Written by Ibraheem Khan
My career in Information Security Consulting began for three reasons. The first: working with different businesses; learning and understanding how businesses in all sorts of industries operate is fascinating. What does the business specialise in, and what are their most critical assets? Secondly, being able to use the knowledge and skills I have acquired over the years to assist companies with their IT security posture. Thirdly, I really love the travel – a welcome bonus of the job!
Since becoming a consultant I’ve enjoyed other benefits too, such as client satisfaction: receiving positive feedback from clients, particularly from highly qualified and respected individuals, on the work I undertook is very rewarding.
It’s satisfying recognising the difference I’ve made to an organisation’s information security posture, so observing cultural change through information security awareness and training is another benefit of my role. As time goes on without governance and risk management, organisations generally implement projects and conduct business as usual (BAU) activities through bad habits (even though they have the best of intentions), such as not conducting due diligence on a third party prior to using their systems or sharing data. Observing even the smallest of changes, from employees locking their screens when they leave their desks or wearing ID passes within company premises, to asking for assistance with a supplier onboarding, is encouraging to see.
The challenges I’ve observed
Working for various clients has enabled me to take note of the challenges most organisations face; regardless of the industry, I have noticed these common themes:
Challenge one: managing the information security risk due to increased connectivity, use of new systems/applications, and operational changes, combined with slow adoption of information security alongside fast development and business growth in a short timeframe.
Challenge two: an increase of risk due to the vast amount of neglected legacy systems and applications which are now embedded in an organisation as critical assets without appropriate operating procedures or plans to migrate to a new version.
Challenge three: profit outweighing security controls. The point of a security control is to protect an asset. However, it is not unusual for some departments to reason that implementing a security control will lengthen the time to reach the end goal, thus losing out on potential business or profits, leading to the idea that not implementing a control is actually better for the business. This ideology is rather dangerous: without the correct level of security control protecting an organisation’s most valuable assets, the result can be the demise of the organisation.
Challenge four: lack of knowledge around the architecture of an organisation’s network. Most organisations do not have an up-to-date network diagram or a diagram highlighting the security architecture of the estate. Without current knowledge of the interconnectivity between networks, systems, and applications, the chances of being able to identify potential vulnerabilities or understand project scope are greatly reduced.
Challenge five: lack of management of information security in third-party suppliers. Third-party suppliers’ integrations and business relationships can be complex, interdependent, sometimes international, and evolving. This, combined with a lack of due diligence around how assets are protected and what assets are provided to a supplier, and total reliance on third-party suppliers, has led to more information exchange and consequently an increase in information security risk.
Challenge six: information security culture. Changing the culture within fast-paced organisations is an ongoing challenge. Most organisations want quick business changes and quick access to systems, applications, and other forms of information assets. Adopting a new culture which may impact and disrupt current BAU processes may be considered a hindrance, resulting in rejection.
Overcoming the challenges
When clients ask me to advise on the above challenges, I recommend the following:
1. Develop an information security culture, providing
knowledge and awareness to help people understand issues and allow them to take
ownership of information security, by:
- Encouraging employees to be security conscious at home and work
- Improving employee engagement to manage risk through understanding the potential impact of security incidents or attacks
- Encouraging the reporting of suspicious activities, reducing misuse of business information or systems, and improving incident response times
2. Develop appropriate information security training and awareness. Ongoing training and relevant information security awareness will provide employees with the knowledge needed to:
- Reduce risk of security breaches or incidents as employees think and act in a more security conscious way
- Increase organisational effectiveness through adherence to policy
- Improve internal communications on information security
3. Understand the confidentiality, integrity and availability of your information assets. Knowing the CIA of your assets allows you to assess where vulnerabilities are and how best to minimise the extent of their exposure, by:
- Identifying key assets that need protecting to minimise your potential attack vectors
- Identifying how information is accessed, processed, stored and transferred
4. Take a risk-based approach to understand and manage the risk exposure of your information assets. Taking a risk-based approach will allow you to:
- Manage your information security exposure through informed risk-based decision making across your systems, organisation and assets
- Using risk prioritisation, allocate resources efficiently and effectively across your organisation
5. Have governance for information security within your organisation. Effective governance enables organisations to demonstrate commitment to information security, by:
- Delivering strategic direction through policy, procedures and guidelines to manage information security consistently across the organisation
- Allocating resources and funds appropriately to mitigate information security risk
- Influencing information security culture through awareness and positivity
6. Work with third-party suppliers to reduce risk by:
- Conduct relevant due diligence on third party suppliers and identify the purpose of each asset and how it shall be managed once in the hands of a supplier
- Understanding the information security risks that a third-party supplier introduces from procurement through to BAU, and how to manage them appropriately
7. Ensure information security measures are applied through the life of your assets and organisational changes by:
- Ensuring all assets are owned, monitored and identified
- Identifying poorly managed assets that may impact the organisation’s BAU operations
8. Prepare for and manage information security incidents. Having an information security incident response capability will allow you to minimise the effects of incidents.
- Have adequate threat intelligence to respond appropriately to information security incidents
- Include learning from events or incidents for improvement of plans
- Conduct incident tests to identify areas for improvement and capitalise on them
Summary
Being an Information Security Consultant is a challenging but engaging role. This article summarises why it’s thoroughly enjoyable, some of the common challenges I’ve seen and how to start addressing them. I have been able to do what I enjoy on a day-to-day basis, working with and meeting some amazing businesses and clients.
Who knows, I may have the opportunity to work with you one day.