The Internet allows businesses of all sizes and from any location to reach new and larger markets and provides opportunities to work more efficiently by using computer-based tools. Whether a company is thinking of adopting cloud computing or just using email and maintaining a website, cybersecurity should be a part of the plan. Theft of digital information has become the most commonly reported fraud, surpassing physical theft. Every business that uses the Internet is responsible for creating a culture of security that will enhance business and consumer confidence.
As they say, there are 2 types of companies out there – the ones who have been breached and those who will be breached. Having a comprehensive framework in place and following it carefully can make things easier much before and after a cyber attack.
1. Imagine a SaaS company has come into existence which uses various cloud vendors and on-premises infrastructure. I’d like to ask how this company should approach cybersecurity in its organization. What should be the framework?
Depends on the size of the company. Let us assume it is big enough to have an “IT department” and within that at least 1 or more dedicated security staff.
Given that, the advice is the same for any kind of company. If the company is under “security pressure” or has customers under security pressure (e.g., banks, governments, hospitals, etc.) the head of security should be designated with the “CISO” title. The CISO or head of security should establish a security program and framework.
I described how to set up, refresh, or assess a security program in Chapter 7 of my upcoming book. Briefly, the business and security leadership of the company must develop a “Definition of Security” – its mission, mandate, lines of authority and decision rights. Express this definition (unique to every company) in a Board of Directors-endorsed security charter. The chapter also becomes the root document for the Security Policy and all its subordinate policies, procedures, and processes. The charter establishes a cross-functional security coordinating function; in a small company it might be embedded as an agenda item in the regular executive or product leadership staff meetings, in a larger company the function should be a dedicated security steering committee.
One of the few differences for a SaaS company is that typically the head of security should report either to the Senior Product leader rather IT, or to the CEO or a CXO.
The Security Policy should contain a document called a “Control Framework” (which I assume you were asking about). Which one is region or industry specific. Worldwide, many organizations follow ISO 2700X, but the NIST Cybersecurity Framework is also very good and it contains a map to ISO, NIST 800-53 and COBIT. SaaS providers will probably need to obtain a SOC 2 certification and other certifications.
I define risk per the Open FAIR standard – it is the loss exposure created by the probable frequency of adverse events times the impact of those events materializing. Risk must be quantified and explained in business terms to business executives. I describe all this in my Chapter 5, Manage Risk in the Language of Business.
Establish business risk owner accountability for cyber-risk, IT operational risk, and other forms of risk. Establish a risk management forum (in a large enough company) or use an existing forum such as the Corporate Social Responsibility Committee, Audit Committee, or Corporate Ethics Committee. The IT and security risk teams report their top risks up to the forum and take guidance on risk appetite and executive preferences for risk treatment strategies from it. Adopt a consistent risk management framework (I recommend ISO 31000 plus FAIR) across the different risk teams. Also in a larger company, build a tiered risk assessment process into IT and instrument it into the IT-GRC system and the IT service management system. Embed risk assessments into third party management, vulnerability assessment, and other processes.
This risk management process determines which controls are required. In Chapter 3, I describe how to establish a control baseline and then maintain through it through the risk management process.
Controls must be tested as you suggest. How often depends on the type of control, the risk level, and the practicality of testing.
For a SaaS company a high degree of automation is expected. The vulnerability and configuration management, monitoring, and runtime access controls for example should be tested continuously.
The book is focused on the challenge of cybersecurity-business alignment. As I describe in this blog post, many business executives do not really understand cybersecurity, have not defined it for their organization, and do not consider it strategic. At the same time, security leaders don’t really have the framework and the guidance to communicate in business terms and gradually shift the security culture to a more favorable model. Here is how I describe the basic problem and how the book points to solutions.
I provide specific, actionable advice in the book (due out in May) on three great places to start.
- Gain top level support for prioritizing cybersecurity
- Align with business stakeholders in security-related roles
- Prioritize your work efforts using an 80-20 model and apply the advice in the first two bullets to each work effort. The generic priorities I recommend are: risk management, control baseline, security culture, IT simplification, access control, and cyber-resilience.
Bottom line: These concepts are fairly generic, but the implementation varies with the type of organization and its business culture. Independent SaaS companies tend to be lean, young, and to have a relatively low power distance. This general advice in Chapter 7 is especially appropriate for SaaS companies.