Every Solution You Can Imagine – and More
What cybersecurity solution do you need? From Zero Trust to ADR, IAM, risk/privacy, data protection, AppSec and threat, securing digital transformation, to resiliency and remediation, we can build the right program to help solve your challenges.
A Single Partner for Everything You Need
Optiv works with more than 450 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv
Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner.
However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
Part 1: Frameworks in Context: The Business-Aligned Information Security Program and Control Frameworks
During hundreds of strategy, risk and compliance engagements, Optiv’s consultants often have been asked very thoughtful and deep questions about control frameworks and standards by our clients. Such topics often center on which of these frameworks and standards are most appropriate for a particular organization, which specific controls are most important, and in what order and to what depth an organization should pursue maturity with a particular set of controls. In this two-part blog series, I’d like to share some field observations on this topic gathered by Optiv’s strategy, risk and compliance teams.
When your security team constantly puts out fires and incidents seem to be never-ending, it is a sure sign of an ad-hoc security program that responds to issues rather than attacking root cause. Without fail, clients in this position have no effective method in place (perhaps outside of personal heroics) of tracking the state of the program and which controls are in place. Instead, organizations should focus on putting the right program elements in place to begin proactively managing the security posture of the business.
Keeping track of the security program is essential for an organization to escape the daily fire-fighting method of security management. Control frameworks are an essential and effective way to accomplish this. One interesting paradigm here is the improvement in security programs that we’ve seen occur when clients begin to face more arduous compliance requirements due to growth. A great example is the improvement in information security posture when an organization moves from a PCI level 2 merchant to a PCI level 1 merchant. On the surface it would seem that the existence of an external QSA holding the organization accountable would be the cause of this improvement, but perhaps a more subtle paradigm is in play: The organization now has a list of controls and a checklist to follow in managing their program. We’ve seen many programs run by leveraging PCI as the control framework of choice, even though it’s not even a control framework, rather an industry standard.
Having something to measure against is key to making decisions on what to do next with an information security program. There are many great control frameworks available for this purpose such as ISO 27001/27002, NIST SP800, NIST CSF, CIS Top20, COBIT, ITIL, PCI-DSS, and the list goes on and on. Each of these frameworks is well designed, expertly constructed and thoughtfully organized.
The downside to the above-mentioned frameworks is that we in the information security industry have adopted the notion over the decades that we have to “put a check in every box.” This is where it all goes sideways for us. Organizations simply do not have the money, information security or IT resources to put a check in every box. The business stakeholders and end users don’t have tolerance for the restrictive security that checking every box entails.
Take ISO 27002, for instance. This framework contains 114 controls very well organized into 14 chapters. NIST 800-35 can have up to 170 controls. These controls taken individually all appear to be reasonable and practical, but taken in totality they represent a challenge to implement at a moderate degree of maturity, let alone a high degree of well monitored and continuously improving maturity.
The truth of our industry is that 100 percent maturity in 100 percent of the controls in any of these frameworks is not only impossible, it’s impractical and unnecessary. We’ve spent years in our industry trying to pursue such an objective, and we have little to show for it if metrics such as breach frequency, breach cost and threat emergence are any indication. As an example, look at healthcare. HIPAA was passed in 1996, HITECH in 2009. Did healthcare breaches decrease in frequency or cost? Quite the contrary. Why is this the case especially given the specificity with which some of these control frameworks provide guidance on what to do to protect information and what can we do to leverage the frameworks most effectively?
On the other end of the spectrum from the “fire-of-the-day” security program are those programs connected to the operation of the business in a meaningful and effective way. We generally run into these types of security programs as a result of regular strategy tune-ups and recurring risk assessments. These are programs which have a plan, adjust the plan regularly, and have a genuine pulse for where they have maturity and where they don’t. What’s striking about such programs is that where we find areas of immaturity, it’s usually intentional. This is a departure from the concept of “a check in every box,” and it requires a level of acumen in business and technology in order to succeed. We call these “business-aligned programs,” and they are rare and fantastically effective when done properly. They also have figured out how to effectively leverage control frameworks to facilitate this alignment.
In summary, frameworks and standards are necessary as long as the ultimate goal is business alignment and not putting checks in boxes for the sake of it. In the second part of this blog series I will discuss the “how” of driving toward a business-aligned security program where frameworks fit into this process.
Let us know what you need, and we will have an Optiv professional contact you shortly.