One of the difficult parts of being a CISO is determining the state of your security operation. In addition to securing corporate assets, the CISO must address many compliance obligations, some of which impose very specific requirements for protecting highly sensitive information.

In addition, the CISO must address the protection of intellectual property from those who would rather steal the information than develop the technology themselves. Each industry has, or should have, very specific regulations or guidelines for protecting the data and systems of the enterprises that are its constituents. Some of the notable regulations and guidelines that affect us every day are:

· Payment Card Industry Data Security Standard (PCI DSS), used by companies in the payment card industry (credit and debit cards) to protect sensitive information received through the use of a payment card

· Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, which provide security and privacy practices for healthcare providers that acquire healthcare information

· Federal Financial Institutions Examination Council (FFIEC), which provides uniform principles, standards, and reporting on behalf of the agencies that have oversight over our financial institutions

Few of these industry-specific regulations and guidelines provide insight or interpretation on how an organization might approach implementing their elements. The guidelines provided by the FFIEC are a notable exception. Any given company may find itself subject to multiple regulations from multiple agencies. For instance, a financial provider may find itself subject to all three of the regulations and guidelines listed above.

So how does a CISO begin to build security, privacy, and risk strategies given all the regulations they may face? How does one, for instance, understand all the networking provisions of each of these regulations?

Another issue arises to complicate our planning. You’ll often hear security professionals say “compliance does not equate to security” or a variation like “just because you are compliant doesn’t mean you are secure”.

These statements underscore the fact that compliance regulations and guidelines are often focused on protecting the sensitive data specific to their industry. Furthermore, it takes time to bring standards up to date with the evolving threats that face an enterprise. One example is the approach to malware.

Most regulations require that anti-virus software be installed on computers and servers to protect against malware. But most anti-virus software provides only limited protection against the malware, spam, and spyware that threaten our users. Thus, IT and security professionals look to companies that provide endpoint solutions to protect users, and to innovative software, such as predictive intelligence, to assist security staff in protecting servers, data stores, and applications.

Where does the CISO begin?

The CISO must understand what it is that they are trying to protect and the constraints they face. The first part of that statement is “easy” to accomplish. Simply take an inventory of all assets: endpoints, networking equipment, servers, applications, printers, networks, connections to the internet, and every location where sensitive information is stored. You can probably add many more items to this list. Let’s say you complete that inventory; how do you keep it up to date? Undoubtedly, by the time you complete the inventory, changes will already need to be captured.

What about the second part of the above statement, understanding all the constraints that the CISO faces? Like a physics problem in which we ignore the effect of friction, let’s ignore for the moment the impact of budgets and corporate politics on our problem statement. The CISO must understand, in discrete detail, all the regulations impacting their organization. In addition, they may want to bring into the mix their preferred security framework, such as ISO 27001/2, NIST SP 800-53, or the NIST Cybersecurity Framework, to provide more depth to the security dimension of their strategy. How does one address all these disparate frameworks and compliance obligations and develop a strategy for their company?

In part two of this blog post, we’ll look at strategies the CISO might adopt to overcome the massive task of developing a strategy that addresses the security, compliance, and privacy concerns of their enterprise.