WHITE PAPER / COST-WISE SECURITY MINDSET
EVOLVING THREATS, RAPID TECHNOLOGICAL ADVANCES AND NEW WAYS TO THINK ABOUT SECURITY
BY Michael Monahan, CPP
Technology enhances an organization’s operations; however, given the pace of development, introducing these technologies can sometimes outpace the protocols needed to manage new risks and vulnerabilities. Rushed responses don’t cut it, but thinking a little differently about security can break the cycle.
THE COST OF COMPLACENCY WITH REGARDS TO AN ORGANIZATION’S SECURITY POSTURE
In May 2017, WannaCry ransomware began attacking vulnerable computers around the globe, encrypting their data and demanding ransom payments in the form of Bitcoin cryptocurrency. By the time the attack was stopped a few days later, 300,000 computers across 150 countries had been affected, with damages totaling in the billions of dollars.
The WannaCry ransomware attack was the largest of its kind to date — and it’s far from the last. Researchers from SonicWall Capture Labs recorded 5.99 billion malware attacks in the first half of 2018 alone, more than double the number from the same period in 2017.
Given the increase in the number, complexity and severity of such attacks, cybersecurity has become one of the most important considerations in business planning. The challenge is weighing security risks and costs against your budget and making the best decision to protect your organization.
SECURITY PROTECTION THAT REFLECTS BUSINESS OBJECTIVES
The cost of neglecting security issues can be high, leading to obsolescence of installed systems as well as complacency in policies and procedures. In time, this can breed vulnerabilities that an attacker can easily exploit — or an auditor or lawyer can discover — resulting in a potential loss of assets, including a company’s brand and reputation.
To prevent such losses and to protect assets, decision-makers must cultivate a security-driven mindset, and they must prepare to have their judgment, commitment and resolve tested in the development and delivery of integrated security solutions. Bracing for the challenge may be more difficult than it seems, given the demands made on this mindset in each of the following areas.
COMMITMENT
A decision-maker’s commitment to a security project will be tested on multiple fronts. The greatest obstacles are often embedded in the organization’s cultural norms. Before implementing sweeping changes, a prudent leader will first consider the time, outreach and patience required to develop and secure buy-in for a strong security strategy. To manage competing priorities and demands, it is necessary to assemble a strong coalition prepared and capable of leading change.
[Figure: PJM Control Room; Source: StateImpact Pennsylvania, Courtesy of PJM.]
ALIGNMENT
Discussions regarding security technology must address — and be aligned with — the policies, procedures and people who will be responsible for leveraging these technologies. Without this alignment, any solutions you implement could potentially be rendered obsolete, ineffective or merely inconvenient over time, leading too often to their ultimate abandonment.
JUDGMENT
Good judgment in security decision-making often comes with experience. Experience, however, is usually gained through incidents that may involve mistakes and poor judgment. That is why it is critical for decision-makers to be honest in appraising their teams’ experience and qualifications. Available resources must be developed, mentored and empowered to plan and execute as a team in order to turn the vision for an integrated security solution into reality.
TEAM
The goal is to build a team that can be relied upon for discretion and good judgment by leveraging its requisite experience, attention to detail and professionalism at each step in a project’s life cycle to achieve and maintain a high-performing security system. Leaders must also build teams that can exercise proper foresight in budgeting and communicating the total cost of ownership of the solutions they implement.
COST-EFFECTIVENESS
Because a successful security outcome is, by nature, a nonevent, it can be frustratingly difficult to measure a security system’s cost-effectiveness. Still, specific measures can be employed to evaluate and communicate the relative value of security system components, including:
Congruence – Can you simply and clearly articulate how a chosen technology fulfills an essential component of the organization’s overall security strategy?
Sustainability – Does the technology solution have the capabilities, as well as the protocols, policies and procedures, needed to achieve your objectives? Has the system been scrutinized for its ability to deliver future functionality and flexibility as security and compliance requirements evolve?
Reliability – Does each security component perform as advertised? Will it function properly the first, 10th, 100th and 1,000th time it is called upon? Has your organization committed to maintaining this level of performance over the long term, and do you have the team in place to select, implement and maintain this performance level? Is it necessary to pare down the number of vendors, tools and/or metrics to make long-term operations and support more feasible?
PREVENTING THE ONSET OF OBSOLESCENCE
Once an integrated security system is installed, an organization must remain proactive and pivot to a position that will integrate the changes into the organization’s culture. This requires both vigilance and assertiveness to raise awareness among staff. The organization must also regularly and actively scan its landscape for security-related challenges and opportunities emerging from within the security team and across the organization.
One strategy to build awareness throughout the organization is to test the strength of communication and competing influences from the bottom up and the top down. Actionable insights can be gained by observing how high up the chain of command specific challenges and opportunities are circulated before they recede and fade from the organization’s discourse.
In one instance, a local government client had a long-standing relationship with a guard force services provider. Although numerous questions had been raised regarding the manner in which these services were provided, the recommendation to open that contract up for competing bids was met with unexpected resistance.
Observing how far down the chain of command you can go before the organization’s mission, core values and governing principles are lost among employees is another way to test resiliency. Policies surrounding key control, piggybacking or vegetation management are just a few topics that seem easier to approve in a conference room than to execute in practice. It is imperative that proper attention be given to training staff and managers in the policies and procedures necessary for making a given technology effective. Enforcement measures and rewards for personnel will be structured accordingly.
One client instituted a program of positive reinforcement in which employees were encouraged to communicate security vulnerabilities that they observed in the workplace. Participants received direct feedback in person from the director of security in front of their peers, even receiving a simple and inexpensive token of appreciation and a signed certificate. It was not uncommon for these certificates to be found in office spaces throughout the facility, setting a positive tone that encouraged an “all hands” approach to driving security throughout the business.
Above all, trust is paramount. Controlling and managing risk requires open and positive communication, responsiveness and accountability.
CONCLUSION
Today’s fast-changing security environment demands that business leaders cultivate mindsets that simultaneously track both evolving threats and technological and digital advances.
Securing buy-in from stakeholders who hold the cards and control the budget is necessary if the goal is to convert new technologies into integrated, sustainable security solutions. The ability to align resources and cultivate a trustworthy team that exercises proper due diligence is vital to the successful implementation of a holistic, sustainable security strategy in any organization.
BIOGRAPHY
MICHAEL MONAHAN, CPP, is a section manager in the Corporate Information Technology department at Burns & McDonnell. He has more than 10 years of experience with industrial facility design-build requirements and security compliance requirements. This has included managing projects for government and private sector clients, including municipal and investor-owned utilities. Mike is an ASIS Board Certified Protection Professional and has provided security consulting and analysis services to a wide variety of critical infrastructure clients, including security system design and implementation management.