To understand any businesses’ security posture, one must first understand the eight categories of cybersecurity that is impacted: security intelligence, fraud, people, data, application, infrastructure, business partners and outsourcing, and threat intelligence.
These topics serve as a great starting point for important discussions surrounding an organization’s security practice, with common security questions including:
1. What is your biggest security concern and is your security spend and expertise properly allocated to address that risk?
2. Do you have a clear picture of your overall security posture and of how it relates to industry best practices?
3. Do you currently conduct security assessments, such as penetration tests on a bi-annual basis?
4. How realistic is your plan to address the security gaps that you might have today?
5. Do you have an established process to address computer security breaches?
6. How confident are you of your ability to demonstrate compliance?
7. Given the skills gap that exists in security, do you view the ability to recruit and retain talent and expertise as a top priority?
While all are great questions, there’s something missing. Each address security processes in complete isolation. There’s no mention of business priorities, business risk, most valuable assets, etc.
Security posture that doesn’t tie directly to a company objective can appeal to security vanity, but doesn’t offer a true evaluation of where an organization stands. To help achieve this alignment, consider the following five more refined questions:
1. What’s the most important data to the business?
The security team should know what is important to the business. A strong defense can’t happen if what is being defended isn’t understood.
As much information is stored and transmitted in employee email boxes, make certain it is one of the first elements to be protected. Additional key items include intellectual property, contractual information, top client data, and any other information that makes the business function.
2. Where is the documentation for the incident response process?
At some point, an incident will occur. With this, it’s imperative to ensure there’s a strong process in place to respond. It should be clearly documented and well-practiced, with the ability to rapidly adapt to changing circumstances.
If there is no documentation, major red flags should arise. Incident response (IR) is a key pillar in any security practice.
3. Are current security controls working?
A deceptively simple question, but to answer it thoroughly involves discussing the metrics behind the security process, including operational game days, penetration testing, and a variety of other practices that require a mature security practice.
At the very least, the team should be able to demonstrate regular, simple testing of various controls. This is a core requirement for a compliance audit.
4. If asked about an organizational approach to security, how will employees answer?
Security education (not awareness!) is a crucial activity for the security team. It’s their job to help (with the support of senior management) a security culture within the company.
Most breaches start small. Attackers gain a foothold, and then move laterally within the network to reach their targets. In a forensics analysis after the incident, there are always multiple points at which an attacker could have been detected.
When security is part of the cultural fabric of the organization, people are more likely to raise their hand when something seems off. They’re also more likely to respect any security controls put in place because they understand the reason they exist.
Tracking the effectiveness of ongoing security education efforts has to be a key indicator of a good security posture.
5. What’s the most important thing missing from a security standpoint? Why?
The answer should always be: “more top talent with strong security skills, and more training.”
Notice the phrase, “more top talent with strong security skills” and not “more top talent on the security team”. Security is everyone’s responsibility.
Successful security practices are driven by security teams that educate and support the entire business. Building all teams with an eye towards security will move the business down the path to success.
Organizations should be investing in all three P’s: people, process, and products. Ignoring any of them can lead to failure. Security doesn’t exist in a vacuum. It takes continuous effort from everyone and that starts with communication.