
Enterprise Security: What does it really mean?


Kevin Powers, Founding Director, Boston College
Whether you’re at a cybersecurity conference, participating in a webinar, or reading an article like this one, you are often bombarded with these catchy sayings regarding enterprise security: “It’s a team sport”; “It’s about tech, people, and process”; or “It’s not a tech issue, but a business issue.” Then you are told that you need a compliant information security program, along with an incident response plan, that is certifiable to any one of the NIST, COBIT, ISO, or other popular frameworks, so you can avoid the wrath of the regulators. Okay, all true, but what does that really mean?
To help clear things up, let’s look at what the National Institute of Standards and Technology (NIST) has to say. According to NIST, an information security program is a “formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements.” NIST also recommends that you implement an incident response plan—“a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber-attack against an organization’s information systems.” NIST then points out in its Framework for Improving Critical Infrastructure Cybersecurity that there is no one-size-fits-all approach to managing cybersecurity risk. Wait. What? Again, all true, but what does that really mean?
To best help you get a sense of what an enterprise security program really is and provide you with some key takeaways in developing and implementing one, I’ve pulled in the experts to provide you with their thoughts. Here’s what they had to say:
Kevin J. Burns, Chief Information Security Officer, Draper Labs:
The highest priority for any enterprise security program is that it aligns to the short and long-term business goals. It is immeasurably valuable to routinely (via an enterprise security board) include input from the business managers and line staff into security program technologies and processes. The enterprise security board truly drives adoption and ensures adherence to policies company-wide in so far as within the board, users, senior leadership, and decision makers are present and their input adopted, and then presented to the Board of Directors. The program should be built upon a hybrid model of bottom up, bi-directional in the middle, and most importantly top down adoption. These collaborations are a major shift from the siloes that previously existed and necessitate a change in attitude. Only when all within the business have bought into the program does it become successful.
Etay Maor, Executive Security Advisor, IBM Security:
Your enterprise security program should not be a “check mark” on the auditors’ page. That approach trickles down and is manifested in the operational and tactical levels resulting in the minimum necessary investment in cybersecurity policies, procedures, tools, and training. For an effective enterprise security program, organizations should make cybersecurity a goal or a business differentiator and develop a cybersecurity culture on the strategic level that is then clearly represented in its program. Also, make sure your incident response teams are not just the technical/operational teams…you need legal, PR, R&D, DEVOPS, senior management, and the Board engaged. I personally think that the most important element of incident response is that the teams must be trained in simulated attacks so that when the time comes no rules or procedures are written on the fly; it's all muscle memory. Train hard, fight easy!
Kevin L. Swindon, Corporate Vice President, Global Security, Charles River Labs:
With the ongoing trend of the convergence of physical and IT security and the fact that organizations are facing complex blended threats, it is now imperative that organizations take a holistic approach to protecting their assets. This needs to concentrate on three critical areas: risk; compliance; and preparedness. A security program must always minimize the risk to the organization’s assets while ensuring compliance with both internal and external requirements such as local, state, federal and international regulators. A key factor in the success of any enterprise security program is the organization’s ability to respond to and mitigate a critical incident. To ensure the organization’s readiness, they must continually test their ability to respond and make practicing their preparedness a part of the corporate culture.
Cheryl Davis, Managing Director, Cybersecurity, FTI Consulting—Washington, D.C.:
An enterprise security program needs to take into account that cybersecurity is more than just an IT issue and recognize that cybersecurity risks impact the entire business. Thus, the first step in developing a program is having a thorough understanding of an organization’s critical data and assets. Overlaying on this the risk landscape—which is unique for each organization—will enable leadership to prioritize and tailor measures to enhance the resilience of such critical assets and data to threats and vulnerabilities. It is also critical to have a response plan in place prior to an incident. This plan should lay out the process for responding to an incident, include key stakeholders across the organization, and clearly state their roles, responsibilities and expectations during an incident. The plan should also identify thresholds for elevating decision making and when to engage third-party expert support and law enforcement. In the heat of an incident response where there are so many moving parts—from the technical response, to determining if notifications to regulators or law enforcement are necessary or required, to releasing any public messaging—all stakeholders must be aware of their incident response responsibilities and be active participants.
Scott T. Lashway, Partner, Holland & Knight, LLP—Boston Office:
I believe cybersecurity risk lies at the intersection of humans, technology, and the law, and these circles represent the core aspects needing to be addressed by an effective security program. Although you cannot control exactly how all cyber risk is presented to your organization, you can, and you must, control and manage your response. It is critical, however, to align the security program to the organization’s (business) strategies and objectives; without doing so, the program can become an obstacle or can be ignored altogether. Organizations should also seek legal advice as to all matters and risks presented by a security incident; from strategies and tactics of an investigation as well as compliance with the constantly growing morass of relevant laws and regulations, to seeing around every foreseeable corner to prepare for risks that have not yet materialized. You really need to begin preparing your defense from day 1 of any investigation and, with any luck, long before an incident develops.
Thanks to the above input from our contributing experts, you now have some clarity as to what it really means to have an effective enterprise security program. Most importantly, you should realize that cybersecurity is not just cool buzzwords and taglines or a check in the compliance box. Instead, cybersecurity is complex and something you should not try to learn and do on your own. Listen to the professionals. You won’t regret it!
