Security Management: The 5 Key Components To Effectively Secure Your Systems

Moses Xiao
7 min read · Sep 8, 2020


In our interconnected and digital world, cyber security has become a critical investment. It is one of the fastest-growing industries in the world today, with the global cyber security market projected to reach USD 281.74 billion by 2027.

Nowadays, with the advent of new technologies, the term security is no longer limited to physical security. It includes things that are unseen but extremely valuable, such as electronic data (e-data), which includes credit card details and government documents. On a regular basis, we hear about the catastrophic damage or loss that occurs due to security lapses or a lack of security.

For example, in September 2017, American multinational consumer credit reporting agency Equifax announced a data breach that exposed the personal information of 147 million people. Consequently, a highly publicised settlement totaling up to USD 700 million was reached. But more importantly, public sentiment toward the company fell drastically and is still on the rebound three years later.

Here are some other interesting figures:

  • There is a hacker attack every 39 seconds
  • The global average cost of a data breach is $3.9 million across SMBs
  • Since COVID-19, the US FBI reported a 300% increase in reported cybercrimes
  • The total cost of cybercrime committed globally added up to over $1 trillion in 2018
  • Share prices fall 7.27% on average after a breach
  • Most companies take nearly 6 months to detect a data breach, even major ones
  • More than 77% of organizations do not have a Cyber Security Incident Response plan
  • 95% of cybersecurity breaches are due to human error
  • 43% of cyber attacks target small business

As you can see, the dangers are very real. Furthermore, new vulnerabilities and attack methodologies are emerging every day. Organisations that fail to keep pace with looming threats risk revenue loss, brand negativity, and losing consumer trust. Now more than ever, it is imperative for any business to have a safeguard in place.

In this article, we will explore the fundamental building blocks of security and the talent requirements to safeguard our data. We will also look at the required processes that organisations must follow to build a resilient and effective defence system.

Achieving Cyber Security: The CIA Triad

On the whole, cyber security is a very broad term but is based on three foundational concepts known as The CIA Triad. It is a venerable model for identifying problems and implementing solutions in the arena of cyber security. In short, the entire cyber security process is to ensure that any application achieves and maintains these states.

  • Confidentiality: Information is accessible only to those authorised to access it
  • Integrity: Assuring that information and programs are changed only in a specified and authorised manner
  • Availability: Assuring that authorised users have continued access to information and resources

The concepts relating to the people who use that information are:

Authentication: The action of proving or showing something to be valid. Example: If a user doesn’t have a valid username and password, the information must not be shown.

Authorisation: Permission to view/change something. Example: If a user is not granted permission to see financial files, he/she must not have access.

Nonrepudiation: The assurance that someone cannot deny something. Example: If a row in a table is deleted, we must have proof to show who deleted it and when.
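As an added illustration (not code from the original article), the three concepts applied to the article's own examples: a credential check before anything is shown, a permission check before financial files can be touched, and a tamper-evident audit trail that proves who deleted a row and when. The user names, passwords, roles, salt and audit key are constructed for the demo.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample data (not from the article): salt, audit key, users, roles.
_SALT = b"demo-salt-change-me"
AUDIT_KEY = b"demo-hmac-key"  # assumption: held by the audit service, not by ordinary users
AUDIT_LOG = []                # append-only, hash-chained evidence of who did what, and when
def _hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
def _mac(body):  # keyed MAC over a canonical serialisation of one log entry
    return hmac.new(AUDIT_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
USERS = {
    "alice": {"pw": _hash_pw("correct horse"), "role": "finance"},
    "bob":   {"pw": _hash_pw("hunter2"),       "role": "staff"},
}
PERMISSIONS = {"finance": {"read_financial", "delete_row"}, "staff": {"read_public"}}

def authenticate(user, password):  # Authentication: is the caller really the claimed user?
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["pw"], _hash_pw(password))
def authorise(user, action):  # Authorisation: may this authenticated user do the action?
    return action in PERMISSIONS.get(USERS[user]["role"], set())
def record(user, action, target):
    """Nonrepudiation: append an entry that is MACed and chained to the previous one."""
    prev = AUDIT_LOG[-1]["mac"] if AUDIT_LOG else "0" * 64
    entry = {"who": user, "what": action, "target": target,
             "when": datetime.now(timezone.utc).isoformat(), "prev": prev}
    entry["mac"] = _mac(entry)
    AUDIT_LOG.append(entry)
def delete_row(user, password, table, row_id):
    """Apply the three checks in order; the row deletion itself is simulated."""
    if not authenticate(user, password):
        return "denied: authentication failed"   # unknown caller: nothing to attribute
    if not authorise(user, "delete_row"):
        record(user, "delete_row:denied", f"{table}#{row_id}")  # attributable attempt, log it
        return "denied: not authorised"
    record(user, "delete_row", f"{table}#{row_id}")
    return "deleted"
def audit_log_intact():
    """Recompute every MAC and chain link; False if an entry was altered or removed."""
    prev = "0" * 64
    for e in AUDIT_LOG:
        body = {k: v for k, v in e.items() if k != "mac"}
        if body["prev"] != prev or not hmac.compare_digest(_mac(body), e["mac"]):
            return False
        prev = e["mac"]
    return True
```

Because each entry carries a MAC over its content and the previous entry's MAC, an administrator who later edits or drops a log entry breaks the chain, which is what lets the log stand as proof rather than as a claim.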

For most organisations, the general mindset or approach when it comes to security is to use the latest tools and outsource tasks to vendors, thus mitigating security requirements and responsibilities. However, the whole is greater than the sum of its parts. Security is an operational, ongoing process that must be continued forever. Let’s understand why.

Security Is More Than Technology

The natural goal of security is tactical and operational. A best practice is to review where the business is going in two years, before assessing the operational and technical requirements for implementing security.

As technology is dynamic and evolving rapidly, cyber security requirements will also change along with it and require meticulous planning. Cloud computing, Docker containers, and PaaS are just a few examples that have non-traditional security aspects.

Security Is Only As Good As Your Strategy

To succeed in the long run and ensure our data is secure all the time, a plan of action is necessary. We can implement a solid security strategy, which can be broken down into the 4 steps below:

Plan: An organisation must have a security plan looking into its organisational requirements for the near future (such as two years). This plan must have the high-level goals an organisation wants to achieve.

Program: A security program is a set of tasks that an organisation is going to perform in order to accomplish its plan.

Projects: The program can consist of a series of projects. The security project can be viewed as a subset of the program which can be sequential or parallel depending on natural and organisational needs.

Tasks: Each project has a series of tasks to reach a certain goal.

Find The Right People

When it comes to overseeing the company at large, a quality security manager can have a major impact on culture and policy. Generally, an effective security manager should possess strong organisational, analytical, and problem-solving skills.

Highly developed written and verbal communication skills are also essential, as security managers must be able to convey policies and plans to staff and employees. In addition to these general skills, a Security Manager must possess strong core skills, including:

  • Integrating safety and security policies with business operations
  • Evaluating safety and security plans for effectiveness
  • Building and managing emergency response teams
  • Conducting risk audits and assessments
  • Overseeing security investigations

Once we have identified the best person for this role, the security manager must then develop a plan consisting of 4 significant components:

Security Budget: Money assigned for security work within the organisation.

Team: Security is not going to be performed by one single individual. A security team needs a mix of skills and roles: technical experts, a manager, people for everyday operational tasks, reporting, etc.

Metrics: This is where management gets to see their ROI. This also quantifies the task done by the security team. Metrics also serve as road maps to the security team to work in a certain direction if something is missing. This artifact assures management their budget is not going into a black hole.

Reporting: Reporting is really hard for a security person. The security manager must be able to articulate business ramifications concisely to the C-suite. The security manager must be able to sell the value added by the security team to the organisation.

All in all, in order to gain management support, the ultimate goal of a security program must be:

  1. To justify the expense
  2. To maintain that support
  3. To demonstrate value
  4. To ensure compliance with regulations and business goals

Security Roles & Responsibilities

Security is everyone’s responsibility and must be handled with due care and diligence.

Due Care: The care or precautions a reasonable, prudent person would take to protect others from unreasonable harm

  • Protect customer data

Due Diligence: The on-going exercise of due care.

Security must be accepted as a part of the culture of the organisation. As we all know, a chain is only as strong as its weakest link. Most of the time, 85% to be exact, the weakest links can be associated with human error or neglect. We must invest to make sure that everyone takes security as their own responsibility.

It is important to establish who is responsible for executing each part of the security plan before engaging in it. It ensures accountability and assigns an owner to maintain and follow the plan. Some key personnel and their respective duties include:

Information Owner: The person responsible for the protection of information

  • Must be a senior manager
  • Responsible for ensuring that information is protected at all times during the information lifecycle
  • Mandates the protective measures that must be undertaken by the system owner

Local Management: Responsible for ensuring that their staff follow policies and procedures

  • Provide training to staff on security policies
  • Enforcement of regulation within the department
  • Continuous monitoring

Administrator: Trusted personnel with privileged access. They need to be monitored and trained.

Developers:

  • Write and maintain secure code
  • Test business & security functionality
  • Create system documentation

Auditor: Serve as the eyes and ears of management. Provide assurance to management on the effectiveness & appropriateness of controls.

  • Must be independent, skilled and objective

Users:

  • Follow procedures
  • Comply with policy
  • Report on incidents

Don’t Forget To Abide By The Laws

Lastly, it goes without saying that all organisations need to abide by the law based on their geographical location. For multinationals, they can have a few common practices but each location demands something different to fulfill local security-related laws.

It is the security manager’s responsibility to ensure that the organisation’s security program adheres to and complies with relevant laws, regulations, and statutes to avoid unlawful investigations or security actions.

For instance:

  1. Federal laws:
     • Data stored in the cloud needs to be kept within the country
     • Data backups must be kept within the country
     • Citizens’ data must not be shared outside the country

  2. Regional laws:
     • GDPR: The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas

  3. Local and state laws:
     • Vary a lot from location to location

Conclusion

In summary, there is no silver bullet when it comes to implementing security management. However, it is an unavoidable journey that every organisation has to take especially in our increasingly volatile tech-driven landscape. As we’ve seen, it is a complex and enduring undertaking with several milestones. But by following crucial guidelines while promoting a culture of collaboration among individuals in the process, we can achieve a much safer cyber world one key step at a time.
