For many organisations, maintaining and improving their security posture is a complex journey, because many actors across the business directly or indirectly play a role in executing and managing the security controls that support the battle against cyber-crime.
Actors include teams responsible for administering systems, applications, networks, storage and software development, but the boundaries do not start and end in IT. By way of example, HR is responsible for making sure that potential employees are screened properly before they join and that employees who leave the organisation are off-boarded correctly. Shortcomings in these processes leave the door open to potential exploits, so coordination between HR, security and IT teams is very important.
Another example of where coordination is important relates to third-party supplier relationships. These relationships are often owned by different groups across business operations. The vendors in question may provide IT infrastructure or applications, or even have direct access to in-house systems to support discrete business processes, and the owners of these relationships should ideally work with IT and security groups to ensure that the business's security posture is not compromised.
This level of coordination is not unlike a theatre of war where success is determined by how effectively those in command orchestrate land, air and naval forces, each with their own human resources and military hardware, against the enemy.
With so many different actors participating in maintaining an organisation's security posture, governing information and cyber security, and making sure that business stakeholders have a clear and accurate picture of the current state of compliance, can be a big challenge for CISOs and Security Officers.
Too many organisations are still managing the enforcement of their security controls informally. This generally leads to inconsistency and leaves no feasible way to measure the effectiveness of those controls on an ongoing basis, which in turn leaves the door open to potential exploits.
Introducing software to orchestrate the process of enforcing and maintaining the compliance of security controls is a big step forward. It brings greater consistency and rigour to the process and provides the basis for effective measurement, so that control owners, security teams and executives can clearly understand where the weaknesses are and take action to address them on an ongoing basis.
At the coal face, orchestration software enables greater consistency because it provides a regimented approach that can be applied to all security controls: collecting the evidential proof of compliance, flagging situations where controls are not compliant and driving the actions needed to remediate them. It also provides the capability to escalate situations where control owners fail to take the necessary actions, ultimately bringing them to the attention of security officers, IT and business executives so that they can be addressed.
In today's theatres of war, technology and automation are used more extensively to complement human resources and provide more predictable outcomes. In the context of information and cyber security compliance, organisations should likewise strive, where possible, to move beyond relying solely on people to carry out compliance checks. Using automation to perform discrete compliance checks increases their accuracy, coverage and frequency, enabling ongoing improvement in an organisation's security posture while freeing those who manage security compliance from low-level tasks.
It is important to remember that automation of discrete tasks on its own is not a silver bullet for maintaining security compliance. We should not lose sight of the broader orchestration capability required to coordinate the execution of individual tasks, in sequence with the other tasks that make up an overall process. The steps in maintaining compliance of an individual control may include a series of checks, escalation of non-compliance to the relevant stakeholders and remediation. Depending on the maturity of the organisation, each of these steps could be automated or carried out by humans, so the orchestration software you select should be flexible enough to support any combination of the two.
The good news is that orchestration software capable of facilitating what I have described above has been around for a long time. It is important, however, to consider a solution that comes pre-built with domain-specific workflow, automation and reporting for managing security compliance, as this minimises an organisation's time to value and development effort and supports ongoing benefit realisation.
If you would like to learn more about how Caveris can help do not hesitate to reach out to us, explore the resources on our website or sign up for a free trial.
This article was originally authored by Andrew Mallaband from Breakthrough Moments who is a member of the Caveris Advisory Board.