ATLANTA — One of the declarations made clear at ISSA International Conference 2018 was that basic, preexisting security measures are no longer adequate to protect advancing technology — companies must instead turn to innovative solutions to maintain security infrastructure.
One interesting idea: Take lessons from the Department of Defense (DoD) for corporate data security. Jeffrey Man, a senior infosec consultant at Online Business Systems, presented a session at ISSA International Conference 2018 where he provided concrete tips to taking the DoD’s approach — even for companies that scoff at the idea that they need this maximum-level cybersecurity.
Man certainly spoke from experience: During his more than 30 years in computer, network, and information security, he held various security research, management and product development roles with the NSA and the DoD, as well as private-sector enterprises.
Write things down
He advised that companies start with identifying what, exactly, makes their network insecure. Man cited a list of common vulnerabilities, including decentralized administration, lack of resources and no written corporate security policy that every employee — from CIO to admin — could follow.
“A lot of companies in the commercial world have never sat down and struggled with the question ‘What are our goals for security?'” Man said during his ISSA International Conference 2018 session, titled “Does DoD-Level Security Work in the Real World?”
Part of the DoD commitment to security begins with developing goals and strategies to protect data. What data is vulnerable? What data is most valuable? If you are responsible for protecting PII and consumer data, parse out how this data will remain confidential, secure and legitimate.
Man urged that companies consider technology only part of their security policy — outlining goals then choosing programs that support your company’s infrastructure, not the other way around.
“Information security starts with understanding what your goals are, your approach is, and then you start talking technology to pick the right tools and solutions,” Man said.
Use the DoD risk equation
The DoD, in an effort to create a simplistic method of assessing risk, created an equation to outline how to assess risk to data, intellectual property and personal information, Man said. The formula states that risk is a function of vulnerabilities and threats that must be offset by countermeasures or security.
“When you apply risk to a commercial company, you’re talking about making money, minimizing cost, and [protecting] corporate reputation,” Man said.
Analyze each portion of the equation separately, Man said. How is your company handling vulnerabilities? Monitoring existing and future threats? What countermeasures have worked in the past?
Every element of the risk equation has a cost, and companies have to analyze where their IT budgets are going — and how effective those investments are. Trying to secure data using security systems that seek to eliminate vulnerabilities without stacking up appropriate countermeasures, for instance, creates weaknesses in security, Man said.
While security-in-depth is not a new idea, Man told the audience of ISSA International Conference 2018 that layers of protection to security is a DoD-centric approach most companies can implement very effectively.
“If you are focused, you start to protect information in layers and depth — not necessarily on just a technical level,” Man said.
Jeffrey Mansenior infosec consultant, Online Business Systems
The DoD layers consisted of both technical and “perimeter” security. Alongside data security technology, the DoD also implemented a rigorous perimeter security system consisting of alerts, employee education and implementing what Man called a “culture of security.”
It’s important to make employees understand that what they do matters when it comes to protecting the security goals of the organization. While transparency and security don’t often go hand in hand, corporate execs need to maintain a company-wide understanding of security measures, he said.
“Everyone in the DoD understood what all the layers were, understood why they were there and important and why they needed to follow the rules,” Man said.
“They knew there was no taking shortcuts because that would cause a weakness and create a vulnerability that might someday get exploited.”
Man urged execs to not treat security as a one-time investment of energy, time and money, but instead to create an ongoing, systematic approach that changes with industry requirements, federal legislation and evolving security breaches and risks.
“Security is a verb,” Man said. “It’s something you do constantly.”
This lifecycle begins by considering the goals of your company and assessing where you are in the process, Man said, and urged the audience to adhere to the DoD’s first principal: “Write it down” to document the company’s privacy and security strategy. This leads to easier evaluation and the ability to make targeted changes.
“There are [security measures] in the DoD that worked, that were learned over generations of trial and error and failure, and can apply to the whole private corporation,” Man said.