The Changing Risk Management Landscape
Published July 6, 2015 by Brad Thies • 4 min read
This post was originally published on TechSling.
Security breaches in every industry are all over the news these days, and companies are becoming more mindful of the need for compliance and risk management. As a result, they’re putting their cloud service providers under a microscope.
But the business world is changing. The fixed cost model is fading as subscription-based services thrive. Speed and system availability are necessary to a successful business, and these qualities take precedence over fancy, complex features.
Customers are evolving as well. If you don’t know what I’m talking about, shut down a teenager’s Twitter handle for a few minutes. The teenager of the ’90s was OK with waiting an hour for a song to download on Napster, but times have changed. Today’s consumers have no patience for downtime because of a “security issue” — or any other reason, really.
Companies rely on the services they offer to keep their products in demand. One false move or a few bad press items can lead to a failed company. Sixty percent of the time, organizations can be compromised within minutes, yet companies sometimes take weeks or months to discover a breach, according to the latest Verizon Data Breach Investigations Report. Such discrepancies aren’t going to be an acceptable norm when the compromise impacts customers.
Discover Risks More Quickly
One reason discovering issues takes so long is that there’s just too much data to analyze. Risks and security incidents used to be manageable on a case-by-case basis, but that approach doesn’t work anymore. Incidents are more complex, interdependent, and non-linear.
The traditional information security triangle covers confidentiality, integrity, and availability of systems and data. Better risk management allows for a faster intake of all incidents and events, whether they’re customer- or security-related. However, traditional models typically don’t consider time as a factor in information security, and time should be taken more seriously.
One of the biggest challenges facing security is that most companies rely on outdated legacy systems that are open to vulnerabilities. They can’t keep the systems patched enough to withstand security breaches. However, the benefits of moving an organization onto the cloud — such as speed to market and scalability — bring with them the concern of “the cloud multiplier effect,” which is an increased probability of a data breach.
There’s no such thing as a silver bullet; however, the cloud multiplier effect has also highlighted the opportunities to embrace the cloud to enhance your security posture. The cloud should be a natural extension of the enterprise. You rarely hear of services hosted on Amazon Web Services, Google Cloud, or Microsoft Azure being breached. So the fear of losing control of their data should wake companies up to the reality that security is too complex to tackle alone.
Cloud service providers have the opportunity to alleviate concerns, better define where risks are for their clients, and establish where the shared responsibility for managing security should lie.
All CSPs (not just the big ones) need to be aware of security- or compliance-as-a-service. They need to stay ahead of the risks and provide access to structured compliance documentation (SOC 2, PCI, HIPAA, ISO 27001, etc.), detailed log management to identify security anomalies, data encryption to centralize key management, and internal and external vulnerability scans.
Gartner projects that there will be more than 13 billion connected “things” in the consumer sector alone by 2020. The Internet of Things is just the tip of the iceberg when it comes to why risk management needs to be addressed in every industry.
How to Keep Procedures Up-to-Date and Communicate Security to Companies
Sound risk management helps protect brands, streamline processes, and quantify losses. Security risk management isn’t focused solely on compliance because regulations are usually outdated by the time they’re written down; it uses dynamic controls to link events across multiple disciplines. Here’s how to keep your security procedures up-to-date:
- Know customers’ assets. CSPs shouldn’t be responsible for enforcing what data is transmitted to them from customers, but they should have an understanding of how customers classify their data. CSPs should categorize their systems appropriately and understand the impact of any losses in confidentiality, integrity, or availability of customer data.
- Layer security. Customers are concerned about how CSPs can protect their information among all the co-mingled data in VM and hypervisor environments. There’s no silver bullet to protect data, but layering security
- Secure APIs. APIs should bring better integration to other business applications, which is why OAuth has become a standard. However, insecure APIs and interfaces that rely heavily on outside authentication expose significant vulnerabilities.
- Establish accountability and communication. When security events occur, CSPs need to have the tools and processes in place to detect and correct the breaches. They also need an organizational structure that keeps pace with emerging security concerns and keeps the company informed. CSPs should communicate frequently with customers to coordinate security across the entire customer base.
- Provide independent assurance. CSPs are typically dependent upon their customers and data, which presents unique risks. Customers see great value when CSPs provide independent audit and assurance reporting of their environment.
Protecting your critical infrastructure and business assets from hackers and other threat actors is more important than ever, as they’re becoming increasingly sophisticated. After several large breaches, companies are beginning to take closer looks at their own risk management and compliance procedures, as well as at the approach of their CSPs. Providers that can ensure their risk management and compliance measures are up-to-date will be able to alleviate detrimental effects on their clients’ businesses and establish long-lasting trust.