The Responsibilities of an Information Security Leader
By Joshua Cloud, Director of Information Security, NFI Industries
As information security leaders, we believe it’s our duty to ensure that our organizations understand the risks associated with technical decisions, to provide the best guidance to mitigate these risks, and to be the agents of change toward a more secure future. People depend on us to have a strong understanding of the security space and to maintain our own personal integrity in the boardroom, for our employees, and for our customers. We need to remember to focus on the “must-haves”, identify new risks arising from changes in the business, leverage the latest technologies, and be honest and ethical even when no one is looking.
The modern user wants the freedom to work from anywhere in the world, on any device, and, often, on platforms of their choosing. Mobile device management software and containerization capabilities are an absolute must-have to help organizations maintain some semblance of control over their data on these devices. When configured properly, this software can greatly reduce the likelihood of any compromise of information confidentiality when a device is lost or stolen or an employee leaves the organization. It’s important to understand the impact of such an event in order to right-size your organization’s investment in these tools.
Multi-factor authentication (MFA) is an excellent security tool to help reduce the impact of compromised credentials. However, these systems often add friction, sometimes excessive friction, to the normal login process. As a result, widespread adoption in organizations is often challenging. A possible alternative to across-the-board MFA is to implement some form of adaptive step-up authentication. This approach challenges the user for additional factors of authentication only when certain higher-risk functions are being attempted. In fact, some banks are already doing this. When you attempt to initiate a large money transfer, the bank may require you to type in a one-time SMS-delivered passcode to further confirm your identity. This creates less friction overall and still provides a significant reduction in risk.
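The step-up decision described above, as an added example (not the author's code or any bank's system). The action names, transfer threshold, and time windows are assumed values, and clearing the passcode after any attempt is a design choice of this example.

```python
import hmac
import secrets
import time

# Assumed policy values, chosen for illustration only.
HIGH_RISK_ACTIONS = {"add_payee", "change_password"}
TRANSFER_LIMIT = 1000.00      # transfers at or above this need step-up
STEP_UP_FRESHNESS = 300       # seconds a completed challenge stays valid
OTP_TTL = 120                 # seconds an issued passcode stays valid

class Session:
    def __init__(self):
        self.stepped_up_at = None   # time of last successful challenge
        self.pending_otp = None     # (code, expires_at) or None

def needs_step_up(session, action, amount=0.0, now=None):
    """True when the action is high risk and no recent challenge covers it."""
    now = time.time() if now is None else now
    risky = action in HIGH_RISK_ACTIONS or (
        action == "transfer" and amount >= TRANSFER_LIMIT)
    if not risky:
        return False
    last = session.stepped_up_at
    return last is None or now - last >= STEP_UP_FRESHNESS

def issue_otp(session, now=None):
    """Create a one-time passcode; the caller delivers it out of band."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    session.pending_otp = (code, now + OTP_TTL)
    return code

def verify_otp(session, submitted, now=None):
    now = time.time() if now is None else now
    pending, session.pending_otp = session.pending_otp, None  # single use
    if pending is None or now > pending[1]:
        return False
    if not hmac.compare_digest(pending[0].encode(), submitted.encode()):
        return False
    session.stepped_up_at = now
    return True

def authorize(session, action, amount=0.0, otp=None, now=None):
    """Return 'allow', 'challenge' (caller issues an OTP), or 'deny'."""
    if not needs_step_up(session, action, amount, now):
        return "allow"
    if otp is None:
        return "challenge"
    return "allow" if verify_otp(session, otp, now) else "deny"
```

Low-risk actions never trigger a challenge, and a successful challenge covers further high-risk actions only for the freshness window, which is where the friction saving over across-the-board MFA comes from.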
The proliferation of IoT devices, with their notoriously immature patch and vulnerability management practices, presents a somewhat unique challenge. These devices are often in very close proximity to our most prized data, yet there is little confidence that the endpoints themselves are not littered with exploitable vulnerabilities and/or avenues for pivoting that are accessible to someone in the product’s supply chain. Isolating these devices from both internal and external connectivity with the strictest of technical controls, such as firewall policies and access-control lists, is an appropriate and recommended first step to mitigate most of the risk. Innovative, connected security technologies that use machine learning to learn and analyze behavior in real time are also good to layer on, so that your security professionals are made aware when something is amiss.
Our responsibilities as information security leaders don’t end at the technical stack. Many of us work in regulated environments, which help drive certain aspects of our programs. We often help enforce less popular policies and controls designed to ensure compliance and alignment with executive leadership. We have tough conversations with the board when gaps are discovered. We’re trusted with access to very sensitive information where confidentiality is imperative. Many of us also use tools today that collect massive amounts of data on our employees and customers. It’s critical that we maintain the absolute highest standards of ethics for ourselves, our staff, and our peers. In this modern world of big data and an increased reliance on digital engagement, we need to maintain focus on confidentiality, integrity, and availability—for both our information and ourselves.