From the boardroom to operations – moving from infosec governance to practice

Ten years ago, security was a line item in most company IT strategies, if it was mentioned at all. But with the advent of mega-breaches in late 2013 through to nation state attacks such as the OPM breach a year ago IT security has leapt into the boardroom and C-suite.

That has meant a shift from point-solution based reactive operations to a more strategic view and a focus on governance, policy and process.

Michael Brown, Rear Admiral, United States Navy (Retired) is Vice President and General Manager of RSA’s Global Public Sector business.

He works closely with governments around the world and private sector companies. We spoke with him about the transition from governance and policy and how it is progressing in the public and private sectors.

“I do see a definite maturation between where the boards, C-suite and operators have been over the last several years to now.

Boards now understand that it’s not just about setting the policy but they need to understand the risks and equate the risks to the businesses they are in”.

Brown says C-suites are paying attention and providing a conduit between operational teams the boards. That means an increasing awareness that the security organisation needs to be connected with the rest of the business.

Different industry sectors are at different levels of maturity he says. Banks are at the high end with security awareness strong all the way from board to operators. There are some valuable lessons to be learned from this.

“I think it’s the combination of risk, regulation and, because they’ve been so visible as targets they realised they had to do something,” he says.

That’s being reflected in other sectors such as the energy and communications he says.

With many companies in the throes of dealing with shadow IT in its many forms, such as the use of personal devices at work and the ease with which cloud services can be procured, Brown says it’s critical that a culture of using technology securely is fostered.

That extends beyond the traditional company borders and throws the security posture of SaaS and other cloud-services under the spotlight.

“In more mature sectors there’s a realisation that end users can’t assume or abrogate accountability. As a business, we just can’t say we’re outsourcing an individual’s privacy,” Brown says.

When it comes to whether the private or public sector is moving faster when it comes to information security, Brown’s observations are that both sides of the coin are moving ahead.

“At least four of the Five Eyes, between the US, Canada, Australia and the UK have all updated their cybersecurity strategies based on lessons learned.

They’re throwing additional resources, changing decisions about roles and responsibilities in governance. That demonstrates a maturity”.

That doesn’t mean it’s all plain sailing. Brown notes there are still discussions about where the lines of responsibility fall between the government and private sector.

There’s also a perception issue says Brown. Once policies and budgets have been fought for, refining policies and gaining incremental financial support becomes easier as the initial business case has been established.

As a result, there’s no big bang – the work becomes focussed on execution.

As for where the public and private sectors are in their information security maturity.

“Governments are much more focussed on ensuring the governance, policy and strategies are out there as they include the private sector as they include various responsibilities and authorities. But the private sector is moving very fast on the governance.

It is putting in place a risk based policy, tools and models such as cybersecurity frameworks that make it easier to put a governance model in place.”

As for execution, Brown is seeing both government and commercial entities trying to reduce the number of different tools they use and consolidate their infrastructure.

The past focus on installing point solutions to deal with specific threats is giving way to a more holistic approach.

“You can have as many tools as you want. But if you don’t have a strategy and idea of how to employ the capabilities it’s very difficult.

There’s a recognition that the old strategies of having those tools or relying on a strategy of sole prevention is the wrong strategy,” says Brown.

That means looking for tools that can integrate and support the use of analytics tools.

Take this 5 minute survey on The State of Cloud Storage & Collaboration 2016 and go in the draw to win a $500 Visa credit card.Start Survey NOW