– By Dinesh K. Pillai, CEO, Mahindra Special Services.
Today the media is flooded with stories of hacking, data loss, phishing, trojans, etc. These breaches are widespread even in organizations, government and private, local or MNC, that hold various certifications. Research organizations quote several figures in USD billions for the losses from these kinds of attacks, though the veracity of each figure can be questioned. Unfortunately, organizations are yet to understand the impact of an information security breach on their brand, competitive advantage and legal exposure, because these are generally intangible and hence difficult to measure. The belief that a certification is good enough to protect information is the biggest fallacy in organizations. Lack of focus on the other critical domains involved in protecting information makes it all the more difficult to achieve the objective.
Information risk management: Perception vs. Reality
Let us look at the classical way of risk management in any organization. Top management's view of risk is focused on financial and operational risks, IT risks and other compliance-related areas. Hence a lot of money and resources are invested to strengthen these areas, which is required either for survival or for compliance with various laws. Interestingly, top management measures every investment in business with parameters such as ROI. However, there are no parameters available to measure the performance of investments in security and risk. Management looks at audit reports as the indicator of how the security investments are performing. Herein lies the biggest challenge that organizations need to overcome if they really want to be secure. Audits are definitely not the real indicator of the performance of the Risk Management Framework. Let me tell you why.
- The audit process itself demands that the auditee be informed of the audit schedule in advance. This pre-warning results in the necessary preparations to clear the audit.
- The audit is done on a small sample or phase-wise basis, at times for less than 2 hours in a department. It is difficult to figure out the performance of a control in such a small time frame.
- The audit is a compliance process. The auditor will check for the implementation of documented controls. So, even if there is a much bigger risk in the business, the auditor is not duty bound to report it, since it is not within his scope.
- The major issue is the way top management interprets the audit report. Compliance with a control does not necessarily mean that the control is actually working. This is a dichotomy. Let me explain with an example. Most organizations implement complex password policies, and these are complied with as well. The intent of the password policy is to produce passwords that are difficult to break. If compliance were an indication that the control is functioning, then why do most people use passwords like 123, companyname123 or theirname123?
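To make the compliance-versus-effectiveness gap concrete, here is an added Python example (not from the article) that audits a constructed sample set first against a typical written complexity policy and then against a simple guessability check; the company name "Acme", the user "Priya" and the list of common base words are assumptions.

```python
import re
from typing import Optional

# Constructed sample set (not from the article). Every entry satisfies a
# typical written complexity policy; only the last one is actually hard to guess.
SAMPLE_PASSWORDS = [
    "Acme123!",      # company name + 123
    "Priya123!",     # the user's own name + 123
    "Password1!",    # dictionary word + digit + symbol
    "v9#Kq2$mL7tZ",  # random, no recognisable base word
]

# Small constructed list of base words that any attacker's wordlist would contain.
COMMON_BASES = {"password", "welcome", "admin", "letmein"}


def meets_complexity_policy(pw: str, min_len: int = 8) -> bool:
    """Compliance view: minimum length and at least three of four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    present = sum(1 for pattern in classes if re.search(pattern, pw))
    return len(pw) >= min_len and present >= 3


def predictable_pattern(pw: str, company: str, user: str) -> Optional[str]:
    """Effectiveness view: does the password reduce to a guessable base word
    once symbols and trailing digits are stripped? Returns a reason or None."""
    core = re.sub(r"[^A-Za-z0-9]", "", pw).lower()   # drop symbols, normalise case
    base = re.sub(r"\d+$", "", core)                  # drop trailing 123 / 2024 / ...
    if base in {company.lower(), user.lower()} | COMMON_BASES:
        return f"built on guessable word '{base}'"
    return None


def audit(passwords, company: str, user: str) -> dict:
    """Count how many passwords pass the written policy versus how many also
    survive the effectiveness check; the difference is the gap described above."""
    compliant = [pw for pw in passwords if meets_complexity_policy(pw)]
    effective = [pw for pw in compliant
                 if predictable_pattern(pw, company, user) is None]
    return {"total": len(passwords), "compliant": len(compliant), "effective": len(effective)}


if __name__ == "__main__":
    print(audit(SAMPLE_PASSWORDS, company="Acme", user="Priya"))
    for pw in SAMPLE_PASSWORDS:
        print(pw, "->", predictable_pattern(pw, "Acme", "Priya"))
```

On the sample set the policy reports 100% compliance while only one password in four would withstand a wordlist attack.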
The compliance and audit reports create a false sense of security in the minds of top management, whereas the reality can be diametrically opposite. This perception can lead to catastrophic consequences. It is essential that the organization calibrate the gap between perception and reality as far as Information Risk Management is concerned.
Critical Factors, But Ignored
Now, even if we assume that the IT security controls in an organization are good enough, it does not imply that information security is up to expectations, since we generally tend to overlook some critical areas: physical access to information, processes and human capital.
Let us look at physical access. Most of us believe that physical security is a ritual performed at the main point of entry. Once a person crosses it, he is assumed to be trusted and is pretty much free to move around most areas of the facility. Think about an employee who is given authorized access. Do we ever check the physical access that he has within the office? The same information that is well protected in the IT space is easily available within the office, where an employee or a partner can readily access it. There are lots of unlocked workstations in organizations that facilitate unauthorized access to data in the IT systems. Access to a switch or a router can bring the complete network down. Then what is the point of investing in IT security, if the same information is easily accessible? Don't you think it is an investment giving no return?
The other area worth mentioning is process gaps which, when aligned, create a path for information leakage. The challenge here is the top-down approach in process audits. In this method, the audit usually throws up some gaps, which may be minor in nature. However, people with enough motivation and access to information systems will know the gaps in every process and will align these gaps to create a data breach or fraud. This explains the increased instances of data breach now being reported.
The major risk in information security is the low awareness level of people with respect to the value of information, or the basic hygiene they need to practice when handling it. Most of the time, attackers exploit the human element to break into highly secured infrastructure. However, we prefer to wish away this risk, citing cultural issues in putting controls around human capital.
Change the thinking – Bring in Attacker’s perspective
Let us figure out how we can improve our defense levels in an Information Security Framework. We need to bring the attacker's perspective into the audit.
The first and foremost requirement is to move away from the Compliance Audit to the Effectiveness Audit. In an effectiveness assessment, instead of checking compliance, the audit team should try to break the control in whatever manner it can. The aim should be to break the control by identifying the weakest link. It can be a minor process gap, a technology vulnerability or a human failure, or a combination of these factors, that results in a breach. In this method, you are testing the information ecosystem from a 360-degree perspective rather than as stand-alone processes.
Accountability is one issue that needs focus if the framework is to be implemented properly. In most cases, accountability for the framework implementation rests with the IT or Admin team, whereas the ownership should lie with the business organization. There is generally a lack of interest from the business organization in the implementation of the information security framework because normal audit reports only indicate the gaps, not their business impact. If we need the active participation of the business in information security initiatives, then business heads should be shown what they understand, i.e. MONEY. Yes, we need to show the business heads the impact of the current state in revenue terms, either as a financial loss or as an impact on competitive advantage. To do this, we need to move beyond the normal audit, exploit the gaps to capture the business impact, and present this as the audit report. Once they see the impact that their business will have, it is only natural that they give mindshare and commitment to the implementation of the framework.
To conclude, the only way Information Security Implementation can improve and be sustained is when there is an attempt to move away from the contemporary compliance audit to the effectiveness audit. Along with this, we need to highlight to the Leadership and top management the business impact of the weaknesses in the system(s), so as to ensure that the Framework Implementation is driven from the CXO level with a firm commitment.