Aligning IT security strategy and governance. Takeaways from the Beltug N-sight: 30 January 2020


New year, familiar problem: security! IT security risks constantly evolve and grow, so our defences must as well. Digitisation, with cloud as well as new technologies such as AI and IoT, has cemented security’s place as a vital layer in the organisation's infrastructure, and in the development of every application.


Creating, implementing, testing and aligning the IT security strategy is thus an issue that is spreading out and up, to every level of the company. During this session we heard about how to optimise resources for cyber resilience from Deloitte, how to validate security solutions from Davinsi Labs, and what new security challenges are raising their heads in the Domain Name System world. We wrapped up with a new tool from Beltug that can help you inform the company’s Board about information security risks, in order to align governance.


The presentations from the N-sight are available for our members (after login). 


A strategic approach to managing cyber risk: business-driven and threat-based


Daria Bogush, Senior Cyber Security Consultant at Deloitte, took us back 10 years, to a time when business saw security as the exclusive domain of the IT department. Over time, this attitude shifted from the bottom-up, as we moved from the era of compliance, to risk, to complexity. But in any case, IT needs to enable the business, wherever it goes. And security can’t be a stumbling block anymore.


As complexity creates new challenges (slide 4), it is important to define priorities and strategies, and to understand the scope in order to ensure nothing is overlooked.


Valuing cyber risks is a combination of cyber resilience and business value, Daria emphasised.


It may be easy to identify who you are, but it’s not so easy to pinpoint where you want to be.  You define your cyber threat profile so that you can determine the capabilities you need.  But capabilities only matter once you have defined what a 'good' result looks like.


Daria recapped:

  • Identify what you need to protect - what are your 'crown jewels'.
  • What are the threats you face?
  • How do you measure your level of protection?
  • And are the controls you have, on the level you want to be?

(slide 9)


Daria wrapped up with a case study, diving in detail in every aspect of the security strategy journey (slides 11-15).


Continuous security validation


Reaching your maturity level isn’t the end of the journey; you need continuous validation and monitoring, explained Koen Bossaert, Solutions Lead at Davinsi Labs (a Proximus-owned Security Information & Event Management company). That includes making sure your defences work - always, everywhere, effectively, verifiably and end-to-end.


For that continuous validation, attack simulation is a key element (slide 5). It offers value and use cases at different levels:



  • Prove effectiveness of security controls
  • Report real value of investments

Security Analyst:

  • Regular testing of SIEM use cases
  • Close gaps in defences
  • Practice with real attack techniques

'Red Teamer':

  • Scale efforts
  • Win on repeatability and reproducibility


Case: DNS, the overlooked attack vector?


Kristof Tuyteleers, Security Officer at DNS Belgium, opened by explaining how the threat landscape is continuously changing: DDOS stressers/booters, IoT devices, automated phishing kits, cloud services/domain fronting, MaaS (Malware-as-a-Service), ransomware, etc.


You need to know your enemies, and then you need to pick your fights, advised Kristof. Cryptojacking, for instance, has almost disappeared from the list of common threats. On the other hand, check whether there is any low-hanging fruit in your infrastructure that you can optimise: your DNS server, for instance. DNS is an often-overlooked attack vector (slide 15). There are several aspects of DNS that are misused (slide 21): a TXT record, for instance, can be built into your URL, guiding people to 'nasty' websites.


Make sure you implement the correct DNS(SEC) tools when securing your email environment:


  • SPF (Sender Policy Framework) - explicitly authorises which servers are allowed to send email for a domain
  • DKIM (DomainKeys Identified Mail) - digitally signs an email with a signature that receiving mail servers can verify
  • DMARC (Domain-based Message Authentication, Reporting & Conformance) - allows you to communicate message-handling & reporting policies to receiving servers
  • DANE (DNS-Based Authentication of Named Entities) - enforces authenticated (encrypted) connections between SMTP servers and prevents STARTTLS downgrade attacks.
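To make the SPF and DMARC items concrete, here is a small checker that parses both TXT records and flags the weak settings a receiving server would notice. This is an added example, not material from the presentation; the records are constructed for a hypothetical example.com, and a real check would fetch the TXT records for the domain and its _dmarc subdomain from DNS.

```python
"""Parse SPF and DMARC TXT records and report weak settings (added example)."""
import re

# Constructed sample records for a hypothetical example.com (not real data)
SAMPLE_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"


def parse_spf(txt):
    """Return the SPF mechanisms and the qualifier of the terminating 'all'."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = terms[1:]
    all_qualifier = None
    for term in mechanisms:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"  # a bare 'all' means +all (pass everyone)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(txt):
    """Return the DMARC tags as a dict, e.g. {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def audit_email_auth(spf_txt, dmarc_txt):
    """Return a list of findings about settings that leave the domain spoofable."""
    findings = []
    spf = parse_spf(spf_txt)
    # No 'all', '+all' or '?all' means SPF never rejects an unauthorised sender
    if spf["all"] in (None, "+", "?"):
        findings.append("SPF does not reject unauthorised senders (use -all or ~all)")
    dmarc = parse_dmarc(dmarc_txt)
    # p=none only monitors; receivers will still deliver failing mail
    if dmarc.get("p", "none").lower() == "none":
        findings.append("DMARC policy p=none only monitors; move to quarantine or reject")
    # Without rua= the domain owner never receives the aggregate reports
    if "rua" not in dmarc:
        findings.append("DMARC has no rua= address, so no aggregate reports are received")
    return findings
```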


'Anycast DNS' is one of the defences put up by DNS for DDOS attacks: typically, any device or server that connects directly to the internet will have a unique IP address. Communication between network-connected devices is 1-to-1; each communication goes from one specific device to the targeted device on the other end of the communication. Anycast networks, on the contrary, allow multiple servers on the network to use the same IP address, or same set of IP addresses. Communication with an anycast network is 1-to-many.


"Don't put all your eggs in one basket!", Kristof emphasised: if you outsource to a DNS provider, make sure to work with at least two of them (slides 31 and 32). Don’t forget to protect against human errors and ignorance when protecting your DNS traffic: for instance, if you abandon a domain name, the new registrant can see all the email traffic.  So foresee a quarantine period.


Even in an encrypted world, an organisation's 'crown jewels' are accessible to cyber criminals: through DNS hijacking for instance (slides 37-40).  Prevent this with:


  • Two-factor authentication at registrar
  • Registry lock
  • Monitoring of DNS records / changes + CT logs
  • Certificate Authority Authorisation (CAA)


DNS hijacking via IoT devices is also popular among hackers. And even over HTTPS (DNS over HTTPS, DoH), hackers come up with creative ways to invade your IT environment (slide 48).


Kristof's main message: outsmart the hackers with:

  • Awareness
  • Security hygiene, including strong passwords, 2-factor authentication, updated devices and software, …
  • Monitoring
  • Technical improvements
  • Sharing knowledge & experiences.


And make sure to have Domain Management Monitoring on your radar: monitor for domain transfers, WHOIS data changes, and nameserver changes.  Monitor for changes to records related to critical services e.g. MX (mail delivery) records.
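The monitoring items above (records and changes, CAA, and the nameserver/MX/WHOIS watch list) come down to comparing periodic snapshots of a domain's critical records against a trusted baseline. The following is an added example of that comparison, not DNS Belgium's tooling; both snapshots are constructed for a hypothetical example.com, and in practice they would be filled from scheduled DNS and WHOIS lookups.

```python
"""Alert on changes to a domain's critical DNS and registration data (added example)."""

# Record categories whose change can indicate hijacking or misconfiguration
CRITICAL_TYPES = ("NS", "MX", "CAA", "REGISTRAR", "DNSSEC_DS")

# Constructed baseline snapshot for a hypothetical example.com (not real data)
BASELINE = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "MX": {"10 mail.example.com."},
    "CAA": {'0 issue "ca.example.net"'},
    "REGISTRAR": {"Example Registrar Ltd"},
    "DNSSEC_DS": {"12345 13 2 DS-DIGEST-PLACEHOLDER"},
}
# Constructed later snapshot: one nameserver was replaced and the CAA record vanished
CURRENT = {
    "NS": {"ns1.example-dns.net.", "ns1.unknown-dns.invalid."},
    "MX": {"10 mail.example.com."},
    "CAA": set(),
    "REGISTRAR": {"Example Registrar Ltd"},
    "DNSSEC_DS": {"12345 13 2 DS-DIGEST-PLACEHOLDER"},
}


def diff_records(baseline, current, types=CRITICAL_TYPES):
    """Return (type, added, removed) for every record category whose set changed."""
    changes = []
    for rtype in types:
        before = set(baseline.get(rtype, ()))
        after = set(current.get(rtype, ()))
        if before != after:
            changes.append((rtype, sorted(after - before), sorted(before - after)))
    return changes


def alerts(baseline, current):
    """Turn record differences into alert lines for the monitoring team."""
    lines = []
    for rtype, added, removed in diff_records(baseline, current):
        if rtype == "CAA" and not added:
            # Without CAA, any publicly trusted CA may issue for the domain again
            lines.append("CAA records removed: any CA may now issue certificates")
        elif rtype == "NS":
            lines.append(f"Nameserver change: +{added} -{removed}")
        else:
            lines.append(f"{rtype} change: +{added} -{removed}")
    return lines
```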


Aligning Board and IT security


The final insights of the day came from Claude Rapoport, our Beltug president, focusing his vast expertise on how to align the board and IT security.


It is obvious that often the CIO and the CISO understand better than the Board members how the company actually operates.  At the same time, conversations between the CIO/CISO and the Board are vital to build a solid IT Security strategy.


But is the Board really concerned about information security?  For years, the answer has been 'no'. In this era of digitisation, this has shifted to a clear 'yes'.  The Board is after all in control and accountable for

  • risks
  • governance
  • finance
  • image.


Claude described what a business risk assessment can look like, including the impact and frequency of risks (slide 8). He also provided a 'Board-friendly' message: 'Security is CIA (Confidentiality, Integrity, Availability)'. Apply this to the high and very high risks in your risk assessment and you'll certainly get their attention.


So what's your question for the Board? 'Do you want to accept this level of risk, or do you consider that action is required?' (slides 9-11)


Privacy and GDPR should also have its place in this conversation with the Board (slide 12). The GDPR has put privacy on the agenda of many companies – you need to explain to your Board what the consequences are, for instance regarding the obligation to notify data breaches.  One valid point for your Board is then the question of who takes the responsibility to report to the Data Protection Authority (DPA), and when is a data breach serious enough to report?  Be prepared for that question.


A final example of the 'Confidentiality' part is your organisation's information security policy. This should be a short, logical, easy-to-read document, that must be read and signed by all employees and suppliers.


Moving on to the ‘Integrity’ element, prepare an Incident Response Plan, with your key elements for crisis communication in case of a breach or incident.  The Board can ask for a simulation of this crisis communication. 


On the 'Availability' element, the Board might want to see the availability indicators systematically.


Your dialogue of course needs a chapter on budget and projects (slide 22).


Claude wrapped up with 3 main questions the Board may want to consider:

  • Does our company make a yearly risk assessment?
  • Is a specific person responsible for all cybersecurity in the company? Does this person report yearly to the Board?
  • Which important risk mitigations are not taken because of budget restrictions?


The first time you give this presentation will be the most difficult. But year on year, your messages will become more familiar to the Board. Claude's recommendations will be published on the Beltug website soon, available for all members to use when preparing for a conversation with their Board.


If you have further improvements suggestions or additions for this document, feel free to let us know!
