An earlier blog post covered how security practice and technologies have changed over the last couple of decades; here we look at how the culture has changed with them.
"Security is the group that says 'No!'" is how security used to be perceived but, in most organisations at least, that has changed. Back then, the security team had a list of rules designed to keep the company safe from harm, and those rules were not to be broken. Then came standardised solutions for activities which the company did not want to miss out on but had not previously been allowed, such as internet access through a proxy that provides content filtering and malware scanning. Over time, security became more flexible, and is now usually based on a Governance, Risk and Compliance (GRC) model. For any organisation which develops in-house systems, security often plays a role in assurance too, overlapping governance and compliance, as a project moves from design through development and deployment to live operation.
Compliance is the comparison of a system with a set of rules, and has always been part of the security team's role: defining security-related policies and checking that everybody complies with them. This used to end with "No!" for anything that was not compliant, but there is now much more flexibility. Those policies are there for a reason, but the security team is now meant to be a 'business enabler' and can allow operations to go against policy as long as the risk is properly managed. Putting additional protective mechanisms in place to mitigate the risk is often the agreed outcome: the risk is reduced to an acceptable level, potentially with additional governance, and the project can proceed. Internet access through a proxy is an example of such a mitigating control; allowing all employees unfiltered internet access would carry a high risk, whereas routing it through a proxy with content filtering and malware scanning brings that risk down to a level the organisation can accept.
Governance is the alignment of security policy (and hence compliance) with the organisation's goals and risk appetite. It is achieved by clearly communicating security and risk processes and policies throughout the organisation, by providing the resources needed for effective risk management, and by tracking the security posture of all systems throughout their whole life cycle.
Risk management involves assessing the likelihood and impact of the threats exposed by each non-compliance, and then taking one of four common approaches: accept, mitigate, avoid or transfer. Mitigation is the changing of, or addition to, the technologies or processes involved in order to reduce the risk. Avoidance is the decision not to proceed at all, because the risk is too high and cannot be reduced to an acceptable level. Transfer moves the risk elsewhere, such as onto a cyber-security insurance policy; this is still an evolving area, as insurance actuaries try to balance the risks they are taking on against the premiums they should be charging. Acceptance means continuing without any risk-changing strategy, and what is acceptable will vary with the organisation's risk appetite: some will be 'steady as she goes' and highly risk averse, while others may be willing to take a more 'live fast, die young' approach.
Finally, there is the culture change in who is responsible for security. Many organisations now take the view that security is everybody's responsibility, so all employees get annual security training refreshers and a place to report phishing emails, and often role-specific security training as well, such as training for software developers on avoiding the OWASP Top Ten.
The security team no longer says 'No!' or, at least, not always.
Net Reply have experts in security by design, identity and access management, automated security testing and response, and many other aspects of security. Please feel free to reach out to Ian Shatwell.