Business Management Review

A featured contribution from Leadership Perspectives, a curated forum for business leaders, nominated by our subscribers and vetted by the Business Management Review Editorial Board.

esure Group

Richard Frost, Chief Information Security Officer

What it truly means for IT Security to be a business enabler.

We all know the cliché, “IT security teams always say no!”, but what does it actually mean for security to be a business enabler? The answer is to be proactive: being on the front foot, having the controls in place to manage innovation risk, and so freeing the business to pursue its goals. Understanding and managing innovation risk is extremely important, yet reactive information security teams often give it little attention until they are called in to respond to an incident. A common industry example of innovation risk is taking shortcuts in the cloud because of time pressure or knowledge gaps, leading to cloud misconfigurations and the exposure of sensitive data.

Let me demonstrate by sharing some examples of proactive security in my current organisation, a UK insurer going through a digital transformation.

Driving Behaviour With Near Real-Time KRI Dashboards

Not every vulnerability or misconfiguration is the same. Some carry far more risk than others, and prioritising work purely on the severity reported by your scanner will overburden your development teams with findings that do not matter. Apply your own logic on top of the scanner's score by considering whether the asset is in a production environment, is reachable from the internet, is exploitable today or likely to be exploited soon (EPSS estimates the probability that a vulnerability will be exploited in the wild over the next 30 days), processes sensitive data, or is mission critical. Then build visual dashboards that measure your KRIs at Exec, Tribe and Squad levels, with separate buckets for each SLA: for example, a severity 1 bucket for production vulnerabilities or misconfigurations severe enough that they must be fixed within 24 hours, a severity 2 bucket for 7 days, and so on. There is nothing like a KRI dashboard to drive behaviour, particularly when it is visible to the risk committee!
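The scoring logic described above, worked through as an added example (this is illustrative code written for this page, not the author's or esure's tooling). It assumes a scanner export that gives a CVSS base score and an EPSS probability per finding, joined to an asset inventory carrying the context flags the paragraph lists; the field names, point weights, bucket thresholds and SLA durations are all assumptions chosen to show the shape of the approach, and the sample findings are constructed.

```python
"""Risk-adjusted prioritisation of scanner findings with SLA buckets and a KRI rollup.

Added example. Point weights, thresholds and SLAs are illustrative assumptions,
not a vendor schema or a recommended standard.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Asset:
    name: str
    squad: str              # owning team, used for Squad-level dashboards
    tribe: str              # grouping of squads, used for Tribe-level dashboards
    production: bool
    internet_facing: bool
    sensitive_data: bool
    mission_critical: bool


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: Asset
    cvss: float             # scanner's base severity, 0.0 to 10.0
    epss: float             # EPSS probability of exploitation within 30 days, 0.0 to 1.0
    known_exploited: bool   # e.g. listed in a known-exploited-vulnerabilities catalogue
    first_seen: datetime


# Fix-by window for each bucket (assumed values, matching the 24h / 7-day pattern in the text).
SLA = {1: timedelta(hours=24), 2: timedelta(days=7),
       3: timedelta(days=30), 4: timedelta(days=90)}


def risk_score(f: Finding) -> int:
    """Start from the scanner's severity, then add what the scanner cannot know."""
    a = f.asset
    if f.cvss >= 9.0:
        score = 4
    elif f.cvss >= 7.0:
        score = 3
    elif f.cvss >= 4.0:
        score = 2
    else:
        score = 1
    # Exploitability: confirmed exploitation outweighs a high EPSS probability.
    if f.known_exploited:
        score += 3
    elif f.epss >= 0.10:
        score += 2
    elif f.epss >= 0.01:
        score += 1
    # Asset context.
    if a.internet_facing:
        score += 2
    if a.sensitive_data:
        score += 1
    if a.mission_critical:
        score += 1
    # Non-production assets are pushed down regardless of raw severity.
    if not a.production:
        score = max(score - 3, 0)
    return score


def bucket(f: Finding) -> int:
    """Map the adjusted score onto SLA buckets 1 (most urgent) to 4."""
    s = risk_score(f)
    if s >= 9:
        return 1
    if s >= 6:
        return 2
    if s >= 3:
        return 3
    return 4


def deadline(f: Finding) -> datetime:
    return f.first_seen + SLA[bucket(f)]


def kri_rollup(findings, now: datetime, level: str) -> dict:
    """Open and SLA-breached counts per bucket, grouped by 'squad' or 'tribe'."""
    rollup: dict[str, Counter] = {}
    for f in findings:
        row = rollup.setdefault(getattr(f.asset, level), Counter())
        b = bucket(f)
        row[f"sev{b}_open"] += 1
        if now > deadline(f):
            row[f"sev{b}_overdue"] += 1
    return {team: dict(counts) for team, counts in rollup.items()}


# Constructed sample data (assumed asset names and teams).
NOW = datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)
PORTAL = Asset("quote-portal", "quotes", "digital", True, True, True, True)
DEV_BOX = Asset("dev-jenkins-01", "platform", "engineering", False, False, False, False)
BATCH = Asset("claims-batch-02", "claims", "digital", True, False, True, True)
SAMPLE_FINDINGS = [
    # "Critical" per the scanner, but on an internal dev box with low EPSS.
    Finding("F-1", DEV_BOX, cvss=9.8, epss=0.02, known_exploited=False, first_seen=NOW - timedelta(days=10)),
    # Only "High" per the scanner, but internet-facing production with confirmed exploitation.
    Finding("F-2", PORTAL, cvss=7.5, epss=0.61, known_exploited=True, first_seen=NOW - timedelta(days=2)),
    # "Medium" on an internal but mission-critical production system holding sensitive data.
    Finding("F-3", BATCH, cvss=5.3, epss=0.005, known_exploited=False, first_seen=NOW - timedelta(days=40)),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.finding_id, f.asset.name, "scanner CVSS", f.cvss, "-> bucket", bucket(f))
    print(kri_rollup(SAMPLE_FINDINGS, NOW, "squad"))
    print(kri_rollup(SAMPLE_FINDINGS, NOW, "tribe"))
```

Run as written, the scanner's "Critical" on the dev box lands in bucket 4 while the "High" on the internet-facing portal lands in bucket 1 and is already overdue; the rollup is the per-squad and per-tribe view a dashboard would chart, with the overdue counts being the KRI that drives behaviour.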

Reducing User Friction: Imposing a significant burden on the end-user experience in the name of security will soon push end-users to bypass controls and will generate complaints. A simple example is password expiry. Many systems force users to change their password at regular intervals, typically every 30, 60 or 90 days. This burdens the user and creates account-recovery costs for the Service Desk. Forced periodic password changes do not improve security (users respond with predictable variations of the old password, and current NCSC and NIST guidance is not to enforce expiry), so use SSO with MFA to reduce user friction and maintain security at the same time.
Leverage Zero-Trust To Mobilise The Workforce: In today’s world, business users must be able to work from any location, including the occasional risky public wi-fi hotspot. Good segmentation between end-users and critical assets in the data centre, plus the ability to respond immediately to end-user threats when they arise, gives the workforce the flexibility to work from anywhere. Many businesses still use traditional client VPNs, which place the user's device on the network and have allowed ransomware to propagate from end-user devices to critical assets in the data centre. Replacing them with zero trust private access reduces the attack surface to just the specific applications the user needs for their role, eliminating the exposure of risky ports and protocols.

Weekly Security Architecture Triage Surgeries: There is nothing worse for a security team than shadow IT, a new solution going live without any security engagement. Formal governance, including design review boards, has its place, but it needs to be more convenient for teams to engage with.

The articles from these contributors are based on their personal expertise and viewpoints, and do not necessarily reflect the opinions of their employers or affiliated organizations.