Please tell me This is not Y2K again!

The best way if translating this is to consider the following steps:

1. Develop a security testing plan that gives consideration as to what has or has not been security tested. A useful way to explain this is to liken it to how safety testing is often carried out in a manufacturing environment for the electrical safety of equipment. The total population of electrical assets is catalogued; a test plan developed based on the criticality of the asset, its usage, and any occupational health critical considerations included that must be addressed. The cycle of testing is determined, planned, performed and reported on. This paradigm can be usefully applied in a security context too.

2. Identify where security testing should be performed so as to ensure the best value for money. There is generally not an endless pit of money to spend, so best to test high risk/ high-value areas to the enterprise.

3. Holistically applying a security testing approach is critical. The reality is that IT may not always be the custodian of all IT systems and processes and the increasing presence of SAAS products and locally used business application and devices, including IoT devices, should be included in the approach.

4. With an ever-increasing utilisation of web-based applications for the delivery of systems and tools within an enterprise, web application penetration is critical as ever. Combined with a process to test the security of code during development, there is a strong return on the security testing investment as it is far more efficient to remediate earlier than later.

5. Security governance needs a focus of its own and we consider this to be critical to successfully conclude on how security is being managed. Included in the security and privacy governance assessment process are:

• Data and system classification

• Policy and governance

• Operational and technical security risks

• Impact of changing business conditions

• Compliance/regulatory/legal exposure

• Business continuity capabilities

• Executive management involvement

• Internal security

• Internet and website

• Wireless communications

• Physical security

Where to from here

There is no silver bullet or panacea in dealing with the cyber security beast. However, there are ways to ensure that even small to medium-sized organisations are able to develop an approach to security testing that sits nicely with risk management techniques. I consider that the application of a risk-based approach ensures the maximising of testing and governance resources. The useful way to do this is to as a minimum consider these matters:

• Know and test those systems, devices and platforms where the greatest risk exists using a consistent risk approach;

• Sadly, security testing and the implementation of security products are not the panaceas. They make up a substantial component, but systems / cyber security needs to be viewed in a multi-dimensional manner;

• The strengthening of governance processes over security is critical and the absence of a robust approach could mean that a piecemeal approach is being adopted which is ultimately a sub-optimum approach; and

• If all the above are in place, well its worthwhile assessing and understanding what your critical business partners are doing regarding security, ensuring you are not leaving a side window open!

Michael Shatter is the National Director, Security and Privacy Risk Services at RSM Australia, having racked up over 25 years’ experience in the performance of information technology security reviews and assessment, and yet, still enjoying the opportunities to discuss these issues with management and their boards.