My thanks go to Rafal Los for inviting me to guest on his fantastic blog Follow The White Rabbit on 30th June! I always look forward to reading new posts on FTWR, so actually being on it was a great honour! I work for an acquiring bank, and whilst I am particularly interested in the security of card payments, infosec is the same everywhere. Everyone has to "do" compliance in one way or another, and we all live in a very challenging socio-economic environment... I note with pleasure that the debate is starting to move towards risk management, so here's my take on it. I hope you find my ramblings of use...
We're all in it together...
Increasingly, I am being asked by my customers to help with their customers' awareness of the threats that we are all trying to fight. In the UK, when cardholder information is compromised, consumers are well protected by the current legislation and regulations, and they are all aware of this.
However, when their identity gets stolen, it's a whole different and personal matter: they will immediately hold their service providers accountable for the personal information that has been entrusted to them and they have immediate power to communicate their views through all the social networks they belong to.
Because consumers will demand that organisations protect their personal data, businesses will more easily come to understand and appreciate the long-term business value of information protection rather than viewing it only in terms of compliance.
To gain understanding and trust, businesses must move away from compliance to promote how they safeguard the personal information of their customers so investment in information security is driven by business reality. They must also help customers understand how they can help themselves in this process.
In the months and years to come, we can expect increased scrutiny of corporate risk management practices. In response to this, businesses will strive to understand their risk profiles and whether the risks taken are within the enterprise's risk appetite and tolerance thresholds. Companies must therefore attempt to quantify, control, and mitigate risks that previously were not even considered.
Lesson 1. Understand your risk profile
A lot of progress has been made in mapping regulations (e.g. Data Protection) to risk management standards (e.g. ISO 27001) and data security controls (e.g. PCI DSS), establishing standards and best practices for mapping regulations to standard controls.
Threat scenario modelling and information asset risk categorisation are good tools to use in this space. IT and operational controls based on compliance requirements alone are no longer sufficient and businesses must look at their people, their processes as well as the technologies that can help them.
Lesson 2. Make risk management your objective, compliance will come naturally
I have always believed that PCI DSS represents a good set of basic information security controls that can be used in the wider information security space (i.e. not just cardholder information).
I also believe that PCI DSS brings a quantitative dimension to qualitative frameworks such as ISO 27001. If businesses limit their focus to compliance alone instead of the broader risk management picture, they are likely to make the same (expensive) mistakes time and time again and, as a result, find themselves reacting to crises.
Lesson 3. Avoid quick fixes and silos (i.e. don't panic!)
Companies that have successful risk management strategies have replaced quick-fix, discrete compliance initiatives with solutions that facilitate the handling of short-term needs while providing a foundation for an integrated long-term solution that is flexible enough to support multiple regulations and new functionalities.
I firmly believe that this can only be successful with 1) taking it one step at a time and 2) automation using solutions that are able to support the predefined mapping of multiple regulations. I classify such solutions in the broad category of Governance, Risk and Compliance (GRC) tools.
Lesson 4. Automate
The major source of failure of information security initiatives is the inability of organisations to move activities to a business-as-usual operational framework.
Businesses should look for GRC solutions that are easy to deploy, require no customisation and are simple to upgrade. By taking such an approach, organisations will be able to extend the same automated, risk-based approach beyond PCI DSS to other regulations, including the Data Protection Act or Sarbanes-Oxley and other privacy requirements.
The new GRC solutions can help businesses move from reactive to proactive compliance that is based on real, as opposed to theoretical threats. A beneficial side effect is that compliance will be achieved in a much more cost-effective and efficient way, giving a much more effective competitive position in our increasingly regulated environment.
Lesson 5. Educate
I have always been an advocate of education and awareness in this field, and organisations will have to ensure that training and education of their own staff and customers are firmly on the agenda, as well as the implementation of sound security policies and practices.
As we have seen earlier in this article, a lot could be achieved by using simple proactive measures. However, it is true that more collaboration in the industry and government as a whole is needed in this space.
From compliance to risk management...
I believe that good governance benefits small and large companies alike as the principles of effective governance remain the same as companies get bigger. It is true, however, that smaller organisations may have difficulties implementing some of the practices presented earlier because of their size and economic status.
For these reasons, smaller companies may need more time and additional resources, including education and training, to make meaningful advances in effective corporate governance. It is, however, in their self-interest to begin to do so and we at Barclaycard are committed to providing help and advice.
Finally, the 2011 Verizon DBIR concluded that being prepared remains the best defense against security breaches. For the most part, as we have seen, organisations still remain slow in detecting and responding to incidents. Nearly two-thirds of breaches continue to be uncovered by external parties and then only after a considerable amount of time.
As an example, we know that most organisations that have suffered a breach will have evidence of it in their security logs, but these often get overlooked due to a lack of staff, tools or processes.
My parting advice: don't spend £100 protecting a £1 asset, know your risk, fix the basics first, and be prepared...
Neira Jones, Head of Payment Security, Barclaycard, Global Payment Acceptance - firstname.lastname@example.org
Cross-posted from Following the White Rabbit