Many organizations worldwide have adopted widely accepted and internationally recognized security frameworks and standards such as ISO 27001, which provide guidance and direction for establishing enterprise-wide security processes and procedures.
But a problem arises when organizations channel investment and resources into demonstrating compliance with such standards (e.g., extensive documentation, huge checklists) instead of identifying and mitigating real risks. The same has happened with FISMA implementation in the United States: compliance has taken precedence over real security in the networks and systems of federal agencies.
Organizations today need to be 'really' secure, as the threat environment in which they operate is becoming more complex and dynamic, and attackers keep evolving new techniques.
In such a scenario, organizations cannot rely on certifications alone, even though certifications may help provide assurance to their stakeholders.
Though the ISO 27001 standard is a good starting point for implementing security, it is not an end in itself. When organizations operate in a vibrant, dynamic, evolving and competitive environment (business, regulatory or, in the case of security, threat environment), they can only survive if they draw a roadmap for the coming years that looks at future conditions and requirements, strategic options, the competencies that must be built, and so on, rather than focusing only on the present.
This is achieved through long-term planning and a strategy for reaching the defined goals. But how many organizations today have a security strategy? How many have a five-year vision for security? Unfortunately, not many. Many organizations fall short in the following areas:
Long-term Strategic Planning in Security
Today, security practitioners strongly believe that security should be treated as a business enabler rather than a hurdle, adding value to the business by allowing it to offer innovative solutions and services to international markets round the clock, increasing productivity, reducing cost, delighting customers, and so on. For such an approach to materialize, security needs to be revitalized by working more closely with the business and IT and by being given strategic importance within the organization. Unfortunately, not many security frameworks or standards promote such a transformation. They are focused on control implementation: controls that are static in nature, aimed at mitigating existing risks rather than at addressing the future requirements and risks that emerge from business expansion and innovation.
Building Security Capability/Competence
Security is a continuous journey, and no organization can be 100% secure. However, it is important to measure the progress made and the capabilities built over time to address evolving and perennial threats. This can be achieved by defining criteria against which an organization can measure its capability maturity in security. Many existing security frameworks or standards, on the other hand, promote a 'yes/no' approach to security, in which an organization is certified as fully compliant once it has implemented the relevant controls. They provide no maturity criteria that organizations can leverage to improve their security competence.
Focus on Protecting Data
Security frameworks or standards that are asset-centric and process-oriented help provide guidelines for conducting operational tasks in a predefined manner, but if too much emphasis is placed on processes, the objective of deploying a particular process may get lost and the intended outcome not achieved. This at times also results in lost productivity and is perceived as bureaucratic. In today's digital world, data has an economic value attached to it; in some industries, such as pharmaceuticals, data is the lifeline of the organizations operating in the sector. Hackers and rogue insiders vie for this critical data. In such a scenario, the focus of all security efforts should be on data, with lean processes and intelligent technologies deployed to protect it. Unfortunately, security implementations today produce a lot of documentation, shifting organizations' focus to preparing documents instead of addressing real risks by protecting critical data.
Tracking Security Evolution
Security as a discipline has evolved over time. The stimuli have been many: the dynamic threat landscape, a strengthening regulatory regime, research and innovation, globalization, business models, technologies, and so on. For an organization to be secure, it must keep track of the latest developments in the field, whether skills, technologies or services. Specific security disciplines have evolved with very specific approaches to the unique challenges they face, and specific trends and practices have emerged to address the exact requirements of each discipline. The security market, for both technology products and services, offers solutions specific to each discipline, and the security profession is likewise charting a path of specialization in these disciplines. Many security standards or frameworks, on the other hand, do not take these evolutions into consideration. For example, threat and vulnerability management is a very critical discipline today, requiring specific skills, technologies and practices, yet many such frameworks or standards provide no adequate guidelines for it. Similarly, disciplines like secure content management and governance, risk and compliance do not find their rightful place. Such frameworks or standards fail to provide strategic and contemporary direction and guidance to organizations that are implementing and maintaining security.
Integration and Inter Dependencies
Many existing security frameworks or standards do not take an integrative approach, as they focus on individual controls that are described and deployed in silos.
There is a need to approach security differently: in a way that overcomes the above shortcomings of existing security frameworks or standards and enables an organization to focus on the real threats in its environment without worrying about compliance with regulations. Such an approach should assess the organization's maturity in implementing security in different areas with a view to continually improving it. The assessment should further help the organization draw up a strategic plan based on the evolution of the different security disciplines and their interdependencies, with a continuous focus on protecting data. Compliance should then be the outcome, along with dynamic and vibrant security that enables quick response to threats, vulnerabilities and actual cyber attacks.