Securing information assets is a continuous process: new threats and new user demands emerge every day, and each of them can force changes to the control framework. But the dynamic nature of security and the growing need to let information "travel" are not good reasons for security managers to push data protection responsibilities onto business managers.
I decided to put pen to paper when I read a recent CSO Online article by Andrew Jaquith. Jaquith starts off the piece by attempting to make the case that things are getting too complicated for CISOs; they need to offload some of the work of protecting information.
Despite years of investments in technology and processes, protecting enterprise-wide data remains a maddeningly elusive goal for chief information security officers (CISOs). Software-as-a-service (SaaS), Web 2.0 technologies, and consumerized hardware increase the number of escape routes for sensitive information. Regulations, statutes, and contractual expectations drown CISOs in audit requests and ratchet up the pressure to do something about the problem. Hordes of vendors confuse CISOs with innumerable sales pitches.
Source: Data Security: Whose Job Is It Really?, Andrew Jaquith, CSO Online, 30 March 2009
As I read through this, I remembered the days when I tended to get confused about the right things to do. That was before I decided to take a different approach. Instead of reacting to vendor assertions and emerging threats, I developed a strategy to build a controls framework that covers all types of threats in general, with the flexibility to address individual issues as they arise. This is supported by a threat/controls matrix that lets my team see at a glance where the gaps in our defenses are. When a vendor calls with their newest product or an exploit is announced, we use the matrix and an accompanying exploit assessment process to determine whether we are already protected. That lets us quickly decide whether we care about a new solution, exploit, or vulnerability without eating up a lot of resources.
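To make the threat/controls matrix and the exploit assessment process concrete, here is an added example that is not from the article or from the author's own tooling. The threat categories, controls, coverage mapping and the sample exploit are all constructed for illustration; a real matrix would be populated from the organisation's own threat model and control inventory.

```python
"""Threat/controls matrix with gap analysis and a simple exploit assessment.

Added example, not from the article. THREATS, CONTROLS and the sample exploit
below are constructed placeholders, not a recommended or complete framework.
"""

# Threat categories the control framework is expected to cover (constructed).
THREATS = {
    "data_exfiltration": "Sensitive data leaving via email, web upload or removable media",
    "credential_theft": "Phishing, keylogging, password reuse",
    "unpatched_software": "Exploitation of known vulnerabilities in installed software",
    "malicious_insider": "Authorised user abusing legitimate access",
    "web_app_attack": "Injection or auth bypass against internet-facing applications",
}

# Implemented controls and the threat categories each one mitigates (constructed).
CONTROLS = {
    "dlp_gateway": {"data_exfiltration"},
    "mfa": {"credential_theft"},
    "patch_management": {"unpatched_software"},
    "least_privilege_access": {"malicious_insider", "credential_theft"},
    "security_awareness_training": {"credential_theft"},
}


def build_matrix(threats, controls):
    """Return {threat: [controls covering it]}: the at-a-glance view."""
    matrix = {t: [] for t in threats}
    for name, covered in controls.items():
        for t in covered:
            if t in matrix:
                matrix[t].append(name)
    return matrix


def find_gaps(matrix, minimum=1):
    """Threats covered by fewer than `minimum` controls.

    minimum=1 lists outright gaps; minimum=2 lists threats with no
    defence in depth (a single control whose failure leaves them exposed).
    """
    return sorted(t for t, cs in matrix.items() if len(cs) < minimum)


def assess_exploit(matrix, exploit_threats):
    """Exploit assessment: map a newly announced exploit onto the threat
    categories it realises and report whether existing controls cover each.
    Returns {threat: (status, [covering controls])} with status one of
    'covered', 'gap' or 'unknown_threat_category' (the matrix needs a new row).
    """
    report = {}
    for t in exploit_threats:
        covering = matrix.get(t)
        if covering is None:
            report[t] = ("unknown_threat_category", [])
        elif covering:
            report[t] = ("covered", list(covering))
        else:
            report[t] = ("gap", [])
    return report


def needs_attention(report):
    """True when any category of the exploit is not already covered."""
    return any(status != "covered" for status, _ in report.values())


if __name__ == "__main__":
    m = build_matrix(THREATS, CONTROLS)
    print("Outright gaps:", find_gaps(m))
    print("No defence in depth:", find_gaps(m, minimum=2))
    # Constructed example: an announced exploit that combines a known
    # vulnerability with an attack on a web application.
    r = assess_exploit(m, ["unpatched_software", "web_app_attack"])
    for t, (status, cs) in r.items():
        print(f"{t}: {status} {cs}")
    print("Needs attention:", needs_attention(r))
```

The matrix is deliberately coarse: the value of the approach is that a new vendor pitch or advisory is first translated into the threat categories it actually addresses, and only categories that come back as `gap` or `unknown_threat_category` trigger further work. Raising `minimum` to 2 turns the same data into a defence-in-depth review.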