Clear Focus Areas Required For Information Security
“May you live in interesting times!” I was told on my first day on the job, now some years ago. It resonates even more today than it did then. The information security profession appears overburdened with the challenges brought by cloud computing, personal data protection, social networking, advanced persistent threats and all other things cyber. Perhaps these are only symptoms, not the underlying challenges. In any case, I think their resolution is well beyond the reach of any single security technology or service.
Certain focus areas may be useful for information security organizations moving forward:
1. Information security must be simultaneously device, data and person centric. Sustainable information security implementations, whether as frameworks, organization, processes, technologies or services, need to be designed and operated from the questions: where are our higher-risk knowledge workers, their computing devices and services, and the data they process, and what do we do about them? An information security team that focuses only on one-size-fits-all policies and awareness will be ineffective. Similarly, one focused exclusively on technical necessities such as software patch management, certificates and network security risks being blindsided by the intricacies of protecting unstructured data.
2. More than ever, information security is about intelligence: gathering, processing, sharing and acting upon intelligence, lots of it and faster. By this I mean not only the typical software vulnerability information from channels such as managed security service providers. Intelligence also includes harvesting, normalizing and adding business context to many internal and external sources of information security data: configuration management systems, risk assessment databases, scanning tools, identity and access management systems and behavioral monitoring solutions, to name a few. Several initiatives we have embarked on at Philip Morris International are essentially about making the security state and activity of things visible and actionable every day. Getting there involves iterations of standardization, centralization and automation, as well as robust BI solutions and the skills to make business sense of millions of records about security configuration settings, complex access permissions, control maturity levels and much more. Simply put, to protect terabytes of business data, prepare to process gigabytes of security data…
3. Our stakeholders expect positive assurance about information security. The absence of virus outbreaks or audit findings within a proprietary network inspires only so much executive management confidence when cyber surveillance, industrial or commercial espionage and critical national infrastructure are persistent media and regulatory concerns. Best practices become the management standard: continuous control monitoring, daily KPIs, dynamic risk assessments, recurring benchmarks, security vulnerability testing across internet and mobile assets, rigorous due diligence at third-party service providers, cyber wargaming and several other activities wrapped up into multi-level governance meetings and executive briefings.
4. Information security must contribute to IT and business results. Necessary practices such as classification, segmentation, assessment and data mining can and should enable information security teams to contribute to productivity insights and initiatives, for example by rationalizing controls or curbing system and data sprawl. There is also no reason innovation, speed-to-market and collaboration should be notions foreign to our lexicon and competencies.
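As an added illustration of points 2 and 3 above (this is example code written for this page, not code from the author or from Philip Morris International), the following Python sketch takes two constructed scanner exports in different shapes, normalizes them into one schema, joins them to a constructed CMDB extract for business context, ranks the result, and rolls it up into a daily KPI that can be reported per owner. The tool names, field names, severity mapping, weights and every sample record are assumptions; a real pipeline would replace them with the organization's own exports. One deliberate design choice is that an asset the CMDB does not know gets no discount at all: an unregistered host with a critical finding is exactly the kind of sprawl the daily view should surface, not hide.

```python
"""Normalize multi-tool security findings, enrich with CMDB context, report a daily KPI.

Added example with constructed data; nothing here is a real tool export.
"""
from dataclasses import dataclass

# --- Constructed inputs (assumed formats) ---------------------------------
# Hypothetical scanner A: numeric CVSS-style score, asset keyed by IP address.
SCANNER_A = [
    {"ip": "10.0.1.5", "finding_id": "A-1001", "cvss": 9.8},
    {"ip": "10.0.1.5", "finding_id": "A-1002", "cvss": 4.3},
    {"ip": "10.0.2.9", "finding_id": "A-1003", "cvss": 7.5},
]
# Hypothetical scanner B: textual severity, asset keyed by hostname.
SCANNER_B = [
    {"host": "erp-db01", "check": "weak-tls-config", "severity": "High"},
    {"host": "lab-vm17", "check": "default-creds", "severity": "Critical"},
]
# Constructed CMDB extract: hostname -> business context. lab-vm17 is absent on purpose.
CMDB = {
    "erp-db01": {"ip": "10.0.1.5", "owner": "Finance", "criticality": "high", "data": "confidential"},
    "web-kiosk3": {"ip": "10.0.2.9", "owner": "Marketing", "criticality": "low", "data": "public"},
}

# Map textual severities onto the same 0-10 scale as the numeric tool (assumed mapping).
SEVERITY_WORDS = {"critical": 9.5, "high": 7.5, "medium": 5.0, "low": 2.0}
# Business-context weights (assumed). "unknown" is weighted 1.0 so that an
# unregistered asset is never quietly de-prioritized.
CRIT_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3, "unknown": 1.0}
DATA_WEIGHT = {"confidential": 1.0, "internal": 0.7, "public": 0.4, "unknown": 1.0}


@dataclass
class Finding:
    asset: str            # canonical key: hostname when the CMDB knows the IP, else the raw IP
    issue: str
    severity: float       # 0-10, comparable across tools
    source: str
    owner: str = "unknown"
    criticality: str = "unknown"
    data_class: str = "unknown"
    priority: float = 0.0


def normalize(scanner_a, scanner_b, cmdb):
    """Flatten both tool formats into Finding records with a common asset key."""
    ip_to_host = {rec["ip"]: host for host, rec in cmdb.items()}
    out = []
    for r in scanner_a:
        out.append(Finding(ip_to_host.get(r["ip"], r["ip"]), r["finding_id"], float(r["cvss"]), "scanner_a"))
    for r in scanner_b:
        out.append(Finding(r["host"], r["check"], SEVERITY_WORDS[r["severity"].lower()], "scanner_b"))
    return out


def enrich(findings, cmdb):
    """Attach owner, criticality and data class from the CMDB, then rank by business priority."""
    for f in findings:
        rec = cmdb.get(f.asset)
        if rec:
            f.owner, f.criticality, f.data_class = rec["owner"], rec["criticality"], rec["data"]
        f.priority = round(f.severity * CRIT_WEIGHT[f.criticality] * DATA_WEIGHT[f.data_class], 2)
    return sorted(findings, key=lambda f: f.priority, reverse=True)


def daily_kpis(findings, threshold=7.0):
    """The numbers a daily briefing would carry: urgent items, per owner, plus assets nobody registered."""
    urgent = [f for f in findings if f.priority >= threshold]
    by_owner = {}
    for f in urgent:
        by_owner[f.owner] = by_owner.get(f.owner, 0) + 1
    return {
        "findings": len(findings),
        "urgent": len(urgent),
        "urgent_by_owner": by_owner,
        "unregistered_assets": sorted({f.asset for f in findings if f.criticality == "unknown"}),
    }


def run(scanner_a=SCANNER_A, scanner_b=SCANNER_B, cmdb=CMDB):
    """Full pipeline on the constructed data; returns (ranked findings, KPI dict)."""
    ranked = enrich(normalize(scanner_a, scanner_b, cmdb), cmdb)
    return ranked, daily_kpis(ranked)


if __name__ == "__main__":
    ranked, kpis = run()
    for f in ranked:
        print(f"{f.priority:5.2f}  {f.asset:12} {f.owner:10} {f.issue} ({f.source})")
    print(kpis)
```

Running the sketch ranks the confidential Finance database first, then the unregistered lab host with default credentials, and pushes the public kiosk's finding to the bottom even though its raw score was 7.5; the KPI dict lists lab-vm17 as an asset to chase down, which is the "curbing data and system sprawl" contribution of point 4 falling out of the same data.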
“Dr. No” left the information security building a while ago. His office now hosts a creative team of engineers, lawyers, business analysts and auditors.
Based in Switzerland, Jan Billiet has been Philip Morris International’s Director IS Security & Risk Management since 2007. He oversees development and implementation of global information security strategies, plans, processes and services as well as various information risk reduction initiatives. He has worked for affiliates of Altria Group, Inc., and later Philip Morris International Inc., since 1996, with increasing responsibility in areas of audit and IT security. Prior to 1996, he worked as business analyst and senior consultant, primarily on systems implementation projects. Born and educated in Belgium, Jan holds degrees in Law, Economic Law and Business Administration.