Making Security Assurance More Business-Focused
In a fast-moving environment filled with evolving cyber threats, leaders want confidence that business processes, projects and supporting assets are well protected.
Many organizations aspire to an approach that directly links security assurance with the needs of the business, demonstrating the level of value that security provides. However, there is often a significant gap between ambition and reality. Improvement requires time and patience, but organizations do not need to start at the beginning. Most already have the basics of security assurance in place, meeting compliance obligations by evaluating the extent to which required controls have been implemented and identifying gaps or weaknesses.
Taking a business-focused approach to security assurance is an evolution. It means going a step further and demonstrating how well business processes, projects and supporting assets are really protected, by focusing on how effective controls are. It requires a broader view, considering the needs of multiple stakeholders within the organization.
Business-focused security assurance programs can build on existing compliance-based approaches by:
- Identifying the specific needs of different business stakeholders
- Testing and verifying the effectiveness of controls, rather than focusing purely on whether the right ones are in place
- Reporting on security in a business context
- Leveraging skills, expertise and technology from within and outside the organization
A successful business-focused security assurance program requires positive, collaborative working relationships throughout the organization. Security, business and IT leaders should actively engage with each other to make sure that requirements are realistic and expectations are understood by everyone involved.
The Need for Change
Security assurance means different things to different organizations, resulting in a range of approaches and practices being adopted. Despite their differing approaches, organizations face common challenges that are driving a need for change.
The purpose of security assurance is to provide business leaders with an accurate and realistic level of confidence in the protection of ‘target environments’ for which they are responsible. This involves presenting relevant stakeholders with evidence regarding the effectiveness of controls. However, common organizational approaches to security assurance do not always provide an accurate or realistic level of confidence, nor focus on the needs of the business. Security assurance programs seldom provide reliable assurance in a dynamic technical environment, which is subject to a rapidly changing threat landscape. Business stakeholders often lack confidence in the accuracy of security assurance findings for a variety of reasons.
Common security assurance activities and reporting practices only provide a snapshot view, which can quickly become out of date: new threats emerge or existing ones evolve soon after results are reported. Activities such as security audits and control gap assessments typically evaluate the strengths and weaknesses of controls at a single point in time. While helpful in identifying trends and patterns, more regular reporting is required to keep pace with new threats.
There is often ambiguity over what the security assurance function delivers and the way it aligns with other functions in the organization, such as risk management, compliance and audit. This lack of alignment can lead to poor communication, stemming from failures at the governance and leadership level, adversely impacting the capacity to provide consistently reliable evidence about the effectiveness of controls.
Insufficient Focus on What Business Stakeholders Want
Poor communication between individuals responsible for security assurance and business stakeholders can lead to insufficient focus on the needs of the business. Complex demands can lead to confusion over which results from security assurance activities will be reported and how. Workshop participants generally agreed that business leaders do not clearly define requirements for security assurance or specify how they want the results of security assurance activities to be reported.
The primary focus of business stakeholders is to run the business – they cannot be expected to drive security assurance. Security professionals often resort to using IT or security-related jargon, making it difficult for business stakeholders with non-technical backgrounds to understand findings and recommendations. Understanding business requirements requires close engagement and clear communication between business stakeholders and those responsible for security assurance.
Even in cases where clear structures and channels of communication exist, the focus of security assurance does not always take sufficient account of day-to-day operational business requirements. In centralized, governance-led organizations, requirements may be set and driven from a central corporate level, with little or no input from leaders of business operations.
Moving Towards Business-Focused Security Assurance
Unhappy with current approaches to security assurance, many organizations want to establish a more business-focused program. Doing so requires reviewing current security assurance programs and defining organizational objectives for the future. Most organizations run a security assurance program of some kind, but implementation varies significantly. Individuals performing security assurance should have a clear idea of their responsibilities and remit within the organizational structure before progressing with plans for a future program.
The security assurance function typically operates under the umbrella of the information security department but can be positioned within other parts of the organization, such as risk management, security governance or audit and compliance functions. There are no hard and fast rules about where it should be positioned, but having a dedicated security assurance function with its own reporting lines provides the degree of independence – and therefore objectivity – that is required to run an effective security assurance program. As part of a review of the current program, individuals responsible for security assurance should evaluate the maturity of the security assurance function or its equivalent; identifying strengths and weaknesses in terms of people, process and technology.
Applying a Repeatable Process
Organizations should follow a clearly defined and approved process for performing security assurance in target environments. The process should be repeatable for any target environment, fulfilling specific business-defined requirements.
The security assurance process comprises five steps, which can be adopted or tailored to meet the needs of any organization. During each step of the process a variety of individuals, including representatives from operational and business support functions throughout the organization, might need to be involved.
A relatively small security assurance function, for example, may need to acquire external expertise or additional specialists from the broader information security or IT functions to conduct specific types of technical testing. However, in every organization:
- Business stakeholders should influence and approve the objectives and scope of security assurance assessments
- The security assurance function should analyze results from security assurance assessments to measure performance and report the main findings
- Prioritize and select the target environments in which security assurance activities will be performed
- Apply the security assurance process to selected target environments
- Consolidate results from assessments of multiple target environments to provide a wider picture of the effectiveness of security controls
- Make improvements to the security assurance program over time
A Long-Term and Ongoing Investment
An independent and objective security assurance function should provide business stakeholders with the right level of confidence in controls – complacency can have disastrous consequences.
Security assurance activities should demonstrate how effective controls really are – not just determine whether they have been implemented or not. Focusing on what business stakeholders need to know about the specific target environments for which they have responsibility will enable the security assurance function to report in terms that resonate. Delivering assurance that critical business processes and projects are not exposed to financial loss, do not leak sensitive information, are resilient and meet legal, regulatory and compliance requirements, will help to demonstrate the value of security to the business.
In most cases, new approaches to security assurance should be more of an evolution rather than a revolution. Organizations can build on existing compliance-based approaches rather than replace them, taking small steps to see what works and what does not. Establishing a business-focused security assurance program is a long-term, ongoing investment.