The role of Security Officer has become increasingly challenging in recent years. Companies need to comply with rapidly changing legislation and regulations, and protecting against cyber threats is becoming increasingly complex. And with the rise of cloud computing, information no longer remains concentrated within the secure walls of your own organisation. In this blog post, I will explain how you can stay in control of security and compliance of your IT landscape in just four steps.
The Security Officer is responsible for creating, monitoring and testing security policies and any associated measures. Before this is possible, it is essential to discover what information is held where, who has access to that data, and how people are using their access. This is only possible if the policies are perfectly geared to the systems and data flows within the organisation. And in many organisations, this is the point where things go wrong. Applications are often not appropriately geared towards the policies. What’s more, employees often use their own tools that are not supported by the IT department. As a result, the Security Officer may be at risk of losing sight of the movements of users, and it may no longer be clear which users have access to what data and how information is shared.
Role of Security Officer is changing
In the past, access to information and information systems was often only possible from within the organisation itself. The single biggest challenge of the Security Officer has traditionally been to keep external threats at bay. These days, however, users have access to information systems at any time and from any location, and data may be stored and shared in multiple locations, both inside and outside the business. As a result, the Security Officer is increasingly focusing on monitoring the risks far beyond their own organisation’s four walls.
Take the use of free cloud storage services, for example. Many organisations choose not to work with these cloud applications, and yet they are often used by individual employees. Partly for private use, but also to quickly share something with suppliers or customers. How can a Security Officer know when such a storage service is being used? And how can they prevent users from uploading or sharing sensitive documents with a competitor? These free solutions can be seen as a shadow IT service which creates serious security risks.
Another well-known security problem is managing users’ identities and access privileges. How can a Security Officer establish that all users are handling their data appropriately? Does the organisation know who has access to a given system? Are the access privileges still correct? For instance, are there still user IDs in circulation for employees who have since left the company? How can the Security Officer take control of these issues?
The four-step approach to information security
To answer these questions and to minimise the impact of threats, it is essential that a Security Officer is able to identify, analyse and report on the risks in good time. On the one hand, this requires the formulation of a clear policy – what is allowed and what is not. And on the other hand, it will require operational measures – how do we ensure that the rules are followed and that the right measures are taken? This is not a one-off effort because in the digital age, new threats, such as free cloud solutions, come around in rapid succession.
It requires a clear process in the organisation for securing information, and the PDCA cycle (Plan-Do-Check-Act) forms an integral part of this. Allow me to briefly explain how this cycle works:
1. Plan – Prepare policies based on risk analyses, legislation, regulations and standards. Determine the minimum requirements that your IT landscape must meet to be considered secure.
2. Do – Implement the policies by securing clear agreements and by implementing unambiguous measures.
3. Check – Use random checks and audits to check whether the organisation is sticking to the agreements made and whether the measures taken are effective.
4. Act – Resolve any problems, for instance, by amending the policies, tightening the rules or taking additional administrative or technical measures.
By continuously repeating these four steps, the Security Officer can ensure that the organisation is creating a high level of security in terms of identity management and access privileges, incident management, disaster recovery, change management and compliance with the company’s own policies. This will enable them to create an environment in which the availability, confidentiality and integrity of data is guaranteed, and where timely action is taken in the event that security is ever compromised. For instance, by immediately identifying shadow IT use, superfluous user IDs and ‘unusual’ login attempts.
However, this is a time-consuming process. These days, in complex environments, it is no longer possible to carry out this ongoing process by hand. It can only be done by automating this process, for instance, by using Security Monitoring and Control tools. These allow the Security Officer to take control of every step in the process, ensuring that the organisation also remains in control. In my next blog post, I will explain how you can take information security in your organisation to the next level using a Security Monitoring & Control tool.