Sunday, October 6, 2019

Dynamically Manage Technology Risk

How do you effectively deliver on the promise to your stakeholders to create a secure and compliant environment for the data you have in your possession? Highly regulated industries have always struggled with this question. The purpose of compliance is to secure data assets related to applicable regulations and standards for a data set. This suggests – and is written into every compliance regulation, standard, and security best practice – the implementation of a risk management process.

Herein lies the secret. Implementation of a risk management framework alone is a failure. Governance is mastery of the maturity necessary to deliver trusted levels of assurance. Delivered with confidence. Cold hard facts. Where is the quantifiable data? Where are the artifacts? How are they trending?

The number of intersecting information vectors makes it nearly impossible to deliver security and compliance with any real confidence – trusted levels of assurance. This is true for any industry, and particularly true for highly regulated industries that must face the growing diversity of regulations, standards, and security best practices across internal, external, and geopolitical pressures. This is complicated further by the duplicity of compliance requirements without a single governing and centralized source of information defining the intent or expected implementation across all technologies. This is the elephant in the room. This is the situation. The complexity lies in the ever-growing legal jargon of requirements and the exponential growth in new market-disrupting capabilities driven by new technologies and new platforms. The underlying question is whether what you’re doing now is meeting the bare necessity, the status quo, or do you have an opportunity to change the game.

Providers and Consumers
Managing sensitive data is a significant challenge as the number of factors providing inputs into the operational processes and the number of recipients consuming the outputs of the operational processes continue to increase. This is true of all information that is stored, processed, and transmitted across your infrastructure. The additional challenge in this regard is from vendors provided sensitive access to your systems and the growing rights of consumers over their own information. This affects business relationships, consumer relationships, and puts a square demand on the organization to demonstrate to both that they can protect their data.

Cost of Compliance
The cost of compliance continues to escalate for obvious – and not so obvious reasons. The obvious reason is that we must deal with an increasing number of regulations and standards that affect our business, particularly in highly regulated industries and geopolitically affected organizations. However, there is more.

There is a disconnect between the steps necessary to build a secure (compliant) system (and architecture) and the steps necessary to sustain compliant systems. The first one involves building a system securely at a point state in time. The second one involves understanding that state changes over time and governing factors such as patch management, configuration management, architecture reviews, policy reviews, and several other factors affect the ongoing security and compliance of that same system.

In simple terms, this is a governance problem. This leads to dangerous situations in which you have a perceived risk (what you think you know) that is less than your real risk (what you don’t know) because you don’t have the complete story or it’s not properly understood and calculated in context. Much could be written about both, but these are self-explanatory. You either view and calculate risk in context – addressing out-of-bounds conditions – or you suffer the consequences.

Tools are bought to address this problem. However, tools are unfortunately often poorly utilized, and poorly understood. The financial services sector has been noted by several studies as having the most tools of any industry vertical. This means that financial services have more panes of glass, and possibly more information and input to identify issues and problems. The reality is that unless you have a system for prioritizing the impact in both a general and very specific sense, you will never be able to address the issues that eventually lead to an infrastructure breach.

Related to this is the reactive phenomenon of external audits. It’s quite interesting, like tax season, everyone seems caught off guard during an external audit. Why is an external audit a surprise? Why is it so often a forcing function? The situation would change completely given a system that is designed to manage and store for future retrieval the essential artifacts requested during an audit. This takes the burden off system operators from running around checking their systems and shifts their focus to driving the day-to-day activities they are hired and trained to perform.

Cost of Security
As the tired story of growing threats continues to get the headlines, the perpetrator for many of the successful penetrations is related to the increasingly agile business. Organizations are turning new features and technologies out faster than they can effectively review them to create a market edge. This is challenging because you need to innovate and respond to the market with new features and capabilities to create parity with, or dominate, your competition. However, as an attacker, I just need one mistake.

The situation for security is that we have a complex and dynamic IT infrastructure extended across locations, acquisitions, technology platforms, and decades of technical debt.

The complexity here is compounded tremendously when you consider the challenges of creating “cloud-native” applications alongside existing mainframe technologies. Cloud-native is a moniker that can include containers or any other technology that allows elasticity and other advantages of cloud technologies. Many of these are still tightly interconnected. The challenge to change is equally met by the challenge to secure. The question then becomes, “How can I dynamically manage technology risk?