INTRODUCTION:

In today’s digital world, IT security strategy must be transformed into Business-driven security strategy which brings in Business perspective to security. The security testing practitioners should not stop with defining technical vulnerabilities and technical impacts. They should extend to the business impact such as loss in dollar value and customer experience which the Business stake holders are looking at.

TRANSFORMATION TO BUSINESS-DRIVEN SECURITY:

Information Security Practitioners like security analyst and consultants of an organisation should look at the information security from a business perspective to enforce proper risk management so that it will be useful to prevent the data loss or assets that are most important to the organization during the time of a threat.

For enforcing the business-driven model of Information Security in an organisation, it is essential to understand and assess the organization’s risks in real time and mitigating the risk by determining the incidents conclusively by a skilled incident management team. In short, it is critical to have a “Risk Management team in an Organization” than a regular threat management team.

To create a compelling business-driven security model, a business organisation must identify all its assets,

IMPORTANCE OF BUSINESS DRIVEN SECURITY MODEL :

The need for business-driven security arises, mainly due to the evolving threats from various aspects of technology which includes the latest trends like the Internet of Things (IoT), Artificial Intelligence (AI), Machine Learning etc., As these new technologies evolve, the attack vector for these technologies also evolves every day.

For example, IoT devices may have vulnerabilities in firmware level and application level, which an attacker can exploit to take over the IoT device’s control, which gradually increases the threat for the owning organisation.

Another primary reason for the business-driven security model is “The Gap of Grief”. The Gap of Grief is a concept used to explain how the security vulnerabilities can cause financial and reputation loss problems in an organisation. A significant part of this problem comes with the fact that the CISOs and other information security staffs in general like Penetration testers and consultants failing to translate the challenges and risks in assessing a threat. In cyber-security terms, the problems created by not effectively being able to report security issues to the appropriate people at the right time causes the gap of grief.

Let’s consider an example scenario: The CEO tours television and radio studios in a bid to dispel negative press and to assure the public that their data is safe with the company. This often backfires when it becomes apparent that the CEO has very little knowledge of their company’s cyber-security operations, let alone how the breach occurred or how many customers were affected. This causes problems to the organisation, and the gap occurs.

ASPECTS OF BUSINESS-DRIVEN MODEL:

The key element of the business-driven security model is to focus more on detection and assessing the threats then protection as it is a complicated job to carry out. Then there should be a valid defense strategy specifically for all the assets and their vulnerabilities. This defense strategy should have a definite cost to benefit values assigned.

Another aspect of the business-driven security model is, it should include the required and skilled people, process and technology (Tools and services) for carrying out risk management process.

Organizations need to find out the security gaps between the current security level of their application and infrastructure and where they want to be for an ideal security level for effective risk management. This gap analysis process is one of the key aspects to create a business-driven security model for the organisation. This gap analysis process helps out the security staffs to work on patching the gaps and vulnerabilities effectively.

Management should come up with a proper rank level for all their assets and applications based on the key values of assets. Then it will be easy for the security people to carry out gap analysis on a regular basis based on the risk ratings of assets and applications.

CONCLUSION:

The key objectives of Business-Driven Approach in security testing are,

• Security Testing practitioners must understand the business portfolio thoroughly so that they can build relevant security testing measures/framework.
• The business stake holders must be educated to understand the business impact for each of the vulnerabilities so that they can adhere to the security measures.

The business-driven security model is more useful for an organisation, not just regarding cost but also regarding proper assessment of threats and risk. If implemented in correct way, it will become an essential security model to help security people mitigate the threats and security breaches. Through a business-driven approach, Novature Tech productively orchestrates business driven security with more agile and secure way. Since it relies heavily on the risk levels for an organisation, it will help any organisation to cut cost, save time & reduce  effort on the incident and threat management.

Please reach out to us to create Business Driven Security solutions for your organization.

If you have any query or want to inquire more about Business Driven Security Testing Approach, contact us @ info@novaturetech.com

References:

• https://www.bankinfosecurity.asia/interviews/business-driven-security-how-works-i-3688
• https://atos.net/wp-content/uploads/2017/05/atos-whitepaper-cyber-security-ready-for-anything.pdf

Author: Arul Selvar   | Posted On: 12th September 2018   | Category: Article