Shivakumar Ramachandran MBCS CISSP explores the cultural, procedural and technical steps organisations need to take in order to ensure security isn’t left behind as an organisation transforms.

Increasingly, business leaders are working closely with IT leaders to transform and accelerate business processes, to grow competencies and to develop models in a strategic and prioritised way.

Digital means different things to different departments such as marketing, operations, HR and IT. It is the leadership’s responsibility to create awareness and understanding of transformation, and to unite the senior team behind transformation as a common purpose. It is all about asking the right questions, such as:

  • How can digital technologies disrupt the company’s competitive advantage?
  • How can these digital technologies help improve the performance of existing processes?
  • How can an organisation create a better experience for its customers?
  • Through transformation, what new possibilities can be enabled today and in the future?

There is however something critical missing from this list of strategic questions: ‘What about data security?’ Have you - or your leadership - thought about it? Have you modelled threats, analysed risk and fully understood what will happen to your business if risk becomes reality?

An organisation’s most valuable asset is data. As such, it is leadership’s responsibility to protect it. To achieve this, there is a starting point: mobilising the right internal teams. A security team, for example, will be able to help leadership understand the potential impact of data being lost or stolen. It goes without saying, though, that leadership is responsible for anything and everything within the organisation - including security. This means senior management should understand and support any security drive. This top-down approach has another advantage too: when a drive is instigated from the top, it is much easier to create a culture of awareness where ‘security is everyone’s responsibility’.

Security is a serious business

Digitally collaborative systems need a very effective and well-embedded security culture - a culture that focuses on people and process. Collaborative systems also require that technology deployment be governed by organisational policies.

A strong and talented security team alone cannot protect an organisation from today’s cyber risk, though. Traditionally, the security domain has been considered a technology-focused specialism, encompassing solutions such as system hardening, firewall protection, anti-virus, anti-malware and data loss prevention systems. The security checklist goes on.

Risk management and assessment

Risk modelling and assessment need to extend beyond technology. People and processes need to be assessed too. Protecting confidentiality, integrity and availability (CIA) is certainly necessary, but it is not enough.

The security domain should instead be viewed as a business capability rather than just a supporting function. The Sherwood Applied Business Security Architecture (SABSA) is a framework for developing risk-driven enterprise information security and assurance architectures.

It defines attributes such as reputation, operational efficiency, business continuity and brand perception. These attributes, and others, need to be protected through security controls - controls that enable the organisation to realise its overall corporate objectives.

Security architecture should focus on building capabilities that:

  • Identify threats
  • Detect anomalies
  • Protect the interests of the organisation
  • Respond to incidents in an efficient manner
  • Recover a service so that the organisational damage from its compromise is minimised.

This approach is only possible when a security function understands the business objective it is supporting. It also needs to understand inherent risks.

The SABSA framework can play a definitive role in enabling, enhancing and embedding this security journey. At a high level, SABSA recommends a six-step process focused on identifying the security controls that are essential to protect the interests of the organisation:

  • Identify the business objectives
  • Translate the business objectives into security attributes
  • Perform threat analysis
  • Measure threat risk through qualitative or quantitative methods
  • Define control objectives to mitigate the identified threats (to an acceptable level)
  • Identify the security services necessary to provide the required security controls

When security architecture is driven by business requirements and objectives - rather than by technical requirements - the organisation benefits.

The power of SETA

It is very important that all stakeholders - including C-Level execs - understand and action the principle: security is everyone’s responsibility. Security should not be an afterthought. Rather it should be baked into every phase of a project.

How can this be achieved? In a transformation project, it can be achieved by asking and answering one key question: ‘What is the risk?’ This question needs to be asked, answered and agreed upon by many different people, including executive members, the architecture community, business stakeholders, delivery partners, developers and even the technology service provider.

Security Education, Training and Awareness (SETA) programmes are useful tools that fundamentally introduce behavioural change within the organisation. An effective SETA programme ensures a strong security culture. It introduces the concept of security thinking by asking three questions: why (education), how (training) and what (awareness).

DevOps, as an example, has been widely regarded as an efficient and agile approach to delivering capabilities. Fundamentally, it defines the way people, process and technology should be integrated with the aim of delivering value.

This contrasts with DevSecOps - a combination of DevOps and security. Here, the security team must clearly state and document what is expected from an application. The development teams implement the controls that have been tested by the security team and address any vulnerabilities identified in the AppSec pipeline.

The IT operations teams write the code or templates that build the infrastructure. They are also responsible for setting up the DevOps and AppSec pipelines and ensuring the corresponding tools are properly installed. That infrastructure must be hardened to prevent hacks and data breaches.

Security is achieved by helping people in different roles to develop the necessary skills and knowledge. They need to understand and appreciate that every action has security implications, and that these have corresponding impacts on digital systems. Most importantly, the goal is to build awareness of the need to protect system resources.

3M to sustain all the good work

Visualisation is an important element of identifying, sharing and evolving security information as it passes through an operation. The 3Ms (monitor, measure and maintain) are very useful in building a conceptual model. In detail:

  • Monitor - during the initial stages of the project, key attributes need to be identified from a security standpoint. As time passes and the transformation journey moves forward, these attributes need to be watched closely
  • Measure - an agreed baseline needs to be created
  • Maintain - keeping tabs on activities such as lessons learned, knowledge-sharing sessions, root cause analysis and feedback sessions

What security cannot protect

Robert Mueller, former FBI Director, said: ‘There are only two types of companies: those that have been hacked, and those that will be.’ It is very evident that digital transformation is breaking boundaries and upending business models. Brands are always on and omnipresent, teams collaborate in new ways, and data is generated and stored at huge rates.

The threat landscape is changing with equal speed and ferocity. Antivirus and firewalls are no longer considered enough. Cyber threats too are evolving - from hacking to social engineering attacks, from APTs (advanced persistent threats) to AI-instigated attacks and beyond.

Organisations must transform their cyber strategy, moving to a more proactive strategic approach and away from traditional methods. Increasing regulatory scrutiny is demanding a new, business-aligned security capability for managing information risk.

Ultimately, security is about understanding risk and cost-effectively mitigating it to an acceptable level. We cannot prevent all compromises.

Shivakumar Ramachandran MBCS, CISSP, TOGAF is a Principal Consultant with a leading digital consulting organisation and has a wealth of experience working on strategy and architecture engagements, as an Enterprise Architect and as an Enterprise Security Architect.