Updating Internal Processes
There are multiple aspects of improvement that can be brought to an internal process.
Organizations continue to experience cyberthreats that hold the potential to disrupt business operations and service to customers. A vast majority of those threats can go undetected, or they are detected too late for an organization to avoid exposure and the associated risk.
IMPORTANT MEASURES
In developing internal cybersecurity processes, it is not enough to prepare for the threats one believes one knows. One should also work to prepare for unknown threats. Hackers will continue to rise, and the tools and techniques they use to hack and achieve their goals show extreme sophistication. An organization needs to determine its crown jewels and the investment required to protect them. It is important to prioritize the crown jewels not on the basis of a business continuity plan, but on considered risks.
Crown jewels can reside virtually anywhere: in the cloud, on mobile devices or with business partners. An organization should have a cyber threat intelligence (CTI) capability that helps in identifying, detecting and responding to threats. A proactive approach is required to seek new sources of information and new ways to interact with peers to identify trends and tactics. It is necessary to monitor and review logs and trails to gain insight and detect threats early. It is also imperative to make security awareness a priority: an awareness of threats, risks, challenges and solutions within every department inside your organization and within every partner organization. It is equally necessary to explain the security challenges and rules in a language that employees understand. Awareness should be more interactive and ongoing, and should make threats seem more concrete.
Organizations know their critical assets, but that does not make them secure. Vulnerabilities are known both to hackers and to the organizations they target. Patch holes, focusing on critical holes as well as holes that might not seem critical but that are known.
Pawan advises that organizations need to be prepared for the unavoidable: “Most organizations have security incident management processes in place. But few have tested these processes. One must know how departments will work together during a cyberattack. It is important to know how you will engage regulators, partners and observers. Simulate incidents, bring in a
Says Sourabh: “I feel that ownership of improving internal processes should go beyond the CISO or the security team and its onus needs to be taken by other stakeholders of the organization as well. Documentation needs to be detailed. Process documentation with detailing on security guidelines, procedures, etc. is a good beginning.”
IMPROVEMENT PROCESS
There are multiple aspects of improvements, which can be brought to an internal process. When we look at a process to identify how we can improve upon the throughput, the journey starts with the following considerations:
The objective of the process and its impact on business metrics and value chain.
Establishing the purpose of the process and identifying how critical it is in the value creation chain, which stakeholders the process impacts, and which business metrics are impacted or controlled by the process performance.
This exercise itself at times leads to dropping a process or identifying the need to have a process to take care of the steps not being tracked.
Anjana Rao suggests some improvements in the process: checking the process performance, whether the process is delivering the desired outcome, and analyzing the variations in the outcome, if any. The analysis of variation provides an insight into the opportunity for improvements and whether the metrics need to be revisited. It will lead to identifying the avenues to optimize the process and reviewing the value stream maps. She says value stream maps always provide insight into eliminating wait time owing to handshakes; reduction in TATs and capacity creation; automation of repetitive tasks, which means lower cost and more scalability; waste identification, meaning lowering the cost; optimal utilization of allocated resources; elimination of manual interventions, which will avoid repetitive tasks; risk mitigation and compliance to avoid operational losses and loss of repute; ease of transaction, that is, simplifying processes; segregation of duties, meaning workflow distribution; clear definition of process performance metrics, which is the unit of measure clearly defined with SLAs; and reduced variations, which will drive consistency within and between processes.
Kiran points out that security is a moving target. He says it is important to impart principles of cyber hygiene to employees through user training, to measure the efficacy of that training, and to revisit internal policies such as access management, vulnerability management, backup strategy, the cyber crisis response plan and the security operations centre, and to have the right KPIs. He also suggests getting covered under cyber insurance to safeguard against potentially costly outcomes.
FOCUS ON SECURING CORE
Today there is this issue of information overload, which is creating blind spots that can prove fatal to an organization. There is, therefore, an urgent need to identify the organization’s crown jewels and focus on securing the core the most.
Kalpesh feels that it is necessary to realize that we cannot and should not grant every organization asset the same level of importance. He cites the example of food, which is the most important and essential commodity and which still is not stored in safe vaults. “Similarly, CISOs will have to evolve and identify which of their assets need the most security. These assets will be the ones which, if compromised, can have a catastrophic impact on the organization and challenge the very survival. There is a need for the risk-based approach to security decisions, not the other way. Risk treatment includes risk elimination, mitigation, transfer, and acceptance. Every risk cannot be eliminated or mitigated if you must even remain competitive in the marketplace,” says he.
defined and agreed upon and there is a clear implementation path. This will not only help them get their basics right but also free the more experienced people to tackle critical challenges.”
With more automation, staff with lesser experience will be empowered to think outside the box. They will be enabled to manage processes and handle tasks like monitoring and managing process exceptions. Anjana Rao says: “Applying tools to perform root cause analysis and drive continuous process improvements will enable and provide access to standard operating procedures, which in turn will enable lesser tenured associates to take accurate decisions. In addition, there can be mentoring programs (‘be my mentor programs’) that can empower lesser tenure associates for taking up complex situations. This is like identifying high potential within the lesser tenure staff to fill in for the senior associates.”
Currently, SOC is seeing an unprecedented increase in volumes of alerts that are generated by security tools. Kalpesh adds: “I believe there is a huge scope for RPA as the demand and supply gap for security resources is otherwise too wide. CISO teams must be battle-ready and hence, I believe every team member has an equally important role to play in securing organization assets.”
IDENTIFYING CROWN JEWELS
In ideal situations, once an organization’s crown jewels are identified, one needs to ensure that one has the best teams always monitoring them. Not every organization asset is critical; hence, new talent and upcoming leaders can be given those responsibilities to harness their skills and be battle-ready.
control, RASCI Matrix, cost-benefit analysis, etc.)”
Kalpesh says organizations must remember that no single tool in the world can protect their organizations from all threats out there. The important thing is to build a security culture in the organization, which will form the basis for a strong foundation. Eventually, the tools and processes one implements in the organization will have to be ones that align with one’s culture, priorities and skills availability. “A great security tool poorly configured is way worse than an average or even open-source tool configured optimally and where the teams have the skills to make use of every feature available in the tool. Productivity for security teams can be greatly enhanced by striking a balance between people, process, and technology,” says he.