Creating an Effective Security Assurance Strategy
All organisations rely heavily on the use of information to conduct their business activities. Ensuring confidentiality, integrity, and authenticity is paramount to success. Unfortunately, as numerous recent headlines have shown, organisations are at significant risk of cybersecurity breaches. Even with the most comprehensive security strategies and technologies in place, breaches can still take place. The risk is further augmented within today’s IT environment where many businesses are interconnected by networks and systems. Every new piece of technology implemented brings with it a requirement to protect the information it holds.
Not only do companies have to protect against breaches, but they also need to ensure that the data they need to do business is always available to those who need it. Governance, risk and compliance standards have been put in place to protect organisations and their data, but organisations must demonstrate that they meet the necessary requirements. This is where security assurance comes into play.
What is Security Assurance?
Information security assurance encompasses much more than cybersecurity. Cybersecurity measures are predominantly focused on preventing cybercriminals or unauthorised users from entering an organisation’s systems. Security assurance, on the other hand, tests not only those cybersecurity measures but the organisation’s people and processes too. By testing its defences to see where an attacker may find weaknesses and flaws in the strategies and controls in place, an organisation gains a better understanding of the key risks that need to be mitigated.
There are five principal measures that are used to define information security assurance:
• Integrity – information should only be accessed by authorised users
• Availability – information should be readily accessible
• Authentication – measures to ensure that users are who they say they are
• Confidentiality – classifications and clearance levels to restrict access
• Nonrepudiation – proof of the origin of data and related actions
By implementing these measures, businesses can ensure their systems protect sensitive information and that it is used appropriately. The term is closely linked with risk management. The process of implementing security assurance involves identifying information assets and the systems and applications that use them, estimating how susceptible those assets are to compromise, and quantifying the impact if they were compromised. Once procedures and controls are put in place to mitigate risk, security assurance then uses various assessment and auditing frameworks to understand how effective those controls are.
Key Security Assurance Approaches
As the security landscape becomes ever more regulated, it is vital for organisations to be able to demonstrate their commitment to information assurance. Not adopting the necessary security assurance approaches can result in large regulatory sanctions and severe reputational repercussions, not to mention the added cybersecurity risk.
By adopting the mindset of adversaries, using leading detection technology, and understanding an organisation’s vulnerability, businesses are able to gain the maximum benefit from security assurance. There are three key security assurance approaches which can be implemented:
• Penetration testing – gaining security assurance by attempting to breach a system’s security using the same tools and techniques as cybercriminals.
• Adversary simulation services – simulating the methodologies of advanced threat actors to establish a baseline of real-world threats and impacts and to train personnel on how to respond in the event of an attack.
• Adversary protection services – proactively detecting misconfigurations and malicious profiles in order to build effective security awareness programs that meet compliance guidelines.
Aligning Security Assurance to Business Strategy
To measure security effectiveness, it’s vital for a company’s security goals to be aligned with its business objectives. Security metrics need to make sense, and the only way to achieve that is by choosing the correct metrics and having reliable data to back them up. Business leaders value security but often don’t have the knowledge to quantify risk from security metrics alone. They need visibility and assurance not only that security investments are the right ones, but that those efforts will support the overall goals of the business.
There is little point in practicing security assurance for security’s sake; it is vital that it is aligned with business goals. To understand what is important to the business, building relationships with key stakeholders and business unit leaders is paramount. The most important piece of the puzzle is communication; security professionals should aim to:
• Continually manoeuvre between technical requirements and business priorities
• Engage the board, the CEO and, ultimately, the C-suite
• Establish a governance committee that incorporates operational leaders from across the business
• Have two-way conversations with stakeholders
• Consistently speak with business colleagues to learn about customer needs
• Prioritise partnerships with business units
Security assurance will only be aligned with business strategy if security teams have done the hard work of developing personal relationships throughout the business. They should then continue to track and communicate security assurance efforts across the whole business.
If you would like to learn more about how you can create an effective security strategy and how InfoTrust can help, download our services datasheet or contact us today.