
Focus on Security Management

While Security Management personnel are typically drawn from the management layer and security training is provided to compensate for their lack of an IT and security background, I believe - based on my experience - that this isn't ideal, specifically for security managers. Knowing the needs of security-focused personnel, their day-to-day mindset and a security landscape evolving at transwarp speed should form a more solid base for a sound and feasible approach to managing these teams and the organization in which they work. From security operations, through security architecture and engineering, to a CISO role, I'm convinced I have what it takes to provide optimal value and guidance.

Strategy

Security is by necessity an intrinsic part of any business or organization. Aspects of security can be found in all layers and branches of an entity. Strategic goals, business processes, infrastructure, ... are all ideally conceived with a security strategy in mind and set up to be solid and defensible. It is therefore paramount that these efforts are coordinated to ensure a consistent approach with maximized added value. Integrating these efforts into the corporate culture, and having them accepted by all personnel, ensures that this approach translates into a clearly cybersecurity-aware brand image for customers, suppliers and partners alike. Depending on the size of the organization, the complexity of such an overarching security strategy, and thus the number of security management personnel involved, can vary greatly, but their goal is always to contribute to the consistency of company policy across all pertinent topics.

Architecture

Such a security strategy starts with choosing the right security architecture for your specific needs. The complexity of common architectures has risen steadily over the years. Currently, for larger organizations, we mostly see Cybersecurity Mesh Architecture (CSMA v2.0 from Gartner), aimed at centralizing and unifying the information flows in and out of the various branches of the security approach. The focus is on avoiding security silos to ensure a streamlined detect-and-respond process via a modular approach, which in turn connects nicely to the Assume Breach philosophy (it's not a matter of if, but when) of our time. This architecture also accommodates the hybrid cloud/on-premise or multi-cloud infrastructures that we are increasingly finding in companies, and ensures a consistent, overarching approach with good cohesion between all components.

Policy and Regulations

Building complex strategies involves many additional factors. They are based on a security policy endorsed by management, which must be known and understood by everyone who comes into contact with it. Each team has its own perspective and outlook, and thus different needs in terms of direction and information. Security analysts struggling with alert fatigue because 60% of their alerts are false positives cannot be motivated in the same way as a network security team overwhelmed with more requests than they can handle, or a system administration team where there is conflict over protection vs. usability dilemmas. Added to that is a growing amalgam of national and international standards and regulations that must be met. The European NIS2 directive, which will apply to a much broader range of sectors than its predecessor, while leaving some leeway for now, threatens fines of up to 2% of turnover for violations. In Belgium, the Centre for Cybersecurity Belgium (CCB) is responsible for implementing these guidelines. It already offers organizations and companies a self-assessment method (CYFUN - based on NIST CSF) to check to what extent you already comply.

Standards

Fortunately, we do not have to reinvent the wheel every time: there are many frameworks, standards, recommendations and working frameworks propagated by various bodies. We think of NIST (US), ENISA (EU), MITRE ATT&CK, CIS, ... These help ensure that best practices around most security-related topics are known and delineated, that we all speak the same language and can thus learn from each other across borders, and that we can identify where we should best focus our extra efforts and investments.

Communication

Security Management is also responsible for clear communication, and this in two directions. It is therefore important that there is a deep understanding of all technologies, strategies, developments and standards under consideration, and of their intrinsic advantages and disadvantages, so that even people in the management layer without an IT background can be given sufficient understanding to make informed choices. At the same time, a translation is needed that properly conveys the - often financially driven - management decisions to the relevant teams, so that they do not feel reduced to mere production elements and there is room for everyone's personality within the corporate culture.

© g3rt