By Dr. Brett Miller, Faculty Member, Intelligence Studies, at American Military University
*This article is part of In Public Safety’s October focus on National Cyber Security Awareness Month*
Security breaches in the business world have become commonplace and can have a catastrophic impact on the organization’s people, data, and brand reputation.
True security can only be realized through a comprehensive active approach that incorporates resources throughout the organization. There simply is not a silver bullet that can provide adequate security. However, a company can work to protect itself by incorporating proactive security measures that involve the entire organizational hierarchy.
Security Through Active Prevention Strategy
The Security Through Active Prevention (STAP) framework is a holistic approach that utilizes an organization’s resources while taking into consideration the company’s distinctive needs and requirements. The STAP framework consists of four pillars:
- Organizational culture
- Administrative activities
- Security attentiveness
- Active monitoring
Addressing each of these aspects in a comprehensive way will significantly reduce the likelihood of a breach.
Addressing Organizational Culture
Developing a security-based culture takes time. Like all things associated with organizational change, it starts at the top. Many organizations layer their information security (IS) team at low levels in the overall organizational hierarchy. Placing the IS team in the bowels of the company conveys a message to the workforce that information security is not of the utmost importance.
The most effective way to prioritize information security is to create a position of Chief Information Security Officer (CISO). Leaders should create channels for communication about this position and the role of the IS team.
The more IS can be talked about, the more relevant it will become to the workforce. Organizations should develop weekly or monthly security newsletters and other information about current and real-world security breaches to keep the workforce informed and help keep information security top-of-mind.
It’s also important to enlist the workforce’s help because security is the responsibility of all employees. Organizational leaders should look for ways to reward those who have contributed to the overall security of the organization to help build a security-centric organization.
There are a vast number of administrative activities that an organization can put into place to address security concerns. However, the success of such activities depends on the company’s ability to implement policies and procedures to ensure adherence and review these policies to ensure they are effectively meeting the needs of the organization. There is no benefit to putting a policy in place if there is no adherence to that policy.
One of the most effective methods to enhance security is through security training and awareness. The type of training and the reoccurrence of such training depends on the employees’ roles and responsibilities. For example, an employee who is a general user should be required to take basic awareness training on a yearly basis. However, those with greater access to organizational data should be required to take more in-depth training.
Executives should develop base-level standards for all employees operating in the security arena. There are a multitude of commercial certifications that employees can pursue. Organizations should determine which certifications meet the needs of the organization.
Security must be included in the design, development, and implementation of all systems throughout the organization’s infrastructure. Legacy systems must either be updated to include security components or be decommissioned and replaced with new systems that have stronger security measures.
Fortunately, the National Institute of Standards and Technology (NIST) has developed a sound framework on which to ensure security is brought into the fold through a system’s lifecycle. NIST’s Risk Management Framework (RMF) provides a great starting point for organizations looking to incorporate security into their organization’s information technology projects.
Research has shown that the most important security measure is the length of time it takes to determine that a breach has occurred. Real-time activities across the infrastructure to detect, monitor, and analyze what’s taking place on the network is crucial to early intrusion recognition. Additional functions such as account and documentation management, system testing and remediation, and threat awareness should all be incorporated into a system and/or organizational-level monitoring program.
While security can never be guaranteed, organizations can minimize the threat by taking a comprehensive and proactive approach. When organizations follow calculated steps to incorporate security in every aspect of operations, executives can significantly reduce the risk and likelihood of a security breach.
About the Author: Dr. Brett Miller is an intelligence professional having spent 20+ years within the national intelligence apparatus supporting mission-critical initiatives impacting national and international security. Additionally, Dr. Miller spent 8+ years as an educator teaching university-level courses in National Security, Homeland Security, Intelligence, Cyber, and Information Assurance. Dr. Miller holds a PhD in Business Administration, Masters of Strategic Studies, M.S. in Telecommunications and Computers, M.S. in Information Technology Systems Management, and a B.S. in Computer Science from Park University. He is a certified Intelligence Community Officer and a graduate of two of the Department of Defense’s most prestigious leadership programs: The U.S. Army War College and the Defense Leadership and Management Program (DLAMP). You can follow Dr. Miller on Twitter: @DrBrettAMiller