Cover Feature Cyber Security
Managing risk in an enterprise security environment By Stewart Hayes
S
ecurity has different meanings for each organisation depending on their business sector, operational locations and operating model. These may influence their view on what is important - cyber, physical or personnel (insider threat) security and, as a result, how they approach security management. This has tended to influence their choice of staff and skillset required to oversee their security infrastructure. However, nearly all organisations are now faced with a multitude of threats which could impact their ability to operate effectively, meet their business objectives and protect their stakeholders’ interests. Converged Security is a topic that has been around for a number of years. The Alliance for Enterprise Security Risk Management formed by ASIS, ISACA and ISSA used to issue an award for the best approach to delivering security convergence. Unfortunately, this alliance disbanded after 2007; however their publications and principals remain applicable. In 2012, along with some very experienced colleagues, I published a paper on the advantages of a fully integrated security ecosystem - The Changing Face of Cybersecurity (ISACA Journal) that considers business risk first. Essentially this promoted the provision of a single focus for security issues; IT systems, Physical infrastructure and Personnel. This should now be extended to cover other related areas including key aspects of Personally Identifiable Information which is typically handled by the Legal Department; OH&S and the working environment – usually the domain of HR or Health and Safety; Payment Cards – Finance; and Political threat if they are operating in hostile regions is usually outsourced to specialist agencies. All represent a potential source of security risk to the organisation and should be managed consistently and effectively. The problem for the Executive however, is deciding where they spend their security dollar. They must
40 | Australian Cyber Security Magazine
consider these security risks alongside investment, market and regulatory risks. Developing and establishing a framework for the converged security model is difficult. Typically, the various security disciplines have different skill sets, different modus operandi and different threats to address. As a result, the security dollar often gets spent on fixing the last problem that occurred or the ‘issues’ identified by an auditor. These may not address the key business risks. Technology relevant security threats continue to emerge. Having established approaches to securing a Cloud environment with massive data stores and transient servers and applications, we now have another field approaching the security ecosystem like a steam train. Integrated Operational Technology (OT) and ‘Internet of Things (IoT)’ components within the corporate infrastructure. We have aged Building Management Systems (BMS) with unprotected control systems enabling unfettered access to corporate networks and even sensitive operational networks beyond the corporate environment. Similarly, IoT devices having greater autonomous intelligence than OT systems are being plugged into the operational infrastructure in increasing numbers. These are now gathering large amounts of potentially sensitive information to be stored in data lakes and analysed by artificial intelligence (AI) systems. The current separation of security duties across all these environments is not sustainable and is comparable to a balloon in a box of pins; at some point the security bubble will burst. The role of the Security Manager must now be to understand the growing number of threats to the organisation’s operational infrastructure and ensure the risks to the business success are managed effectively. Being skilled in one discipline - IT Security, Physical Security or OH&S is no longer viable. The new breed of Security
