Why it’s time to rethink what drives your IT security program
In the past, IT security was treated like insurance: an expense to be minimized, not a revenue generator. That perception left IT with minimal budget for securing networks, data, and other assets. But as threats have multiplied, from malware to data and identity theft, security has become a priority for every organization.
Over the past three decades, businesses have built structured security programs as federal and industry regulation became more prevalent. The Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), and the Payment Card Industry Data Security Standard (PCI DSS) are among the best-known regulations and standards that have driven compliance-based security.
Whatever the regulation, however, both the compliance controls and the threat landscape have evolved, and a new requirement has emerged: managing risk. Security can no longer simply check the compliance box as it could in the past. Risk is the basis for every effective IT security program.
An eye on compliance in a changing threat environment
Compliance became the criterion of success for many IT security programs because non-compliance could result in financial penalties. To avoid fines, technical solutions that demonstrated compliance were created, and these solutions were fitted into a layered security architecture.
While compliance requirements drove many security programs, the threat landscape evolved. In the '90s, most malicious activity came from individual hackers who focused on crashing networks. With the data explosion of the early 2000s came the realization that data had value, and malicious code and social engineering attacks rose accordingly. Instead of a lone hacker introducing a virus or Trojan horse to take down a network or destroy a hard drive, automated bots and Advanced Persistent Threat (APT) groups emerged whose goal is to steal data and personally identifiable information.
Today, attacks are more sophisticated: bots are deployed at scale, and APT campaigns are aimed at specific organizations. In some cases, an intrusion can persist for more than a year before it is detected. Keep in mind that many of these attacks are not destructive from an infrastructure perspective, so nothing visibly breaks; but the amount of data a bot or APT can slowly exfiltrate from a private network can be massive.
Why modern IT security focuses on risk
This changing threat landscape has spawned improved solutions, such as Next Generation Firewalls (NGFW) for the network, monitoring and patching solutions for endpoints, and URL and email filtering. IT professionals, recognizing both the change in the threat landscape and the improved security technologies, are shifting their programs to focus not just on compliance but on actual risk.
Compliance requirements overlap heavily across SOX, PCI DSS, and HIPAA, and the controls they prescribe tend to be high level, vague, and open to interpretation. Satisfying them therefore says little about whether a specific risk to a specific system has actually been mitigated.
When compliance is the primary focus, security controls are usually minimal and sometimes apply only to the business area in scope for the regulation (for example, the cardholder data environment for PCI DSS); when risk is the primary focus, the entire IT environment is in scope and is equipped with controls chosen to mitigate specific, identified risks. The SANS Institute developed the 20 Critical Security Controls (now maintained by the Center for Internet Security as the CIS Controls) to cover the main aspects of risk mitigation for most businesses. For organizations in the health industry, HITRUST has created detailed security controls that not only focus on mitigating risk but also map to most, if not all, relevant government and industry regulations and guidelines. Adopting a control catalog is a starting point, not the program itself: each control should be traceable to a risk the organization has identified and prioritized.
For an organization implementing or transitioning to a risk-based security approach, identifying a starting point can be a challenge: What comes first? Network architecture, technology, policy, or process and procedure? To develop a roadmap, consider an independent, third-party assessment of your IT ecosystem. A security posture review of this kind combines infrastructure testing with a review of current controls and produces a report that supports both a tactical plan to address immediate risks and a strategic plan for an ongoing risk-based security program.