Designing a business aligned cybersecurity program

Luqman Kondeth, Associate Director of Technology and Security Architecture at New York University Abu Dhabi discusses the importance of aligning the business needs along with organisational security program.

Perceptions of cyber security has been dominated by portrayals of a good vs evil fight in popular culture. Type in “cybersecurity” in a search engine and you are presented with images of padlocks, barb wire, people in dark rooms hacking , guard dogs, viruses etc – all of which are tools to keep the bad guys from harming yourself or your work. When perceptions about cybersecurity revolve around tools, we get a security program which prioritizes itself, a means to an end in itself.

Take a slightly different approach and ask your ten year old daughter on what security means to her. She might point at a picture of her mother. The warm secure feeling of comfort in her mother is “security” for her. It is a property of the safety and trust that her mother provides. This feeling of safety in her mother, her trust in the environment allows the child to innovate, explore and perhaps grow up into an extra ordinary individual.

Enterprises and businesses are not much different.

When is a business secure?
Cyber Security defined in terms of the padlocks, barb wire might present itself to the business in terms of file encryption , anti virus and other tools or standards to be compliant to. While they all provide important facets of cyber security, to allow cybersecurity to enable the business it is important that Cybersecurity chiefs/CISO start their security program with the business in mind. i.e. a Top down approach.

It cannot be understated how important it is to talk the business before starting your cybersecurity program.

A bottom up approach will tick compliance boxes and definitely put some “industry best practices” in place. However, has there been any evaluation on what the impact to the business is when putting these controls in? Did the security measure slow down or block a part of the business? What was the impact of these measure to the business? A recent example was when disk encryption was made mandatory on all department laptops to prevent data leakage via lost devices. While this definitely allowed to tick the box for encryption compliance, what wasn’t anticipated was that these would slow down the finance department. This was because the finance department uses very large excel sheets that have 50,000 lines or more in it and encryption made working on these excel sheets slower. Possible compounded impact could mean vendor payments get delayed and staff in remote locations go without essential supplies for their work.

This was a case of a security control applied from bottom up without a full evaluation of impact to business.

Where do we start?
Talk to the business before deciding on what the security program will look like. Understand the business by talking to individuals about their work and avoid talking about security. Understand what is it that drives the organization and the people in it.

Start with scheduling interviews with key stakeholders in different departments and document their job profiles, their drivers, requirements, constraints and motivators. These are not “security interviews” but refer to these interviews as an exercise in IT understanding the business. A good framework to use is the SABSA ( architecture methodology and specifically their attribute profiling. While any methodology may be used, the key objective is to understand what success means to the stakeholders.

Quite often, casual remarks in these sessions throw the most important pieces of security information that can lead to big wins.

Once these are documented, map out the department goals and priorities into the core business goals.

Now schedule further time with staff from these departments to do two types of meetings. The first is an interview format where the security understands what tools, systems and data is used by individual business roles. Follow this up with observing or shadowing different departments to get a feel of what each role goes through and how technology impacts different roles.

Now map out how all this information relate to each other. This way you now have a direct link from organization goals to the technologies & the controls that you would want to deploy.

You will end up with something similar to the below
Core Goal 1 —> Department goal 1.1 -> Success factor 1.1.1 -> File encryption standards
Core Goal 1 —> Department goal 1.1 -> Success factor 1.1.1 -> Secure Email service required (Current GAP)
Core Goal 1 —> Department goal 1.2 -> Success factor 1.2.1 -> Department secure central file store required for enterprise wide file sharing

A security program built around the business will move away from the blocking mentality to one around enabling the business. Security will start to be seen as the property of internal environment within the business, employees can feel secure in the systems provided.

This view of the business should inform the security program required, the controls to put in place and the tools to be used. Derive the characteristics of the security program from this information.What this means could be to create goals for the program with statements like below

  • Privacy of data is of high priority: Data will be used only for its intended purposes
  • Safety of data: Data will not be altered
  • Trust in systems: Employees and customers will trust systems provided

Or questions like

  • Should your systems be agile?
  • Should your systems be fast?

When these principle statements defined by user input drive the security program, we end up with a security program that is dictated by the business or in other words demanded by the business.

These fundamental principles can then be used across all domains. For example when thinking about third party risk, the following questions maybe asked to third parties

  • How do they ensure privacy of your company data
  • How can you trust their systems ?
  • Are their systems agile to change according to changes in your organization ?

Once you have this in place, security controls can be defined in terms of business enabler functions. New security services required to further enable new opportunities can be developed and deployed further enabling the cyber security head/CISO to play a crucial role in enabling the business.

Security can then be started to be seen in terms of the property of the principles laid out by the security team which in turn were demanded by the Business.

Cyber Security now becomes an enabler to the Business.