enterprisesecuritymag

Clear Focus Areas Required For Information Security

By Jan Billiet, Director IS Security & Risk Management, Philip Morris International

"May you live in interesting times!" Today’s information security profession appears overburdened with the challenges brought by cloud computing, personal data protection, social networking, advanced persistent threats and all other things cyber. Maybe these are just the symptoms of our challenges. In any case I think their resolution is way beyond the reach of any one security technology or service alone.

Certain focus areas may be useful for information security organizations moving forward:

1. Information security must be simultaneously device, data and person centric.

Sustainable information security implementations – be it as frameworks, organization, processes, technologies or services – need to be designed and operated from the questions: where are our higher-risk knowledge workers, their computing devices and services, and the data they process, and what do we do about them? An information security team that only focuses on one-size-fits-all policies and awareness will be ineffective. Similarly, one exclusively focused on technical necessities such as software patch management, certificates and network security, risks being blindsided by the intricacies of protecting unstructured data.

2. More than ever, information security is about intelligence:

Gathering, processing, sharing and acting upon intelligence, lots of it and faster. I mean not only the typical software vulnerability information from channels such as managed security service providers. Intelligence includes harvesting, normalizing and adding business context to many internal and external sources of information security data: configuration management systems, risk assessment databases, scanning tools, identity and access management systems and behavioral monitoring solutions to name a few. Several initiatives we have embarked on at Philip Morris International are essentially about making the security state and activity of things visible and actionable every day. Getting there involves iterations of standardization, centralization and automation as well as robust BI solutions and skills to make business sense of millions of records about security configuration settings, complex access permissions, control maturity levels and much more.
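
To make "normalizing and adding business context" concrete, here is a small Python illustration written for this page; it is not code from the article or from Philip Morris International. It takes two constructed exports with different shapes (a configuration scan and an identity and access management report), maps them onto one common control record, looks up the owning business unit and asset criticality from a constructed inventory, and rolls the result up into a criticality-weighted daily compliance KPI plus a short list of the failures worth raising first. The source names, field names, the 90-day privileged access review SLA and every sample record are assumptions made for the example.

```python
"""Normalize security telemetry from several tools, attach business context
and roll it up into a daily control-compliance KPI.

Added example for this page. Not code from the article or from Philip Morris
International; every source, field name and sample record is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed business context as an asset inventory / CMDB would provide it:
# asset -> (business unit, criticality). Criticality weights the KPI so that a
# failing control on a high-value asset counts for more than one on a lab box.
ASSET_CONTEXT = {
    "fin-db-01": ("Finance", "high"),
    "hr-app-02": ("HR", "medium"),
    "lab-vm-07": ("R&D", "low"),
}
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class ControlRecord:
    """Common schema every source is normalized into."""
    asset: str
    control: str          # e.g. "patch-current", "privileged-access-reviewed"
    compliant: bool
    source: str           # which tool the record came from
    business_unit: str
    criticality: str


# Constructed sample exports from two tools with different shapes.
CONFIG_SCAN_EXPORT = [
    {"host": "fin-db-01", "check": "patch-current", "result": "PASS"},
    {"host": "fin-db-01", "check": "disk-encrypted", "result": "FAIL"},
    {"host": "hr-app-02", "check": "patch-current", "result": "FAIL"},
    {"host": "lab-vm-07", "check": "patch-current", "result": "PASS"},
]
IAM_EXPORT = [
    {"resource": "fin-db-01", "privileged_accounts": 2, "last_review_days": 20},
    {"resource": "hr-app-02", "privileged_accounts": 5, "last_review_days": 120},
    {"resource": "lab-vm-07", "privileged_accounts": 1, "last_review_days": 400},
]


def _context(asset):
    # An asset missing from the inventory is itself a finding: unknown owner.
    return ASSET_CONTEXT.get(asset, ("Unknown", "medium"))


def normalize_config_scan(rows, source="config-scan"):
    out = []
    for r in rows:
        bu, crit = _context(r["host"])
        out.append(ControlRecord(r["host"], r["check"], r["result"] == "PASS",
                                 source, bu, crit))
    return out


def normalize_iam(rows, review_sla_days=90, source="iam"):
    # Assumed policy: privileged access must be re-certified within 90 days.
    out = []
    for r in rows:
        bu, crit = _context(r["resource"])
        out.append(ControlRecord(r["resource"], "privileged-access-reviewed",
                                 r["last_review_days"] <= review_sla_days,
                                 source, bu, crit))
    return out


def compliance_kpi(records):
    """Criticality-weighted compliance rate per business unit, rounded to 3 dp."""
    weighted = defaultdict(lambda: [0, 0])   # bu -> [compliant weight, total weight]
    for rec in records:
        w = CRITICALITY_WEIGHT[rec.criticality]
        weighted[rec.business_unit][1] += w
        if rec.compliant:
            weighted[rec.business_unit][0] += w
    return {bu: round(ok / total, 3) for bu, (ok, total) in weighted.items()}


def top_risks(records, limit=3):
    """Failing controls, highest criticality first: the list a daily meeting acts on."""
    failing = [r for r in records if not r.compliant]
    failing.sort(key=lambda r: (-CRITICALITY_WEIGHT[r.criticality], r.asset, r.control))
    return [(r.asset, r.control, r.source) for r in failing[:limit]]


def daily_report():
    records = normalize_config_scan(CONFIG_SCAN_EXPORT) + normalize_iam(IAM_EXPORT)
    return compliance_kpi(records), top_risks(records)


if __name__ == "__main__":
    kpi, risks = daily_report()
    for bu, rate in sorted(kpi.items()):
        print(f"{bu:8s} weighted compliance {rate:.1%}")
    for asset, control, source in risks:
        print(f"FAIL {asset} {control} (from {source})")
```

The point of the weighting is the one the paragraph makes: a raw pass/fail count would rate the lab VM and the finance database equally, while the business-context join lets the same records answer "where are our higher-risk assets and what do we do about them" every day, and any asset that lands in the "Unknown" business unit is a data-quality gap to close before the KPI can be trusted.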

3. Information security must contribute to IT and business results.

Necessary practices such as classification, segmentation, assessment and data mining can and should enable information security teams to contribute to productivity insights and initiatives, for example by rationalizing controls or curbing system and data sprawl. There is also no reason innovation, speed-to-market and collaboration should be notions foreign to our lexicon and competencies.

4. Our stakeholders expect positive assurance about information security.

The absence of virus outbreaks or audit findings within a proprietary network inspires only so much executive management confidence when cyber surveillance, industrial or commercial espionage and critical national infrastructure are persistent media and regulatory concerns. Best practices become the management standard: continuous control monitoring, daily KPIs, dynamic risk assessments, recurring benchmarks, security vulnerability testing across internet and mobile assets, rigorous due diligence at third-party service providers, cyber war gaming and several other activities wrapped up into multi-level governance meetings and executive briefings.