
ILTA Just-In-Time: Don’t Fight Today’s Threats with Yesterday’s Compliance

By Franki Russell posted 05-07-2025 15:20


Please enjoy this blog authored by Sarah Luiz, Cyber Assessment Manager, Conversant Group. 

In an age of continuously evolving security threats, firms are increasingly challenged to balance compliance requirements with security needs. Because non-compliance with these standards carries potential legal, regulatory or reputational consequences, firms often spend most of their security capacity on controls that satisfy compliance requirements rather than on controls aimed at today's threats. Relying solely on compliance-mandated controls is a common but risky practice that can leave firms with critical gaps in their security programs.

Have you considered what may be missing from a security program driven primarily by compliance? Consider the standard publishing-lifecycle process of a security framework:


A group of experienced security professionals spends months collaborating on an outline that captures as many critical controls as possible, focused on the security threats and technologies of the time.

This is then expanded into a full list of controls, which further details these requirements. 

The full document then undergoes a multitude of reviews, revisions and approvals before finally being published. 

This publishing process can take months, or in some cases years, and the resulting standard or framework then remains in effect for several years after its publication date. Meaningful content updates are typically limited during that period to preserve consistency between versions. When an update does occur, the whole process is repeated.


By the time a framework is published, attackers have already moved on from the methods that were novel when it was drafted, and the slow evolution of these standards means that outdated security controls come to be regarded as the industry standard.

ISO/IEC 27001, to take an extremely popular example, was substantially revised in ISO/IEC 27001:2013, published September 25, 2013. The next revision, ISO/IEC 27001:2022, was not published until October 25, 2022. Even today, firms may continue to certify against the 2013 version until October 31, 2025, more than a decade after it was published.

Given this publication life cycle, frameworks are perpetually fighting a battle against time. Static standards may work well in industries such as manufacturing or construction, where tools evolve slowly and work methods stay consistent for years. In the ever-changing world of cybersecurity and threat actors, however, firms must ensure their security baseline grows quickly and continuously.

Alongside the problem of outdated controls, audits against these requirements can masquerade as a way to confirm that an organization is secure from threat actors and therefore unlikely to sustain a breach. A clean audit report can leave a firm with a false sense of security that it has all the appropriate tools and controls in place to safeguard its network. Many organizations treat these audits as the main form of continuous review of their security controls. In reality, an audit evaluates whether a control is implemented, not whether it is effective against current threats.

Despite these concerns, compliance frameworks do play a significant role in demonstrating a firm's security maturity to parties outside the organization. Their requirements should be treated as one portion of the security baseline, combined with controls designed around current threat intelligence to bridge the gap between static requirements and dynamic threats. Up-to-date threat intelligence must lead your security evolution, both to minimize the risk of a breach and to give the firm a better chance of surviving one when it does occur.

Current threat intelligence from Fenix24, the industry leader in breach preparedness and recovery, shows that threat actors most often target critical consoles, security tools and backups through compromised credentials, remote access tools and lateral movement. The controls that most increase security and survivability in these scenarios, such as administrative identity segmentation, break-glass accounts, and multiple, segmented, immutable backups, are not even considered within most major industry security and resilience frameworks.
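As an added illustration of the difference between "implemented" and "effective against the credential-compromise and lateral-movement scenario just described", the following Python script (written for this page; it is not code from the original post, Conversant Group or Fenix24) scores a constructed backup inventory and admin-account list against the controls named above. Its definitions are assumptions: "segmented" is read as copies sitting in at least two distinct network segments and administered from at least two distinct credential domains, "immutable" as at least one copy under a retention lock that has not yet expired, and "administrative identity segmentation" as no tier-0 credential ever logging on to a workstation (assumed to be named `ws-*`). All hostnames, domain names and dates are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class BackupCopy:
    name: str
    segment: str                         # network segment / trust zone of the repository
    credential_domain: str               # identity realm whose admins can alter or delete it
    immutable_until: Optional[datetime]  # retention-lock expiry; None means mutable


@dataclass
class AdminAccount:
    name: str
    tier: int                            # 0 = domain, backup or security-console admin
    logon_hosts: List[str]               # hosts where this credential has been used


def assess_backups(copies: List[BackupCopy], now: datetime, min_copies: int = 3) -> List[str]:
    """Return findings for an inventory that fails 'multiple, segmented, immutable'."""
    findings = []
    if len(copies) < min_copies:
        findings.append(f"only {len(copies)} backup copies (minimum {min_copies})")
    # Segmentation: owning one segment must not put every copy within reach.
    if len({c.segment for c in copies}) < 2:
        findings.append("every backup copy sits in the same network segment")
    # Credential separation: one stolen admin credential must not administer every copy.
    if len({c.credential_domain for c in copies}) < 2:
        findings.append("one credential domain administers every backup copy")
    # Immutability: at least one copy must be under a retention lock that has not expired.
    if not any(c.immutable_until and c.immutable_until > now for c in copies):
        findings.append("no backup copy is under an unexpired immutability lock")
    return findings


def assess_admin_segmentation(accounts: List[AdminAccount], workstation_prefix: str = "ws-") -> List[str]:
    """Flag tier-0 credentials that have been exposed on workstations (assumed naming: 'ws-*')."""
    findings = []
    for acct in accounts:
        if acct.tier != 0:
            continue
        exposed = [h for h in acct.logon_hosts if h.startswith(workstation_prefix)]
        if exposed:
            findings.append(f"tier-0 account {acct.name} logged on to workstation(s): {', '.join(exposed)}")
    return findings


# Constructed inventories; hostnames, domains and dates are made up for the example.
NOW = datetime(2025, 5, 7, tzinfo=timezone.utc)

WEAK_COPIES = [  # two copies, same LAN, same admin realm, one expired lock
    BackupCopy("nightly-vm", "corp-lan", "corp.example", None),
    BackupCopy("weekly-nas", "corp-lan", "corp.example", datetime(2025, 1, 31, tzinfo=timezone.utc)),
]
HARDENED_COPIES = [  # three copies across three segments and three credential domains
    BackupCopy("nightly-vm", "corp-lan", "corp.example", None),
    BackupCopy("vault-appliance", "backup-vlan", "vault-local", datetime(2025, 8, 1, tzinfo=timezone.utc)),
    BackupCopy("cloud-objectlock", "cloud-tenant", "cloud-iam", datetime(2025, 11, 1, tzinfo=timezone.utc)),
]

WEAK_ADMINS = [
    AdminAccount("da-jsmith", 0, ["ws-jsmith", "dc01"]),   # domain admin used from a daily workstation
    AdminAccount("jsmith", 2, ["ws-jsmith"]),
]
HARDENED_ADMINS = [
    AdminAccount("da-jsmith", 0, ["paw-jsmith", "dc01"]),  # used only from a privileged access workstation
    AdminAccount("jsmith", 2, ["ws-jsmith"]),
]

if __name__ == "__main__":
    for label, copies, admins in (("weak", WEAK_COPIES, WEAK_ADMINS),
                                  ("hardened", HARDENED_COPIES, HARDENED_ADMINS)):
        print(f"[{label}]")
        for finding in assess_backups(copies, NOW) + assess_admin_segmentation(admins):
            print("  -", finding)
```

Note that both inventories would pass a checklist item such as "backups are taken and a privileged-access policy exists"; only the second survives the scenario in which one corporate admin credential is stolen from a workstation and used to reach the backup repositories.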

As ransomware and ransomware-as-a-service continue to grow in prevalence and threat actors evolve daily, it is critical that firms treat compliance-mandated controls as a starting point, not a last stop. This shift in security vision is crucial to expand a security program beyond a primary focus on meeting compliance requirements into one that is properly prepared to resist and recover from the security threats of today.


#Just-in-Time
#DataPrivacy
#Ransomware
#Security
#BlogPost
