Sponsored

Putting information security at the centre of business

True security is about more than technology. Protecting a business needs to begin with a clear assessment of the information it holds, writes Jason Walsh

Brendan Fay, chief operations officer, security division at Ekco: the goal is to assess, protect, detect and respond

As business has become ever more dependent on technology, it has become better understood that this technology must be secured. Most businesses are not technology businesses, though, so a relentless focus on tech has the potential to cloud the real issue: information.

Asked if there was a general understanding in the market that security is about more than IT – taking in technology, yes, but also policy and procedures – Brendan Fay, chief operations officer, security division at Ekco said there was.

“I would think, yes. Certainly, in the medium-sized enterprise space we see it,” he said.

But what does this mean in practice? Fay said that rather than focusing purely on acquiring the right technology to combat threat actors, the correct approach is to focus on the business and, with it, the information it holds.

“It’s about information security as opposed to IT security: the whole approach to governance, risk and compliance. It’s about your roles and responsibilities, and the person whom they report to should be outside of IT,” he said.

The three pillars of a successful strategy are governance, risk and compliance. Each is subtly different from the others but, taken together, they create a working strategy and methodology for protecting a business or other organisation from both malicious attacks and inadvertent errors.

“Typically we would start with a full assessment of the business, asking ‘what are your assets?’ and ‘what are your concerns?’ Then, compliance is data protection and other industry-specific regulations,” said Fay.

As recent years have seen all businesses become more reliant on technology, the urgency of the matter has increased. Businesses recognise this, Fay said, including the paradox that it is not all about tech.

“Awareness of it has reached the boardroom, particularly ransomware. Typically board members may be aware of it [and] they know it's more than just an IT issue,” he said.

Ekco typically follows the NIST Cybersecurity Framework and ISO security frameworks at the assessment stage.

“Typically, we follow the information: where is the key information? What is the asset, which is typically information? What are the threats that could happen?”

The goal, he said, is to assess, protect, detect and respond.

“The assessment would say ‘here is the prioritised list of risks, and you need these controls to protect’ [but] it’s about the availability of that information as well. The purpose of the IT systems is to support the business function, so we start with asking what the business function is. If a client hasn’t a clue where to start, we ask: what information do you keep, where does it go?”

A technical review is involved, but there are also governance and risk management reviews that ask not only what information is kept, but why.

Naturally, protection itself is mostly a question of technologies, and these have changed in recent years due to both the changing threat landscape and changed modes of work. A modern approach, Fay said, typically includes zero-trust authentication and, increasingly, connectivity through SD-WAN (software-defined wide-area networking).

The goal, however, is to prevent attacks, detect the ones that get through the defences, and respond to them quickly.

“You have to be able to detect if somebody is in your environment. The dwell time could last from a few days to a few months. You need to detect that they're there and get them out. The next thing is they need to be monitored 24/7-365. There's no point responding nine-to-five,” he said.

Fay said this is where service providers help, given that businesses often don’t have the capability to respond, and certainly not on a round-the-clock basis.

“The other side is: they got through your defences, you didn't detect them, or didn’t respond. Now we're talking about crisis response, but you don't want to go there,” he said.

The issue, however, is that attempted breaches, at least, are inevitable.

“It is a matter of time. It's not a matter of if. If you've done your homework, you can try to absolutely minimise the risk. The technology has changed; you need to stay with the [hackers'] level of sophistication, you need to be upping your game,” said Fay.