Which factors are needed for information security?

The average number of cyberincidents per year in industrial enterprises has increased significantly over the past few years. Our colleagues conducted a survey, speaking with employees of industrial enterprises from 17 countries around the world. They asked questions about cyberincidents and the attitude toward cyber risks. As a result, they were able to identify seven factors that significantly mitigate the outcomes of the incidents.

Availability of a specialized OT security department

Almost every industrial enterprise has an operational technology (OT) security team of some kind. However, often instead of creating and funding an OT security department, the job is assigned to IT security or even general IT departments. These departments do not always understand the specifics of the operational technologies enough to provide the necessary level of protection. To minimize both risks and consequences of incidents in industrial networks, an enterprise needs a well-resourced and appropriately qualified OT security team.

Clearly structured decision-making process

Often problems in an industrial enterprise arise due to organizational mistakes, when the management of security is divided between departments that are not related to each other. As a result, companies purchase security solutions that duplicate each other’s functions, visibility of the industrial process becomes less than adequate, data collected from the endpoints and sensors is used inefficiently, and the implementation of new projects is delayed due to intricate approvals. This is all without mentioning the fact that the OT and cybersecurity departments are starting to compete for budgets.

Having a legacy infrastructure management strategy

Industrial control systems (ICS) often use equipment that was created before people had a rough idea of what level of digitalization modern industry would come to. Therefore, it is necessary to be extremely careful in building a control system for an array of outdated industrial networks, programmable logic controllers, supervisory control and data acquisition (SCADA) systems, and other OT elements. They should all be inventoried, and security specialists should regularly scan such equipment for critical vulnerabilities or failures resulting from wear and tear.

Introducing security solutions designed specifically for industrial environments

It is impossible to ensure the security of ICS environments using standard cybersecurity solutions. They will effectively cope with random general cyberattacks, but they will not detect threats specific to industrial processes. Moreover, sometimes they can negatively affect the continuity of technological processes. To avoid this, you need solutions that were specifically designed for industrial environments.

Having an OT/IT convergence strategy with IIoT in mind

The increasing digitalization of industrial processes implies an increase in the level of integration between OT and IT environments. Key elements of this integration are the use of Industrial Internet of Things (IIoT) devices, public cloud services and IIoT gateways. All these elements often become a vulnerability through which attackers can reach industrial systems. It is not realistic to stop this process of digital evolution, therefore it is necessary to develop a plan to securely integrate operational and information technologies in advance.

Rapid incident response

One way or another, incidents are unlikely to be completely avoided. But when they do happen, it’s vital that the problem is identified and coped with as quickly as possible. The faster it is done, the less it will cost the company both financially and reputationally. Therefore, it is especially important for industrial enterprises to have mature rapid response rules and a team that is able to do it.

Taking staff training seriously

Lastly, you should not forget about the importance of security-centric behaviors of the company’s employees. If you want to minimize impacts of the security-related incidents, you probably need to train your staff in security basics and strictly monitor the compliance with internal regulations. One way or another, the human factor is behind the vast majority of incidents: someone used a compromised personal password, someone connected a phone to a computer behind an air gap, someone clicked on a link to malicious website and so on. People must clearly understand what can and cannot be done at an industrial enterprise, especially if it is a critical infrastructure facility.

You can find the complete results of our survey 7 Keys To Improving OT Security Outcomes: Kaspersky ICS Security Survey 2022 after completing a brief form.

A sampling of 80 (ISC)2 members surveyed by the Institute for Applied Network Security (IANS) found that the group scored very well on technical excellence, but were a bit behind the broader IANS sampling of 1,000 on organizational engagement.

While technical excellence focuses on specific security products and services deployed, organizational engagement refers to the processes in place at a company for how information security aligns with the business.

Stan Dolberg, chief research officer at IANS, and IANS CEO Phil Gardner, presented the findings during a session at the (ISC)2 Security Congress in Orlando last week.

Gardner added that organizational engagement will grow in importance as CISOs interact with more groups and divisions within an organization.

“We found that the rise of the dotted lines to the other parts of the organization was stunning,” says Gardner. “Some 80 percent of the (ISC)2 group do some type of reporting outside of IT, which compares to half of that with the general dataset.”

IANS breaks organizational engagement into seven factors. Here’s a list of the seven factors and how the (ISC)2 members fared compared to the broader group.

Factor 1: Gain Command of the Facts

By gaining command of the facts, the (ISC)2 members were rated on the way the CISO and team executed the following: identified the kinds of threat and risk data used; identified the threats and risks to those assets and processes; assessed the strength of controls against those risks; and achieved consensus with top management on those assessments.

