Getting your cybersecurity strategy right
31 Aug
Before you can pin down your cybersecurity strategy you’ll need to gather the right requirements, says Brian Chappell, Chief Security Strategist EMEA & APAC, BeyondTrust.
As businesses across the Arab Gulf try to get back on the path to prosperity, they find themselves more beleaguered than ever by security concerns. Compliance continues to be part of everyday commerce in the region. New rules such as the United Arab Emirates’ Personal Data Protection Law are enacted frequently and business leaders must tally their obligations with the increasing complexity of the hybrid networks and platforms that hold sensitive data.
In trying to remain compliant, enterprises may tend to run for the nearest shiny solution. But as with any technology offering, requirements gathering must come first. Here are five tips to get this right in the realm of cybersecurity.
Understand the stakeholders
Whether they are supplying money, resources, or support, each stakeholder will have their own angle on the project and may even have their own distinct perspective on what constitutes success or failure. The CISO must navigate these wants and send the clear message that in cybersecurity, everyone is a stakeholder, and everyone bears some responsibility for success.
This means that everyone should be represented at the table. Each department or group should have a voice. Proxy stakeholders that speak for each group should be at as many project meetings as possible and security leaders should seek to win over all of them if a project is to succeed.
To achieve this, CISOs will need to get to know what makes each group tick — what they do for the organisation and how they do it — and use this information to facilitate a breakdown of the perceived barriers between business functions.
Be problem-oriented, rather than solution-oriented
It is easy to get bogged down in ticking boxes and researching technologies. If an organisation discovers a problem, the first step should be defining the business benefits of solving it, rather than just assuming the elimination of the gap is a reward in itself.
For example, an audit may reveal inadequate controls in the use of privileged accounts. This is a common situation across the region, caused by too many people having access to privileged accounts amid an overly complex security model. In this case, looking immediately to the solutions market would be a mistake. A review of the organisation should come first. It will make it obvious that restricting access to only those who need it, at the time they need it, and only for the purposes they need it, will not only solve the problem of too many people having access; it will also reduce the complexity of the security model.
Change processes first
Procuring new tools will require organisational changes. But it is important to remember that a process change may require a cultural upheaval. This goes beyond mere education of staff to enable them to use the new tool. People, processes, and technology must all work in harmony to add value. Get this part wrong and return on investment will be negatively impacted and the project may even fail.
If project leaders keep sight of the fact that technology is a tool used by people to execute processes, then adoption of new solutions should be more successful. The tool should fit the process change, not the other way round. If we consider privileged accounts again, complexity and a lack of control suggest a process change in access management towards privilege-focused access. Any procured technology should follow that requirement, and users should be trained in the new process as well as the new technology.
Across the technology world, requirements gathering is used to discover a mixture of domain knowledge and pain points on behalf of technologists who may not be familiar with the problem they are trying to solve. As a result, end-user respondents may end up ‘designing’ the solution, requesting features and stipulating how the system should be implemented.
And when stakeholders are consulted too late in the process and discover that changes to their working practices have been agreed upon without their consultation, they may seek to derail the project. It is therefore advisable to ask everyone for their input at the outset and have everyone evaluate the entire collated set of requirements against perceived business benefits. Such feedback has the added advantage of forming the foundation of KPIs for future evaluation of the solution. The polished set of requirements (representing an organisation-wide view of a beneficial solution) is now ready to be sent to vendors.
Make cybersecurity an integral part of the business
Treating security as an add-on rarely ends well. No matter where a business operates — the UAE, the GCC, the Middle East, MEA, or around the world — there is no escaping the long arm of regulation. Compliance has become fundamental to doing business, so it is only natural that the cybersecurity that delivers it should also be considered fundamental.
Today, headline-grabbing cyberbreaches are all too common. But the big names and big events are just the public tip of a colossal iceberg. Cybersecurity is vital to our business and economic continuity. CISOs are under constant pressure to ensure every system is secure. They must bake cybersecurity into all processes, everywhere. And once they do, all systems can become net additions to business value.
Living security connects people, processes, and technology in a way that adds value to the enterprise. The region’s stakeholders, be they security, general technology, or line of business, can no longer afford to approach security with their own unique agendas. An enterprise-wide vision of a secure digital estate must be our guide. Only then can we consider our requirements as well and truly gathered.