4 things that weigh heavily on a CISO’s shoulders
What areas do CISOs see as their biggest priorities when it comes to enterprise security? Chief Information Security Officers may not have a consultant telling them they need to better secure their environment; in many cases they are themselves the ones who determine what needs to be done. CISOs face challenges on many fronts when devising the strategies needed to secure their organizations.
According to the Global Security Survey Report 2014, other than fighting for budget, one of the most critical issues they encounter is the lack of awareness, and insufficient education, among employees about the importance of security as a priority. Educating new employees while spreading awareness of the latest security concerns among existing employees should be a priority item on any CISO’s strategy list and security program. Regardless of their other challenges, the following is a list of four key areas that today’s CISOs must address in order to protect against threats and ensure the security of the information they are charged with protecting.
1. Authentication
Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. This facet is all about certifying that the person logging into a system is who they say they are. There can be different roles and levels of access, and CISOs should be equipped to provide more than one form of authentication. This can combine something the user knows, such as a password, with something they have, such as a security token which constantly generates a new random PIN. A biometric device such as a fingerprint scanner is another option. By adding a second factor such as a randomly generated PIN or a fingerprint, the system becomes much harder to infiltrate.
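The "something you have" factor described above is, in most hardware and app tokens, a time-based one-time PIN (TOTP, RFC 6238) derived from a shared secret and the current time. The following is an added example, not code from the article or from any token vendor, using only the Python standard library; the secret and timestamps are constructed sample values (the secret is the one used in the RFC test vectors), and the tolerance of one time step of clock drift is an assumption of this example.

```python
"""Added example (not from the IFSEC Insider article): how a token's
constantly changing PIN is produced and how a server verifies it as a
second factor. Secret and timestamps are constructed sample values."""
import hashlib
import hmac
import struct
import time

TIME_STEP = 30     # seconds each PIN is valid for
DIGITS = 6         # length of the PIN shown on the token
DRIFT_STEPS = 1    # assumption: accept one step of clock skew either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then the
    'dynamic truncation' that picks 31 bits and reduces them to digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = TIME_STEP) -> str:
    """The PIN a token displays at a given Unix time: HOTP with the
    counter set to the number of time steps since the epoch."""
    return hotp(secret, int(at_time // step))


def verify_second_factor(secret: bytes, submitted: str, now: float,
                         step: int = TIME_STEP, drift: int = DRIFT_STEPS) -> bool:
    """Server-side check of a submitted PIN. A small window of neighbouring
    steps tolerates clock drift; compare_digest keeps the comparison
    constant-time so timing does not reveal how many digits matched."""
    counter = int(now // step)
    for c in range(counter - drift, counter + drift + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


# Constructed sample secret (the RFC 6238 test-vector secret, ASCII).
SAMPLE_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = time.time()
    pin = totp(SAMPLE_SECRET, now)
    print("token shows", pin, "->", verify_second_factor(SAMPLE_SECRET, pin, now))
```

In a real deployment the secret is provisioned once per user and stored server-side with the same care as a password hash; a PIN that verified once should also be rejected on replay within the same time step, which this example omits for brevity.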
2. Authorization
Authorization is about the restrictions placed on what a user is allowed to do once he or she is authenticated. A user is allowed to access certain applications and tools based on his or her role and the level of access granted. For example, a user in the accounts payable role in finance will have authorization and access to certain financial applications or files while a user in the role of sales specialist would not, and vice versa.
3. Administration
The process of setting up the tasks of authentication and authorization is a managerial task set up by the administrator. This includes setting up someone’s credentials in the system so the individual’s information can be authenticated when logging in. There are different parameters to keep in mind while setting up the credentials determining what sort of role a person holds in the system. Take yourself for example. When you moved into your current role, someone had to enter that information into the system, and then list what applications you could access and so on.
The objective of administration is to implement processes that enable individuals to efficiently and securely complete tasks. The role of an administrator is a challenging one, as he is required to give different access settings to different people; and when the organization is a huge one with thousands of people, the task becomes even more challenging. While the administrator may have an understanding of the role, exceptions to the rule exist. For example, special projects often change the level of access, since people need to complete tasks that are usually outside their scope of responsibilities. The administration involved in maintaining the parameters for authentication and authorization can become very complex. From a security standpoint, this can become a problem, especially when employees leave the organization and the administrator needs to ensure that they can no longer access the network.
4. Audit
The word “audit” generally carries a negative connotation, but in this context it is about verifying that all the work you have done in the other three areas is working as designed. Business managers need to recertify that the list of people with access to the data and applications they are responsible for is still accurate. Again, with employee departures and changing roles, this is an ongoing process. The audit is also useful for finding any anomalies and fixing them. While having a mistake found during a compliance audit and being fined sounds terrible, a much worse scenario would involve a disgruntled employee or a hacker exploiting the mistake.
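The authorization, administration and audit sections above describe one control loop: roles define entitlements, administrators grant access (with exceptions for special projects), and managers periodically recertify that the grants still match the people. The following added example, which is not code from the article, shows an access-recertification check over that loop. The role catalogue, roster and grants are constructed sample data; the reason strings and the "approved exception" flag are this example's own conventions.

```python
"""Added example (not from the IFSEC Insider article): a recertification
report that compares actual access grants against the HR roster and the
role catalogue. All names and data below are constructed samples."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Authorization: what each role is entitled to (assumed role catalogue).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "accounts_payable": {"erp_ap", "bank_portal"},
    "sales_specialist": {"crm", "quote_tool"},
}


@dataclass
class Person:
    user: str
    role: str
    active: bool  # False once HR records a departure


@dataclass
class Grant:
    user: str
    application: str
    approved_exception: bool = False  # e.g. a special project signed off by a manager


@dataclass
class Finding:
    user: str
    application: str
    reason: str


def recertify(roster: List[Person], grants: List[Grant]) -> List[Finding]:
    """Flag every grant that the current roster and role catalogue do not
    justify. Grants inside the user's role entitlement produce no finding."""
    people = {p.user: p for p in roster}
    findings: List[Finding] = []
    for g in grants:
        person = people.get(g.user)
        if person is None:
            findings.append(Finding(g.user, g.application, "no HR record for account"))
        elif not person.active:
            findings.append(Finding(g.user, g.application, "user has left; revoke"))
        elif g.application not in ROLE_ENTITLEMENTS.get(person.role, set()):
            if g.approved_exception:
                findings.append(Finding(g.user, g.application, "exception; manager must recertify"))
            else:
                findings.append(Finding(g.user, g.application, "outside role, no approved exception"))
    return findings


def revocations(findings: List[Finding]) -> List[Finding]:
    """The subset of findings where access should simply be removed rather
    than recertified: departed users and accounts with no owner."""
    return [f for f in findings if f.reason in ("user has left; revoke", "no HR record for account")]


# Constructed sample roster and grants.
SAMPLE_ROSTER = [
    Person("alice", "accounts_payable", True),
    Person("bob", "sales_specialist", True),
    Person("carol", "accounts_payable", False),   # carol has left
]
SAMPLE_GRANTS = [
    Grant("alice", "erp_ap"),                          # within role
    Grant("alice", "crm", approved_exception=True),    # special project
    Grant("bob", "crm"),                               # within role
    Grant("bob", "bank_portal"),                       # drift: not in role, no exception
    Grant("carol", "erp_ap"),                          # departed user still has access
    Grant("svc_old", "erp_ap"),                        # account nobody owns
]

if __name__ == "__main__":
    for f in recertify(SAMPLE_ROSTER, SAMPLE_GRANTS):
        print(f"{f.user:8} {f.application:12} {f.reason}")
```

Running the check on every recertification cycle, and immediately on each HR departure event, is what keeps the administration burden described above from turning into the breach scenario the audit section warns about.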
As we can see, security is today one of the major concerns for organizations, and because of its criticality, CISOs carry a tremendous load on their shoulders. Security simply needs to be maintained whether or not CISOs have sufficient staffing, budget or tools in place. The actions they take may very well save your organization from being the next security breach headline, with the loss of customers, loss of income and job cuts that follows. Their actions may very well have already thwarted such a breach!
IFSEC Insider