In addition, IANS measures to what extent the CISO has linked that information to data from incidents the company experienced, and whether they have modeled that data and developed predictive models. IANS also examines if the company has validated those predictive models, and whether they have developed a planning tool that the CISO can use to help identify potential exposures in new business initiatives. 

Compared with the overall dataset of 1,000, the highest performing (ISC)2 respondents were lower on two of three of the criteria, particularly on building an outlook for the future around the risk profile.

Factor 2: Get Business Leaders to Own the Risk

IANS says that the CISO organization exists to help top management manage information security risk. But the CISO organization can’t “own” all the risk.

New business initiatives create new exposures and getting business leaders to own those exposures and be accountable for them leads to more productive interaction and timely risk assessments than if the CISO was responsible for all the information security risks.

Here are a couple of ideas: Dolberg says while it’s not the norm, some organizations are now tying compensation to how a business unit performs on information security issues. The more business units take ownership of information security, the better. Companies are also running simulations of an information security event so the business staff can develop a broader understanding of the issues.

Relative to the overall dataset, the highest performing (ISC)2 respondents scored higher on three of the four criteria for getting the business to own risk, particularly on use of simulations to gain executive buy-in, and on setting clear risk stewardship policies.

Factor 3: Embed Information Security into Key Business Processes

This factor looks at the extent to which the CISO and team have embedded information security risk assessments into the important processes that produce new applications, systems, products, market entries, dependencies on third parties for managed services or cloud deployments.

The (ISC)2 sampling did very well on vendor selection. Embedding security into vendor selection means providing the infosec information to the legal and purchasing departments so they know what questions to ask when signing on with a new vendor. For the (ISC)2 sampling, if vendors want to sell to their organizations, infosec has to be an important part of the criteria.

Relative to the overall dataset, the highest performing (ISC)2 respondents scored lower on three of the four criteria for embedding infosec. However, they scored higher on embedding security into vendor selection.

Factor 4: Run Infosec Like a Business

To have credibility with the corporate leadership, IANS found that it’s necessary to run the CISO organization like a business.

IANS evaluated the (ISC)2 members on budgeting, personnel management and project management. Not surprisingly, the (ISC)2 group did very well on project management and were basically on par with the other tasks.

The (ISC)2 members were able to demonstrate skilled and agile use of resources, including managing consultants and contractors. They also can propose, staff and execute projects on time and on budget.

Compared to the high performers in the overall dataset, the highest performing (ISC)2 respondents scored on par with the overall dataset on running information security like a business.

Factor 5: Develop a Technical and Business-capable Team

On this factor, the (ISC)2 group scored lower than the overall dataset on the use of competency models built around technical, business and interpersonal skills, and somewhat lower on training managers on leadership.

IANS says the (ISC)2 group needs to better focus on developing a plan for building a team that can grow and represent the CISO, both on the scheduled projects and events that pop up unexpectedly.

Factor 6: Communicate the Value of Information Security

Success in this area depends on how well the CISO communicates the value of information security to the business groups so that it gets translated to the rest of the staff.

CISOs need to understand every aspect of the business. Based on the findings, it’s clear that the (ISC)2 sampling was able to describe security needs in very specific ways to business groups such as sales, software development and logistics.

The (ISC)2 group performed very well here, particularly on communicating the value of infosec and on stakeholder engagement.

Factor 7: Organize for Success

Information security grew out of IT, but the way the function has evolved touches on much more than just IT. While it’s not a trend yet, more CISOs now also report to the risk, finance and legal departments. Some even have the ear of the CEO.

The strongest and most successful companies will have CISO organizations that have lines of communication with as many departments and groups in the company as possible. The (ISC)2 sampling was on par with the rest of the dataset and even excelled in two areas: CISO dotted-line reporting outside of technology and contact with senior executives.

What is the need of information security?

Information security protects sensitive information from unauthorized activities, including inspection, modification, recording, and any disruption or destruction. The goal is to ensure the safety and privacy of critical data such as customer account details, financial data or intellectual property.

What are 4 types of information security?

There are four types of information technology security you should consider or improve upon:

  • Network Security
  • Cloud Security
  • Application Security
  • Internet of Things Security

What are the 5 components of information security?

It relies on five major elements: confidentiality, integrity, availability, authenticity, and non-repudiation.

What are the 3 major key components of information security?

When we discuss data and information, we must consider the CIA triad. The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability.