All too often, companies can end up ‘running behind the facts’ in the IT security arena. You need a solid security strategy to stay ahead, while governance is critical to stay in control.
We had a look at how to put this into practice. SoftwareONE started us off with the COBIT framework for IT governance. Then we learned about cyber security in a homeworking world, from Insight. We wrapped up with a short update on the new Beltug Security task force: what are they working on?
The presentations and recording from the event are available for Beltug members (after login).
The importance of governance
"It takes years to build a reputation and just a few minutes to ruin it", started Danny Uytgeerts, Strategy Lead at SoftwareONE. Even today, Danny observes, many companies lack awareness of and engagement with IT security from management, to the extent that the CIO and CISO might almost hope for a breach, so they have the momentum to increase awareness.
The word 'govern' comes from the ancient Greek word for steering a ship. The similarities between steering a ship and governing IT are numerous: you must watch where you are going, and you need to keep a careful eye on the direction you are steering towards. That is precisely the intention: you steer, you monitor, you review, you adapt, you adopt. The ultimate goal of governance is to effectively fulfil the organisation's goals.
It's important for your strategy that you define business goals and objectives. Business goals establish where you intend to go and when you will get there. Objectives specify what you must do, and when, in order to achieve the goals. Your strategy defines the way to achieve both goals and objectives. Governance then checks the goals and objectives, and keeps an eye on the resources used.
Danny explained the full picture from goals and objectives through to outcome (see slide 6, minute 00:15:00 in the recording).
Your 'security programme' is the outcome:
Whatever strategy or governance model is chosen, the company culture remains an important element. "Culture eats strategy for breakfast", Danny reminded us. You must understand the enterprise culture and the human factor. It's important for the CIO and CISO to work with HR and legal to address issues such as people leaving the organisation, and to work on user awareness and appropriate training.
When thinking about how to establish good governance, there are a lot of frameworks, controls and tools: it can be overwhelming.
COBIT 2019 can be a helpful umbrella framework for EGIT (Enterprise Governance of IT) (see slide 9). Danny feels the framework offers the flexibility needed to address the unique needs of an organisation.
Danny also gave an overview of COBIT 2019 (see slides 10-12).
Wrapping up, Danny emphasised it's all about
Protect your users against cyber threats
Next up was Erik Westhovens, cyber security investigator and security solutions architect at Insight. Breaches are numerous nowadays; it seems you hear and read about them in the media all the time. This might make you conclude that everyone around you can be 'the enemy' and steal your data.
Erik stressed: if you don't need the data you have, delete it! "Trust comes on foot, and leaves in a Ferrari." So make sure to build that trust thoroughly.
End-users are an important element, especially today when they are working from home. So stay constantly aware of what is going on: ransomware, doxware, software failure, human errors, etc. Did you know that it takes 56 days (on average) between the infiltration by a cybercriminal and the actual ransomware attack? After that, your company data is encrypted and your organisation is in trouble (see slide 2).
Erik zoomed in on the Advanced Persistent Threat (APT) lifecycle model that takes us through the entire journey of a cybercriminal (see slide 3).
Just over a year ago, employees were properly protected by firewalls. But after March 2020, they were working from home, through their standard home routers. And while the company device is still protected by the company's security, the home PC and the gaming consoles are not. A cybercriminal strengthens his foothold by entering via these devices, then jumping to your company device, and finally accessing your company data.
The hacker goes for your money: not only encrypting your data (for ransom), but also copying your data and putting it 'for sale' on the dark net.
Erik elaborated further on how the modern threat kill chain is evolving (minute 00:58:10 in the recording).
So how to solve the problem? Erik pointed out that the solutions we choose are often directed for us. The marketplace is overwhelming and confusing, with high vendor evaluation costs and high integration costs. On top of that, the hybrid cloud is breaking the existing models. Furthermore, the security solutions purchased are very often underutilised. It is challenging to close the gaps between solutions.
Erik demonstrated how a layered model of detection and protection can be the answer (see slide 6).
There are four areas that really need your focus:
"Identity is the most important security parameter", Erik stressed: whatever security measures you take, if you forget about identity, you will never be secure enough. It's like installing a safe and leaving the key in the lock.
Beltug Security Task Force - a quick update
At the end of the session, Levi Nietvelt, Business Manager at Beltug, shared a quick update on a new Beltug initiative: the Security Task Force.
This is a platform for security experts to exchange experiences, best practices, issues and challenges. When relevant, information flows back to the entire Beltug community in Papers or Recommendations.
There are quite a few topics already on the working group's action list, including:
Access to more information about this topic and/or to download the paper is easy and fast, but exclusively for Beltug members (just login to get access).
The Beltug Team