Businesses creating a digital experience for their customers have a lot of things to worry about. Will an app bring in enough revenue to cover its cost? Will it get out the door in time to beat competitors, or at least deliver a unique value proposition? What technologies should be used and how will that impact scalability and reliability? On top of all this, there is a constant stream of news about other companies and even government agencies, some of them very big and well-funded, falling prey to cyber criminals. Even for those in the information security profession, keeping up with the latest threats, vulnerabilities and defenses is an uphill battle. How can someone making their first foray into these issues prioritize the information security risks they actually need to worry about—and do it without breaking the bank?

Information versus Information Technology

A critical element of managing information security risk is to understand that it does not just apply to information technology (“IT”). Information takes many forms, in general representing any transfer of meaning from one place to another. In our modern Information Age, we readily associate information with computing and electronics. But cryptography, for example, can be traced back to the ancient Romans (the Caesar Cipher), Spartans (the Scytale), Indians (Mlecchita Vikalpa) and Jews (the Atbash Cipher). Even nature has many forms of information totally independent from humans.

What this means is that information security is not an “IT problem” nor an “engineering problem.” It requires the participation of the entire business to protect information wherever and however it is stored, processed or transmitted. Paper documents, though not as easy to mistakenly send or be stolen, must be protected as well (and they are inherently difficult to track). Perhaps the biggest risk to any organization is the individuals that have been granted access to sensitive systems and information. How do you protect them and the information in their heads, while ensuring they don’t become a chink in your armor?

Still, IT remains the major focus of information-related risk. Ginni Rometty, IBM Corp.’s Chairman, President and CEO has been quoted as saying that “Cyber crime is the greatest threat to every company in the world.” Over $2.7B in cyber-related losses were reported to the FBI in 2018. Certainly what we read in the news seems to support the belief that IT security is a problem demanding all the attention we can give it.

IT security can be broken up into three general areas: application security, system security and network security. These can be thought of as layers in the overall IT picture, sandwiched in between the physical world of papers, circuits and wires and the people who use technology to store, process and exchange information.

Figure: the layers of IT security, from top to bottom: Users of Technology; Applications; Systems and Devices; Network Communications; Physical World.

Application security is concerned with the procurement or development of software applications. This means ensuring they are built and deployed in a safe and secure way, are continually monitored for bugs that might create security issues and are not unnecessarily exposed to people who might do them harm. If your business is one that develops a software application for use by your clients, a large share of your attention is likely to be allocated here. Writing secure software and keeping it secure over time is a task that will continue for as long as that software is in operation.

Similarly, system security encompasses how devices such as servers, laptops, desktops, tablets, phones and increasingly other “things” (as in the “Internet of Things”) are configured, deployed and monitored. This can be considered a “blocking and tackling” element of IT security. These systems are the foundation upon which your entire IT security (and, to an extent, information security) strategy rests. Configuring and maintaining them to ensure their security in the face of new threats and vulnerabilities requires a process-oriented approach and dedicated resources.

Network security is primarily concerned with how information moves from one system to another and how to ensure that it isn’t stolen or changed along the way. To an extent, this will be aided by an appropriate selection of systems, applications and development libraries and frameworks that support your needs. However, most of these will require you to choose from a number of options for how to encrypt traffic, what traffic to permit or deny, or how to verify the identity of the other end of a communication. It isn’t usually a safe assumption that the “out of the box” default settings will be appropriate for your environment.

Information Security and the CIA Model

Information security is a broad, complex and ever-changing field. Still, some basic principles have existed for decades, forming the basis of any information security strategy. These are: confidentiality, integrity and availability. Understanding these concepts and the ways they can impact the information you’re protecting can help you establish a foundation on which to build your information security program.

A widely used security standard is the CIA model. It is usually drawn as a triangle, because situations may require trade-offs and compromises between the three properties in order to achieve a desired outcome. For example, the need to keep specific information confidential and prevent modification can conflict with the need to make it available to the right people.

Confidentiality means making sure that only the appropriate people can see information. Whether it’s because the information is personally private, a trade secret, is regulated or would just be embarrassing if the wrong people saw it, you might need to keep it a secret. The primary methods of ensuring confidentiality are access control and cryptography. Access control consists of authentication (verifying the identity of a user) and authorization (making sure they’re allowed to perform an action). Cryptography consists of hashing (converting text in a one-directional manner to a form that protects it from disclosure) and encryption (protecting it in a way that can be reversed, or decrypted). In many situations, confidentiality is the top concern for information security professionals, but it depends greatly on the business and systems under consideration.

Integrity means making sure that information is not inappropriately changed. It is widely held that bad information is worse than no information. This is because bad information can mask issues that need to be resolved, and cause the misallocation of attention and resources or create other issues. A good example is a bank account balance. There are situations under which it can be changed, but it’s critical to make sure that those are the only situations where it changes and that those occasions are tightly controlled and monitored. Failure to do so would create a crisis of confidence in the entire bank (or beyond) and require inspection of historical balances to determine which balances were valid and when. Conversely, a bank whose balances were entirely unavailable or all reset to zero might immediately recognize the issue and restore from a recent backup. Still a bad day, to be sure, but a marked improvement. Access control and cryptography are, again, the primary methods of ensuring integrity, either by preventing changes to the data or making it obvious when this has happened.

From a non-security perspective, the availability of the information is often the primary concern. When a business application becomes unavailable, processes are disrupted, revenue can be lost and productivity plummets. In certain sectors, such as a critical infrastructure like the electrical grid, failure of availability in a crucial system can have disastrous consequences. It is not necessarily a short-term consequence, either. In the case of ransomware—malicious software that infects and locks up a system until payment is delivered to the attacker—the outage could be prolonged or even permanent. The primary methods of ensuring availability are through redundancy, resilience and backing up data.

Redundancy means having spare capacity–as isolated from the primary systems as possible–with the ability to take over in the case of a failure. Examples include a backup internet or power connection, or keeping identical systems online at a secondary site. Resilience means being prepared to respond to incidents and bring systems back online as quickly as possible. While this doesn’t eliminate the availability concern, it reduces the potential negative impact. Backing up data ensures that if it can’t be retrieved from its primary storage location, maybe due to a hardware failure or accidental deletion, there is a second copy that can be restored.

A critical distinction here is between replication and a backup. Many infrastructure providers automatically replicate data between systems, or even data centers, on their customers’ behalf. This is great in the case of a failure of the hardware or connectivity at the primary site. However, it means that if a logical error, such as a software bug or user error, corrupts the primary copy, those errors will be faithfully copied over to the secondary location as well. Tape backups have historically been the trusted method of offline backups. These are portable cartridges (think VHS and cassettes, but much higher capacity) that can be taken off site, put in a vault and kept for long periods of time to allow for point-in-time recovery. However, they are not easy to implement for a business that primarily uses cloud services, due to the burden of copying data from the cloud to a local device on a regular basis. Other strategies may need to be considered.

The CIA model is not all-encompassing, though its simplicity makes it easy to remember and highly useful. However, there are other important considerations to acknowledge outside of the CIA model. The STRIDE model, published by Praerit Garg and Loren Kohnfelder at Microsoft, encompasses CIA but breaks the considerations out differently. Of particular note is the addition of the concepts of non-repudiation and authenticity.

Non-repudiation means ensuring that someone can’t go back on their word. If you signed a contract, you can’t say you didn’t later; you can’t “repudiate” your signature. The addition of authenticity makes explicit a component of integrity, ensuring that a piece of information really is what it says it is, that it is “authentic.” Though in practice these principles are often accomplished through non-technical means, digital signatures are used in contexts where automatic validation of authorship is required or where a very high level of assurance is needed on the part of the recipient. By generating a unique value (a hash) from a document and then having the author sign that hash with a private key, a recipient can verify both that the document has not been altered from its intended form and that the sender is in fact who it is purported to be.
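The hash-then-sign procedure described above, as an added example that is not part of the original article. It uses Go's standard-library Ed25519 implementation; the contract text, the key pairs and the tampered and forged variants are all constructed here for the demonstration. The point it shows is that one altered character, or a signature made under a different key, both cause verification to fail, which is how a recipient gets integrity and authenticity from the same check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signed bundles a document with the signature its author produced over it.
type Signed struct {
	Document  []byte
	Signature []byte
}

// Sign hashes the document with SHA-256 and signs the digest with the
// author's Ed25519 private key (the "generate a hash, then sign it" step).
func Sign(priv ed25519.PrivateKey, doc []byte) Signed {
	digest := sha256.Sum256(doc)
	return Signed{Document: doc, Signature: ed25519.Sign(priv, digest[:])}
}

// Verify recomputes the digest and checks the signature against the claimed
// author's public key. It returns false if the document was altered after
// signing or if the signature was produced with a different private key.
func Verify(pub ed25519.PublicKey, s Signed) bool {
	digest := sha256.Sum256(s.Document)
	return ed25519.Verify(pub, digest[:], s.Signature)
}

func main() {
	// Constructed key pair and document for the demonstration.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	contract := []byte("Party A agrees to pay Party B 1,000 units on delivery.")
	signed := Sign(priv, contract)
	fmt.Println("original verifies:              ", Verify(pub, signed))

	// Integrity: a single changed digit invalidates the signature.
	tampered := signed
	tampered.Document = []byte("Party A agrees to pay Party B 9,000 units on delivery.")
	fmt.Println("tampered document verifies:     ", Verify(pub, tampered))

	// Authenticity: a signature from some other key does not verify under
	// Party A's public key, even though the document itself is unchanged.
	otherPub, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	forged := Sign(otherPriv, contract)
	fmt.Println("forged verifies under A's key:  ", Verify(pub, forged))
	fmt.Println("forged verifies under own key:  ", Verify(otherPub, forged))
}
```

Because the private key never leaves the signer, a valid signature is also evidence the signer cannot later disown, which is the non-repudiation property the text describes; that property only holds as long as the private key is kept confidential.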

Desired property     Threat                   CIA overlap
Authenticity         Spoofing                 Integrity
Integrity            Tampering                Integrity
Non-repudiability    Repudiation              Integrity
Confidentiality      Information disclosure   Confidentiality
Availability         Denial of Service        Availability
Authorization        Elevation of Privilege   Confidentiality, Integrity

Security, Privacy & Compliance

Privacy, a related topic making just as many headlines, works hand in hand with security but is a slightly different concern. Compliance is also interrelated and often conflated. Put simply, security is the protection of information through risk management. Privacy is the protection of the individual rights of those about whom the information is concerned. Compliance is ensuring that the reality of day-to-day organizational life lives up to internal and external obligations. These three concepts are inextricably linked, but the fundamental approaches are different.

Privacy in the information age has encountered many challenges. The sheer volume and value of personal information produced about users of applications or networks, along with the highly detailed and intimate nature of much of it, is just too tempting for many organizations to pass up. This might be governments policing their citizens or spying on citizens of other countries, companies that have learned how to use metadata about their user bases to amplify revenue streams or criminals who have exploited the many weaknesses in evolving IT infrastructure for the purposes of identity theft and financial crimes.

Security plays a part in this by ensuring that organizations striving to protect the privacy of their stakeholders can do so with confidence. It is the impetus for technologies, such as end-to-end message encryption or web proxying technologies that let citizens evade monitoring by their own governments or hostile parties. This has created much controversy in many parts of the world and is far from a settled issue. Whether citizens should be able to protect information in a way that is completely and fundamentally immune to inspection by law enforcement has ignited countless heated debates in the halls of academia, government and industry.

Still, security simply enforces the will of the organization. If an organization does not take a stance that aligns with protecting private information, security will not change that at best and can enable it at worst. For example, web content filters can protect internet-browsing users from malicious or objectionable material, but they can also “break” encryption protocols (HTTPS interception) and subject those same users to monitoring of their internet behavior.

Compliance has also been challenged to keep up with IT. Understanding what obligations you have for protecting information, aligning your business with those responsibilities and reporting potential or actual compromises can be complex. The consequences for noncompliance, whether imposed as a penalty or the result of a realized risk exposure, can be steep. Thus, ensuring compliance with all applicable requirements is an important task.

Security supports compliance in many ways. Considering non-compliance as another type of risk an organization must manage, security is the process of identifying the ways to control those risks. It’s important to note that this is not simply a matter of IT. Compliance, even when limited to the scope of information security, is a cross-functional and organization-wide concern.

By its nature, compliance plays catch-up. Writing, approving and issuing new laws, standards, contracts and policies takes time. Technology is very often one step ahead, and those who are best at writing these requirements are not always those with the strongest understanding of current and future technology trends. Thus, security and compliance occasionally find themselves in conflict. Businesses may find themselves forced to implement security measures that were considered best practice several years ago but have since been superseded by refined understandings or new technologies. The information security profession, as a whole, is very outspoken about aligning regulation with measures that meaningfully reduce risk. However, it can take time for these arguments to be heard and acted upon.


So you’re convinced that information security is something your business needs to take seriously—great! Now you find yourself confronted with more news articles, standards, recommendations and monsters under the bed than you can shake a stick at. This can seem overwhelming, and trying to tackle everything that could go wrong would be. However, when approached in a logical way, you can help yourself work smarter instead of harder.

Construct a Strategy

The most important aspect of an information security program is to have a strategy to identify, assess and manage security risk. While there are many products, services and consultants that can serve as a component of your strategy, at the end of the day security is a process. Employing products to better manage risks, services to offload or complement your in-house capacity, or expert consultants to make sure you’re on the right track are extremely valuable to an overall plan. However, doing any of those things without first understanding your own risks and tolerances for them may spread your resources unnecessarily thin or cause you to misdirect them.

It can be easy to focus on the latest “hack of the day” as news cycles continue to be interspersed with the latest breaches, threats and doomsday predictions. These attention-grabbing issues tend to dominate public policy, as well as many of the products and services available in the security market. Yet for any given company, the specific profile of threats and risks that are likely to materialize, or have an impact if they do, could be very different. Information security professionals have learned that using Fear, Uncertainty and Doubt (FUD) to drive organizational investment priorities is not a winning strategy. Corporate leaders, investors and regulators have wised up to the need for data-driven decisions regarding information risk. When viewing information security risk as another type of enterprise risk that must be managed, they are likely to demand quantitative methods and metrics to justify soaring information security expenditures.

So what does this mean for someone starting and growing a small-to-medium business who’s worried about a cyber breach? It means starting with risk. Only then can intelligent decisions be made about which products, services and consultants to leverage (and when).

What’s at Stake

The first step in understanding where your biggest risks lie is to understand what it is that you’re protecting. Assets are things that are valued by your business and they might be tangible or intangible. You might be protecting things such as servers, desktops, applications or office space that contain confidential information, or are required for the operation of your business. Similarly, you probably want to protect the reputation and financial health of your company and shield it from legal liability. Assets come in many forms and their connections to information security vary. However, it is unlikely that many—if any—enterprise risks are not impacted by information security in some way.

A Business Impact Analysis (BIA) is often the first step in understanding the operational impacts an IT-related event could have on operations. A BIA enumerates the processes critical to the ongoing health and operating efficacy of the organization. Examples include the customer support queue, releasing new versions of software or shipping products to customers. For each of these critical processes, the systems upon which they rely are listed. Perhaps the office phone system is required for incoming support requests or a cloud hosting environment is necessary to maintain the production application.

Next, their relative levels of importance are assessed. This can be approached using two factors about each: the Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO states how long the business can continue to operate in an acceptable, if diminished, state without a system functioning. For example, you might be able to tolerate a full eight hours without email (with some creative workarounds), but your production application absolutely cannot be down for more than 15 minutes.

The Recovery Point Objective (RPO) defines the amount of data you could lose before it is an all-out disaster. Using the examples above, if you can tolerate a day’s worth of lost email, perhaps nightly backups of that information are sufficient. On the other hand, if you’re writing an application handling real-time financial transactions, you might have a near-zero RPO and require real-time replication of data in addition to frequent backups to further minimize the chances of data loss. Armed with the RTO and RPO for the systems supporting critical business processes, you can begin to strategize and allocate resources accordingly.
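The replication-versus-backup distinction from the availability section and the RPO discussion just above come together in one model, added here as an example that is not part of the original article. The timeline, the account balances and the “bug that zeroes every balance” are constructed; the store, replica and snapshot types are simplified stand-ins for a real database, its synchronous replica and a nightly backup job. What the run shows is that the replica faithfully mirrors the corrupting write, that the last clean snapshot restores the earlier state, and that the data-loss window of that restore (here 14 hours) is what an RPO has to be compared against: a 24-hour RPO is met by nightly backups, a 15-minute RPO is not.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Store is a simplified key/value data store (key: account id, value: balance).
type Store map[string]string

// Copy returns an independent copy, as a snapshot must be.
func (s Store) Copy() Store {
	c := make(Store, len(s))
	for k, v := range s {
		c[k] = v
	}
	return c
}

// Snapshot is a point-in-time copy of the store taken by the backup job.
type Snapshot struct {
	TakenAt time.Time
	Data    Store
}

// System holds the live data, a replica that mirrors every write, and the
// snapshots taken at a fixed interval (e.g. nightly). Writes must arrive in
// chronological order, as they would from a single primary.
type System struct {
	Primary   Store
	Replica   Store
	Snapshots []Snapshot
	interval  time.Duration
	lastSnap  time.Time
}

func NewSystem(start time.Time, interval time.Duration) *System {
	return &System{Primary: Store{}, Replica: Store{}, interval: interval, lastSnap: start}
}

// Write applies a change at time t. Any snapshots that fell due before t are
// taken first, so they never contain this write. Replication then copies the
// change to the replica immediately, whether it is legitimate or not.
func (s *System) Write(t time.Time, key, value string) {
	for !t.Before(s.lastSnap.Add(s.interval)) {
		s.lastSnap = s.lastSnap.Add(s.interval)
		s.Snapshots = append(s.Snapshots, Snapshot{TakenAt: s.lastSnap, Data: s.Primary.Copy()})
	}
	s.Primary[key] = value
	s.Replica[key] = value // replication is faithful, including to bad writes
}

// Corrupt models a logical error (a bug or mistaken bulk update) that zeroes
// every balance at time t. Because it goes through Write, it is replicated.
func (s *System) Corrupt(t time.Time) {
	keys := make([]string, 0, len(s.Primary))
	for k := range s.Primary {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic order
	for _, k := range keys {
		s.Write(t, k, "0")
	}
}

// Restore returns the most recent snapshot taken no later than corruptedAt,
// plus the data-loss window (writes made after that snapshot are gone). The
// RPO is the largest such window the business is willing to accept.
func (s *System) Restore(corruptedAt time.Time) (Store, time.Duration, error) {
	for i := len(s.Snapshots) - 1; i >= 0; i-- {
		snap := s.Snapshots[i]
		if !snap.TakenAt.After(corruptedAt) {
			return snap.Data.Copy(), corruptedAt.Sub(snap.TakenAt), nil
		}
	}
	return nil, 0, fmt.Errorf("no snapshot taken before %s", corruptedAt.Format(time.RFC3339))
}

// Scenario runs the constructed timeline: two days of balance updates with
// nightly snapshots, then a bug on day two at 14:00. It returns the replica's
// view of account 1001, the value recovered from backup and the loss window.
func Scenario() (replica, restored string, loss time.Duration) {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed timeline
	sys := NewSystem(start, 24*time.Hour)                // nightly backups
	sys.Write(start.Add(8*time.Hour), "acct-1001", "500")
	sys.Write(start.Add(17*time.Hour), "acct-1002", "250")
	sys.Write(start.Add(33*time.Hour+30*time.Minute), "acct-1001", "520")
	bugAt := start.Add(38 * time.Hour)
	sys.Corrupt(bugAt)
	clean, loss, err := sys.Restore(bugAt)
	if err != nil {
		panic(err)
	}
	return sys.Replica["acct-1001"], clean["acct-1001"], loss
}

func main() {
	replica, restored, loss := Scenario()
	fmt.Printf("replica after bug: acct-1001=%s (corruption was replicated)\n", replica)
	fmt.Printf("restored snapshot: acct-1001=%s, data-loss window %s\n", restored, loss)
	for _, rpo := range []time.Duration{24 * time.Hour, 15 * time.Minute} {
		fmt.Printf("RPO %-5s met: %t\n", rpo, loss <= rpo)
	}
}
```

The restored value is the day-one balance of 500, not the 520 written on the morning of day two; that write falls inside the loss window. Shrinking the window means taking snapshots more often (or keeping a transaction log alongside them), which is the cost side of the near-zero RPO the text mentions for financial systems.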

Having considered the systems supporting critical processes, one must also consider the people involved in them. Not only must the risk of a person being unavailable be considered (whether temporarily or otherwise), but also that of an insider with malicious intent or that of a simple mistake being made. IT can often help mitigate these risks by building and configuring systems to minimize human error or make it difficult for someone to knowingly circumvent established processes without detection. However, non-IT considerations are paramount to any complete information security risk assessment.

Threats

After you understand what you’re protecting, you need to consider whom and what you’re protecting it from. Threats to information can be split into adversarial and non-adversarial threats.

Non-adversarial threats are unintentional or naturally-occurring events, such as an employee accidentally emailing something outside the company or a fire in your data center. These can do just as much damage as an adversarial threat and are deserving of just as much attention. However, they don’t always attract as much press because they are more mundane. They are also, at least in some cases, easier to mitigate because the vectors can be clearly explained and controls can be put in place to reduce (though perhaps not eliminate) them. For example, if you’re worried about the risk of an earthquake, you can make sure to use data centers that aren’t in earthquake-prone areas.

Adversarial threats, on the other hand, are intentional and malicious—someone trying to do something nefarious. Information security threats have evolved over the history of the internet. When the internet was a small and mostly-trusted ecosystem, malicious actors were rare or easy to identify. Causing a digital ruckus was more about having fun or making a point. This cavalier attitude extended into the years when the internet became a household phenomenon and real economic impacts started to be seen—for good and for bad.

Very quickly, criminals learned that they could make use of cyber means to accomplish many of the same things they might otherwise accomplish in the physical world. Even better (for them), they might be able to do it at a scale and speed not possible without the internet. Whether the goal is ideological or financial, cybercrime has become a highly organized enterprise. Generally, potential adversarial threats ask themselves one of the following five questions:

  1. How can we make a mess?
    These attackers wish simply to cause destruction for the sake of destruction or to prove that they can.
  2. How can we make news?
    These attackers wish to bring attention to an issue or embarrass a company.
  3. How can we make a point?
    These attackers wish to show that an organization is unprepared for a security incident or is mismanaged.
  4. How can we make a profit?
    These attackers wish to gain access to systems and information to extract money out of them or their owners.
  5. How can we gain an advantage?
    These attackers wish to gain access to systems and information so that they can use them for competitive or geopolitical purposes.

This list is certainly not exhaustive and actors might fall into multiple categories simultaneously. However, pairing it with the list of assets you’re protecting can be a good way to understand why someone would attack your systems—and maybe even how they’d go about it.

Vulnerabilities

Unless you’ve spent time working with IT and software, you might be asking ‘why aren’t systems simply built so that they aren’t subject to attack?’ We build bridges and skyscrapers that don’t fall down, medical devices that are reliably safe, airplanes with acceptable safety records, facilities that power our cities with nuclear fission and vehicles that send people into space. Why is it so hard to keep attackers out of IT systems?

While a complete answer to this question is beyond the scope of this article and perhaps is one that will never be fully resolved, a rough answer can be given as: cost and complexity. While bridges and buildings can be very complex, the methods for building them don’t change drastically all that often and attacking them requires the attacker to be in the same place as the target. In the medical, transportation and energy sectors, much of the R&D expense and time to market can be attributed to the strict methods required to prove that new technologies are safe. Further, very few organizations have the kind of resources NASA can allocate to a mission to space. Even in these sectors, where IT is concerned, security is not perfect.

IT systems are not only increasingly complex, they are constantly changing, highly interconnected, delivered at competitive consumer price-points (or free) and driven by competition to be the first to deliver the next disruptive and transformational technology to market. None of this justifies failures to take information security seriously or apply appropriate resources to assess and manage information security risk. However, the effort to do so is greater than it might seem from the outside.

When we speak of “vulnerabilities” in information systems, we’re really talking about human errors. These might be conceptual errors in the design of a system (or the decision to invent it in the first place) or they might be flaws in the implementation. In very few sectors is software written in a way that is backed by formal mathematical proofs of its correctness. When considering applications that may consist of millions of lines of code (for reference, the human genome consists of 3 billion base pairs, which you might equate to lines of code), the effort to do this is extremely high, especially since the codebase is a moving target.

More often, software is written and tested on an iterative basis. Tests consist of the failure conditions (and methods to test for them) that can be conceived of by the software authors themselves. Even with the best of intentions, this can be highly difficult. Scanning and testing tools are often used to help identify security issues as they’re written or before code is contributed back into a production code-base, but this is a very inexact science. It is not unusual for a developer to run such a tool on a code base and end up with thousands of potential security issues that are mostly false alarms.

On top of this, software often makes use of or interacts with many other components. Even the simplest applications might behave in unforeseen ways in certain circumstances. When these dependencies include code written by a third party—as they often do to a great extent—the effort to stay on top of vulnerabilities that have been discovered and patched can be large. Finding such vulnerabilities yourself is more than most organizations can afford, and even when one is found it can be challenging or impossible to get a fix accepted into the third-party codebase.

This might all sound dire and certainly the daily news would back up that conclusion. However, all hope is not lost. While writing perfect code is perhaps out of reach of most organizations, minimizing the impact of bad code on your organization is achievable with the right processes in place. It requires an intentional effort to build software as securely as possible and fix issues when they (inevitably) arise. Some common practices for doing this include:

  1. Encouraging software developers to maintain familiarity with common code security vulnerabilities and their mitigations. Resources such as the OWASP Top 10 List can help in this regard.
  2. Using appropriate automated tools to scan for security issues. While these are often noisy, appropriate configuration and baseline comparison can make the output tractable. Even better, tools that integrate security checks directly into the developer’s environment through IDE plug-ins can provide real-time feedback during the development process.
  3. Building a software development lifecycle (SDLC) with appropriate separation of duties, accounting for security requirements and enabling fast remediation of identified vulnerabilities.
  4. Minimizing use of third-party code to the extent absolutely required, using only reputable repositories and ensuring all versions stay up to date. Even the most popular software can have security issues, sometimes in a dramatic fashion. Importing third-party code is not a set-it-and-forget-it proposition: keeping versions current is known as patching, and it applies to operating systems and applications alike. Failing to do this can leave you wide open to both focused and opportunistic attackers.
  5. Working with appropriate service providers to conduct regular security assessments or code reviews. While these services can be expensive, having another set of expert eyes on your systems and applications is an extremely effective way to check your blind spots.

Assessing Risk

Faced with a long list of “bad things that could happen,” it’s critical to prioritize the things that require the most urgent attention so you can focus on placing resources where they can be the most effective. This can be especially challenging when it comes to cyber security because data to help you make these decisions is sparse and often of low quality. This is in contrast to mature disciplines such as investing where expectations of quantitative metrics with known error margins can be used to fine tune risk considerations.

While a number of organizations (for example: Verizon, Symantec or the FBI IC3) make reports available regarding the types of cyber attacks that are currently hitting organizations, the extent to which the data is statistically meaningful or applicable to any given organization varies widely. The only truly accurate barometer of the risks faced by an organization is the losses it has actually incurred. For a new business without historical data to draw on or the resources to exhaustively collect and analyze data on cyber events, this might not be possible. Many attempts have been made to establish the concept of Return on Investment for security controls but implementations differ greatly in their approaches and maturity.

It can be easy for security leaders or those to whom they are accountable to be biased by the information they’re seeing regarding potential threats or breaches of other organizations. Thus, even if it isn’t perfect, having a methodology for objectively assessing the relative priority of threats that require management is crucial. Two such methodologies are the NIST 800-30 “Guide to Conducting Risk Assessments” and the ISO 31000 “Risk Management” standard.

As with other disciplines where risk is assessed, information security risk can be broken down into likelihood and impact. Likelihood is the level of confidence that an event will occur within a given frequency. For example, you might be 100% confident of receiving a phishing email within any given 24-hour period, but only 50% confident that you will experience a tornado within the next 10 years. Likelihood is greatly affected by the specific circumstances of your environment and thus precision is challenging. Accordingly, it is common to use a qualitative scale such as “Very Low, Low, Moderate, High, Very High” to estimate the relative likelihood of threats where the exact frequencies are not known or knowable. Conditions that exacerbate or mitigate these risks can be listed and accounted for to help get a better sense of the true likelihood of the threats.

The impact of a specific risk is the extent of damage that the risk coming to fruition could have, regardless of mitigations that could reduce its likelihood. This might be monetary but also could be expressed in terms of reputational impact, personnel safety or indirect financial measures such as downtime or legal liability. Many security-related impacts are difficult to quantify in a purely monetary sense and for that reason qualitative methods are again often used.

In an ideal situation, one would combine the predictions of likelihood and impact to give estimates such as Annual Loss Expectancy (ALE) or Value at Risk (VaR). However, the inherent problems with data regarding cyber risks can make such numbers meaningless or misleading. It is thus common practice to develop a grid, such as the following, to combine qualitative likelihood and impact into an overall risk rating. From there, a conversation can be held regarding the level of risk that is acceptable (risk tolerance), or how to address the highest-level risks.

                             Impact
Likelihood    Very Low   Low        Moderate   High       Very High
Very High     Very Low   Low        Moderate   High       Very High
High          Very Low   Low        Moderate   High       Very High
Moderate      Very Low   Low        Moderate   Moderate   High
Low           Very Low   Low        Low        Low        Moderate
Very Low      Very Low   Very Low   Very Low   Low        Low
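The grid above applied to a small risk register, as an added example that is not part of the original paper: the grid values are the paper's, while the sample register entries and the “Low” risk tolerance are constructed for illustration.

```python
"""Qualitative risk rating from the likelihood x impact grid above.

Added example, not part of the original paper. The grid is the paper's;
the sample risk register and the risk tolerance are constructed.
"""
from typing import Dict, List, Tuple

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Rows are likelihood (Very High first, as printed in the paper); columns are
# impact from Very Low to Very High. The grid is not symmetric: at the low end,
# impact pulls the rating up faster than likelihood does.
GRID: Dict[str, List[str]] = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def risk_rating(likelihood: str, impact: str) -> str:
    """Look up the overall risk rating for one likelihood/impact pair."""
    if likelihood not in GRID or impact not in RANK:
        raise ValueError(f"unknown level: {likelihood!r} / {impact!r}")
    return GRID[likelihood][RANK[impact]]


def prioritize(register: List[Tuple[str, str, str]],
               tolerance: str) -> List[Tuple[str, str, bool]]:
    """Rate every (name, likelihood, impact) entry and sort highest risk first.

    The boolean says whether the rating exceeds the stated risk tolerance,
    i.e. one of the four treatments (accept/remediate/avoid/transfer) must
    be chosen deliberately rather than by default.
    """
    rated = []
    for name, likelihood, impact in register:
        rating = risk_rating(likelihood, impact)
        rated.append((name, rating, RANK[rating] > RANK[tolerance]))
    return sorted(rated, key=lambda r: RANK[r[1]], reverse=True)


# Constructed register for a small cloud-hosted business (illustrative only).
SAMPLE_REGISTER = [
    ("Phishing email reaches staff", "Very High", "Moderate"),
    ("Tornado damages office", "Very Low", "High"),
    ("Third-party file-sharing provider breached", "Low", "Very High"),
    ("Unpatched web framework exploited", "Moderate", "High"),
]

if __name__ == "__main__":
    for name, rating, above in prioritize(SAMPLE_REGISTER, tolerance="Low"):
        print(f"{rating:9} {'TREAT' if above else 'accept':6} {name}")
```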

Managing Risk

After deciding which risks require attention, you need a strategy for handling each. This is highly subject to the preferences and strategy of any given organization. However, risks are typically handled in one of four ways:

  1. Accept: Determine that the organization is okay proceeding without any additional mitigation. This can be a difficult decision to make, but might be the best alignment with overall strategy when there are no regulatory or compliance impacts and the risk is low.
  2. Remediate: The ideal situation is to take action to bring the risk down to an acceptable level if doing so is within the means and capabilities of the organization.
  3. Avoid: If the risk is of a scale or nature that simply cannot be accepted, then whatever organizational systems or processes that enable the risk to exist may need to be terminated.
  4. Transfer: Finally, risks with a high potential impact but low likelihood may simply be insured against. However, great care must be taken to understand the conditions and coverage of cyber-related insurance policies as they vary widely.

To this point, we’ve talked about how you can manage the risks to your organization by assessing your own systems and processes. However, no business exists in a vacuum. While current trends towards cloud services have perhaps amplified the risks that others can create for you, this is by no means a new concept. Whether it’s software libraries that you’re using in your code, communication and collaboration suites, data analysis tools, infrastructure hosting or any other outsider you trust with your data and reputation, the risk to your business created by third parties can be just as big as any internal concern.

The Service Provider Landscape

No two IT service providers are exactly the same and understanding each partner you engage with is critical to managing your information security risk. Some organizations might have highly mature and well thought-out security programs, be open to sharing whatever information you need to make your risk decision and serve as an ongoing trusted partner. Others might refuse to provide any information at all, adopting a take-it-or-leave-it stance on their service. Most fall somewhere in between. It is worth emphasizing that the popularity or cost of an application or service should not be assumed to have a strong correlation with its level of security.

Assessing third parties to determine how they impact your level of information security risk can be a time-consuming and challenging process, but there are tools to make it easier. The first and most common are attestations and certifications. These are statements by an outside auditor that has inspected the security and/or compliance of the service provider and issued a report or certificate. Thus, assuming the auditor to be neutral and trustworthy, the service provider can undergo the audit once and provide the report to all potential customers to satisfy their needs.

The reality is a bit more complex. To understand why, we must first talk about the difference between a certification and an attestation. Certifications are what most of us think of when we think of a service provider being reviewed. This is an inspection against an objective standard, like taking the exam for your driver’s license. Anyone holding the same certification can be assumed, within a certain margin of error, to have a similar level of risk because the criteria were the same (and auditors follow standard processes in their inspections). Thus, unless there are “exceptions” (that is, things the auditor found that were not in compliance—the questions you get wrong on the driving exam), simply having a certificate is all you need to know. This is the way ISO or PCI DSS certification works. However, unless required to, organizations might not undertake certifications because they must sacrifice some discretion in managing their own risks to do so.

Attestations, on the other hand, are a much more flexible tool. An attestation is an auditor’s verification that the statements of a service provider are accurate at a specific point in time, to the best of their ability to verify them. What the service provider’s statements are might vary widely but the truth of them can be relied upon to a much greater degree than without third-party verification.

Service Organization Control (SOC) reports are a common attestation tool. They are anchored in the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria, but within that framework the adoption of a subset of the five principles and the way in which they are implemented are up to the service provider. While a SOC report goes a long way towards giving assurance about a service provider’s security stance, it should not be relied upon without actually reviewing the report. More detail on SOC reports is available from the AICPA.

The cloud computing paradigm has created a sea change in the way many organizations procure and operate IT services. The implications to your risk profile depend on your specific strategies. Full coverage of the impact of cloud services on security and compliance is the subject for another day (and much information can be found through various reputable sources such as the Cloud Security Alliance), however a couple of items are worth highlighting.

First, when engaging a cloud service provider, such as an email provider, customer relations management platform, file sharing service or application hosting environment, it is critical to understand that it is an ongoing partnership with shared responsibility for security and compliance. You are giving up a degree of control and visibility in exchange for reducing your operational burden. However, using a cloud service does not absolve you of any accountability. You may be able to leverage the maturity and services of the cloud service provider to bolster your security strategy, but doing so blindly or depending entirely upon them is not a winning strategy. In fact, you may find yourself answering for their actions after the fact if they make decisions that lead to a breach. Using a cloud service with a given certification or attestation does not mean that you inherit that same status. For example, using a service that has a SOC 2 report does not mean that you can claim to be covered by a SOC 2 report yourself. Thus, assessing the security and compliance risk of these partners and understanding how they fit into your overall strategy is critical to selecting which you bring into your overall IT strategy.

Second, the use of cloud services makes it much more difficult to establish a single hard perimeter around your IT environment. In non-cloud environments, it is common to restrict network traffic to trusted sources and locations. When an application is hosted in a cloud environment, this might be challenging due to the size of the service provider or its dynamic nature (at least without architectural considerations up front). Similarly, the perimeter between you, the service provider’s personnel and other customers of the service provider can be blurry. Understanding how a compromise of the cloud infrastructure, a malicious insider or a hostile digital roommate could impact the security or availability of your organization is critical.

Given everything you’ve read here, where should you start and how should you expect your information security program to grow over time? It’s important to maintain a sense of perspective. Understanding and accepting that you can’t eliminate every security risk to your business overnight can keep you from becoming paralyzed in information overload and failing to take any meaningful steps. Likewise, it’s important to not react to every concern with a major shift in your business or technical overhaul. Finding your information security Zen takes iteration and continual learning, but that doesn’t mean you shouldn’t or can’t start tackling the issue head-on today. After all, the stakes for failing to do so can be dire for you, your customers and your investors.

Remember that information security is a matter of risk prioritization. While ignoring remote risks entirely isn’t wise, neither is using resources to manage them that are more sorely needed to address the most pressing risks you face. In the initial phases of building an information security program, adhering to relevant regulations and standards is a key foundational step in the right direction. Ultimately, this will set you on the right path going forward. However, that alone will not eliminate all the risks you face.

It can be useful to think of the growth of your program in phases. Such a perspective lends itself to an approach based on iterative improvement. Of course, it does not relieve you of living up to your obligations or of handling the risks that need to be managed with appropriate attention and resources.

Growth Stage: Description

Firefighting: As you start an information security program, especially if you don’t have previous experience in this area, you may feel overwhelmed by all the things you must do, let alone the things you should or could do. The outcome is that heroic effort might be required and results are unlikely to be efficient, sustainable or repeatable.

Sporadic: As your organization and its information security program continue to grow, natural pressures around stakeholder expectations, operational realities or even security incidents will push certain teams, systems or processes to mature more quickly than others. This can lead to effective management of risk in small pockets but a lack of alignment at an organizational level that results in duplication or blind spots.

Consistent: Continued growth will result in standardization across the organization. Perhaps you have made your first full-time information security hire or have engaged a managed service provider to supply more regular and ongoing support. Policies, standards and procedures will become more detailed and proactive. However, it might still be challenging to find the time or collect the information necessary to continuously monitor all the potential sources of security risk.

Monitored: Further investment of time and resources can result in instrumentation of the environment and establishment of processes to continuously monitor, regularly assess and audit systems and processes for compliance with internal requirements. At this stage, the program is moving into a fully forward-looking mode where it is less often playing catch-up and depending upon external compliance as the impetus for action.

Continuously Improving: At the peak end of the growth curve, the program is in a state of constant evolution. It is using information from both within the organization and outside sources to continuously evaluate and modify the security strategy to counter threats, perhaps even in real time.

When to Get Help

In information security, no one wins by going it alone. Understanding when and where to get help is critical due to the complex and continually changing nature of IT and the focused and advanced nature of the threats we face. Information security can be expensive, can detract from the things you’d rather be working on or can slow some parts of the organization down. However, none of these impacts are likely to be as great as that of a major security incident. It is not an overstatement to consider some of the information security risks you face existential in nature.

Within the constraints and caveats outlined in this paper, making use of systems and services of trusted third parties can be an investment well worth making. This does not mean you can offload the risks entirely, but making use of those with more expertise or resources than you can be an important component of your strategy. In particular, when writing security-related code (and especially cryptographic functions), using established frameworks, algorithms and libraries and getting outside opinions on the quality of your code is essential.

If you’re unsure what your compliance obligations are, this is a major red flag. Consulting with appropriate counsel to understand your business, its clients, the information you’re handling and the “law of the land” in the places you’re operating is crucial to keeping you out of hot water and protecting those you serve. These issues are complex and ever-changing, and the need for expert advice cannot be overstated.

Lastly, if you think you may have had a security-related incident, you absolutely need to pull in appropriate resources to manage your response. Being proactive in this regard means that you’ve identified these resources ahead of time and have created and drilled your own internal procedures. Having the right contacts on speed-dial to handle the forensic investigation, preservation of evidence, breach disclosure notifications and preparing you for any potential legal action can be the difference between surviving a breach and closing up shop.

Information security is serious business with new challenges emerging daily. It is essential that every organization creates a strategy for protecting its valuable information. This process starts by understanding your own risk factors, forming a plan built on solid principles and determining how (and with which partners) to execute it. Then, get better every day.

Benjamin Blakely, PhD CISSP CISM
Ben is the Director of Information Security at Dwolla. Previously, he has held positions in the private, public, and education sectors, and built an information security program to support growth of a cloud software startup through its initial public offering into the thousands of corporate customers. He earned his PhD and BS degrees in Computer Engineering from Iowa State University, with minors in psychology and political science. He holds the Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) certifications, and is the lead inventor on two patents related to encryption key management in cloud infrastructures.