CNS Group – assurance vs accreditation
We’re living in a very fast-moving and ever-changing world. A world where cyber security (or the lack of it) is mainstream, daily news. Market and technology developments have opened growing opportunities for criminal activity.
2017 was, to say the least, an interesting year for all things cyber, we saw some of the biggest attacks in recent history, with millions of consumers and thousands of businesses affected by everything from the WannaCry attack to the TalkTalk and Uber data breaches.
Cyber security now IS the issue on every business leaders mind; how do they defend themselves from falling victim to a breach? How can they guarantee consumers that their assets will remain protected from that next security attack? The effect on those businesses who have suffered a major breach tend to be so substantial that share price, brand, reputation and long-term profitability can be seriously weakened.
That’s not to say there isn’t methods to lessen the burden; there’s various certification schemes out there that are designed to alleviate concerns such as PCI-DSS, ISO27001 and Cyber Essentials.
The only problem with these is that cyber services versus cyber security needs evolves just too rapidly nowadays and many certification programs (but not all I might add) only require the “tick in the box” annually; they are essentially providing a guarantee that at a certain point in time the security posture of a service or environment was in an accredited state. What about the rest of the year?
Personal experience as an accreditor/auditor and the fact that so many accredited businesses do still suffer breaches leads me to the point that many of them do, what can be best as described as “the minimum”, to get that tick in the box; they get their certificate and return to it 11 months later.
To combat these issues and to meet the supersonic pace of cyber security demands a much more flexible model of assurance is required; one that focuses on risk management, regular risk treatment and continuous risk reduction; in short, going beyond cyber security certification and maintain the security posture on an-going basis.
By conducting proper risk management (as many of the certification programmes do dictate) you introduce a suite of continuous and iterative activities throughout the cyber security lifecycle that requires validation or approval gateways and practical mitigation strategies. Mitigations (or risk treatments) include design principles, technical controls, policy dictation and procedure controls. If these are (religiously) adhered to, they will actively reduce risks to acceptable levels of a given solution.
To deploy a workable risk management process the security assurance framework that accompanies it must be:
- In line with business and operational requirements and include senior management (get their buy-in);
- Validate identified controls;
- Ensure those controls are implemented correctly;
- Ensure regular reviews so that risks are identified, assessed, managed and reported.
- Include risk treatment plans that include the involvement of technical architects and project managers
- Include a risk reduction process in the form of supporting evidence (such as blueprint designs)
Should such a framework be adhered to, a secured assured status is continuous if or when comes to certification the panic to prove that systems are in a fit and proper state will not be rushed and the business in question can be seen to be offering quantitatively managed of cyber security maturity.