent risk approach;
• Sadly, security testing and the implementation of security products are not the panaceas. They make up a substantial component, but systems / cyber security needs to be viewed in a multi-dimensional manner;
• The strengthening of governance processes over security is critical and the absence of a robust approach could mean that a piecemeal approach is being adopted which is ultimately a sub-optimum approach; and
• If all the above are in place, well its worthwhile assessing and understanding what your critical business partners are doing regarding security, ensuring you are not leaving a side window open!
Michael Shatter is the National Director, Security and Privacy Risk Services at RSM Australia, having racked up over 25 years’ experience in the performance of information technology security reviews and assessment, and yet, still enjoying the opportunities to discuss these issues with management and their boards.