Information Security Objectives: 8 Tips for CISOs

What Are the Fundamentals of Information Security?

The primary information security objective is to protect information assets against threats and vulnerabilities, to which the organization’s attack surface may be exposed. Taken together, threats and vulnerabilities constitute information risk. Ensuring that security objectives are met and risk mitigated will benefit an organization by contributing to:

• Business continuity
• Operational Efficiency
• Cost Effectiveness

An adequate cybersecurity program should not only secure internal data that an enterprise considers confidential and/or proprietary, it should also protect the personally identifiable information (PII) of its customers. An example of PII is a consumer’s social security number, driver’s license number, even his or her email address. CISOs are hard pressed to implement cybersecurity measures that will ensure the information that they process is secure, and adheres to the standard known as the CIA triad: Confidentiality – ensuring privacy is a crucial data security objective. Confidentiality involves restricting data only to those who need access to it. Encryption and setting passwords are ways to ensure confidentiality security measures are met. Integrity – making sure that the data in an organization’s possession is accurate, reliable and secured against unauthorized changes, tampering, destruction or loss.  Availability – private information is available for anyone who is authorized to access it, such as when a customer requests to view his or her profile. CISOs should ensure that an organization achieves the fundamental objectives of information security, which also includes nonrepudiation. In enforcing nonrepudiation, a business will have the ability to prove that a transaction or communication occurred. Both parties sending and/or receiving information agree that an exchange took place. Digital certificates with cryptography can serve as official proof.

Eight Tips to Ensure Information Security Objectives Are Met

1. Outline an Information Security Strategy

An effective strategy will make a business case about implementing an information security program. A description of security objectives will help to identify an organization’s security function. Taken together, security functions should produce clear beneficial outcomes that align with key business objectives, e.g. a return on investment (ROI) on risk reduction. Once your security function is outlined, measure its impact across the business. Compile security requirements and get to know what people, processes and infrastructure are needed to fulfill them.

2. Define Security Objectives Early On

The earlier you set security controls and restraints, the better off you will be at preventing a data breach. Planning security objectives will drive all future cybersecurity activities, including decision making. An example of a security objective is: to provide a secure, reliable cloud stack storage organization-wide and to authorized third parties with the assurance that the platform is appropriate to process sensitive information. Use plain, concise and logical language when writing your information security objectives.

3. Measure Information Security Function Outcomes

Develop metrics to set cybersecurity maturity level baselines, and to measure information security management system (ISMS) capabilities against future state capabilities as defined in an organization’s business requirements. Metrics will help CISOs to define their cybersecurity strategies and determine an enterprise’s acceptable level of information security risk – with likelihood and impact considered. Use an established, global standard such as ISO 27001 to establish quality metrics, e.g. system uptime with a target availability of 99.5%. Set key performance indicators (KPIs) to validate that your cybersecurity objectives are being met.

4. Conduct a Cost Analysis

Estimate planned cost and potential risk costs. For example, a CISO will emphasize operational costs with an understanding of the potential cost tied to disastrous events. Factor in security objective costs, such as asset protection, forensics investigation and/or litigation.

5. Define Your Informational Security Policy

Implementing a security policy will clearly identify the information assets and systems that your organization must protect. Policy should apply to physical, personnel, administrative and network security. Information security policy will set rules and expectations for users to protect information assets and systems. It also provides a foundation for security planning pertaining to systems and applications.

6. Secure the Four Layers of Information Security

The four layers represent the way information flows within and between systems. Securing each of the four layers include: setting application, infrastructure and physical access with restrictions and ensuring data in motion is protected. One method to secure the four layers is encryption.

7. Implement an ISMS

An ISMS includes the documents, people, processes and technology that ensure information security occurs within an organization. Implementing an ISMS is time-consuming and requires input and participation from the entire organization. Fortunately, participation from senior leaders and other key personnel requires only a working knowledge of cybersecurity, not subject matter expertise. Innovations in threat modeling by ThreatModeler, for example, allows for out-of-the-box building of architecture process flow diagrams. While technical subject matter experts leverage automated threat modeling to build architecture representations, CISOs, stakeholders and board members benefit from ThreatModeler’s reports to inform financial or strategic decisions. All involved personnel will work to manage, monitor and continually improve upon the ISMS. Be prepared to evaluate the results of your ISMS implementation. In addition to creating documentation, building an ISMS involves:

• Conducting gap analysis
• Scoping the ISMS
• Performing a risk assessment
• Selecting adequate controls (for Statement of Applicability)
• Arranging a risk treatment plan
• Creating a training and staff awareness program
• Implementing, managing and continually reviewing the ISMS

Know Your Information Security Capability and Outcomes

Your security metrics will help your organization to articulate its security capability, from which to establish ways to improve upon an organization’s ISMS. Clearly understand any constraints such as regulations set forth by legislation. Maintain documentation that clearly conveys outcomes such as data breach events (or lack thereof). Know the cost of each outcome, e.g. cost of litigations resulting in a cyberattack. To measure an enterprise’s reputation, consider conducting customer satisfaction surveys. Current capability and outcome will guide future information security strategies.

Enlist the Industry’s Leading Threat Modeling Tool to Mitigate Security Risk

ThreatModeler Cloud Edition enables users with little-to-no subject matter expertise to build threat models which describe cloud infrastructure security threats. Using automation, ThreatModeler can address potential threats in various cloud environments, including AWS and Microsoft Cloud Azure. Gain an understanding of your organization’s entire attack surface to manage cybersecurity risk. To learn more about how ThreatModeler™ can help your organization build a scalable threat modeling process, book a demo to speak to a ThreatModeler expert today.

10 FAQs About Security Objectives for CISO’s