Exec Summary - Enterprise Security Architecture Approach
CISOs have a challenge in gaining situational awareness of where their enterprise truly sits in the context of cyber risk. CISOs need to ensure that adequate and proportionate security controls exist to provide assurance to the business around the confidentiality, integrity and availability of critical business information assets. A lack of context against threat profiles and attack methods can lead to an inability to effectively manage and prioritise proportional security remediation.
Furthermore, with the global threat landscape continuing to evolve rapidly and a business-driven cloud operating model introducing new and poorly understood risks, CISOs need to adopt an agile and effective method to gain timely visibility and context. They need to identify foundational capability gaps, proportional risk treatments and security investments. Enterprise risk and security design methods need to evolve to address the speed of the emerging threat and attack landscape.
CISOs must also be able to provide ongoing reporting of operational assurance and metrics to key stakeholders, customers and regulators, and ensure that information security is a primary business concern.
In this context and in order to effectively mitigate the impact of both conventional and emerging threats, Security Innovation Europe advocates a business aligned and risk driven framework:
- Develop a contextual Organisational Threat & Attack Model
- Develop & utilise an Enterprise Risk Assessment Security Architecture
- Develop a business aligned risk and capability based Enterprise Security Architecture strategy and roadmap
- Baseline foundational security capability against recognised and agreed industry standards
- Focus on those systems where the business impact will be most severe and look to leverage a marginal gains approach
- Identify areas where strategic security investment is required to provide adequate foundational controls and capabilities in line with the risk appetite
Our 5 critical tenets for an effective cyber security defence as outlined by NIST
- Offense informs defence: Use knowledge of actual attacks that have compromised systems to provide the foundation to continually learn from these events to build effective, practical defences. Include only those controls that can be shown to stop known real-world attacks
- Prioritisation: Invest first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors and that can be feasibly implemented in your computing environment
- Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organisation so that required adjustments can be identified and implemented quickly
- Continuous diagnostics and mitigation: Carry out continuous measurement to test and validate the effectiveness of current security measures and to help drive the priority of next steps
- Automation: Automate defences so that organisations can achieve reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics
Building the Security Strategy
InfoSec Strategy should evolve to be driven top down by the business strategy, business risk appetite and drivers such as capability, policy and standards gaps.
To be effective, the strategy is influenced by bottom-up contextual metrics relating to the efficacy, implementation and optimisation of foundational critical security controls.
Become Data Driven
Baseline and gap analysis of InfoSec capability provide a three-dimensional perspective:
- Determine & Monitor Enterprise Risk Appetite
- Determine & Monitor Control Gaps
- Determine Good Practices & Standards to use
Use clear and practical statements to describe the complete spectrum of security arrangements that should be considered to manage risks to information within acceptable limits. Controls may include:
- 10 Steps to Cyber Security (UK Government)
- Top 20 Critical Security Controls (SANS/CIS Institute)
- Payment Card Industry Data Security Standard (PCI DSS) 3.2
- Strategies to Mitigate Targeted Cyber Intrusions (Australian Government Defence Signals Directorate)
- PAS 555:2013 Cyber security risk – Governance and management – Specification (British Standards Institution)
- US National Institute for Standards and Technology (NIST): Cyber security Framework
Using a Baseline Tool
A Baseline Tool provides a quantitative and repeatable assessment and enables easy comparison to recognised frameworks such as CIS Top 20, PCI DSS, DPA & GDPR, ISO 27002 and COBIT.
Information Security Maturity Rating
An Information Security Maturity Model (ISMM) provides high-level direction to help an organisation plan the progression of the information security function towards a desired future state. However, externally completed assessments tend to be an expensive, point-in-time, throwaway exercise. It is critical that the enterprise integrates this dimension of architecture when considering longer-term strategic priorities.
Projects and activities that require commitment for several years can be difficult to justify in a wider business context, and so may not be approved, may be cancelled prior to completion or may be unable to demonstrate measurable benefits as the organisation changes.
Making use of an ISMM allows multi-year projects to be approached in a structured manner and with a common goal.
A core objective of ISMMs is to further improve overall information security. This means that rather than merely investing in more advanced security controls, the use of a maturity model will drive focus on controls that are simply better suited to address a particular threat or vulnerability.
Where are we? Where should we be?
Baseline Results: A Security Architect Analysis
A known baseline measured against an agreed reference provides the ability to drill down and map the strength of existing controls back to a capability-based security architecture. The data collected allows detailed analysis and risk modelling to ascertain where control deficiencies and critical risks exist, and so drives the strategy.
Detail around each security domain is needed in order to make effective improvements with the aim of measurable risk reduction.
Used in conjunction with an architectural approach, areas identified for improvement contribute to moving towards a target architecture, align with identified business risks and stay within the risk appetite for the enterprise.
Enterprise Security Architect deliverables
- Reference Architecture & Strategy
- Visibility of the critical information assets with the most severe impact on the business, with their associated information risks, threats and attack vectors
- The output from the review and baseline of capability will be a set of prioritised recommendations outlined in a security architecture blueprint, road map and strategy, typically covering a rolling three-year period
- This road map and strategy should be broken down into a number of projects that are prioritised to reduce risk and maximise the benefit of expenditure
- Periodic reviews using the initial methodology will be completed throughout the programme in order to measure the progress and on-going effectiveness of the programme and alignment to the target architecture
- Critical to the success of the roadmap will be gaining acceptance across the Senior IT Leadership team and supporting partners, whose input will be central to any programme