Xiduo Liu says
What stood out to me in this chapter is the view of users. Throughout my career, I have come across many users whose job description did not contain any cyber security related items. Yet the authors pointed out that the end-users are often the first ones to see security related issues, such as a phishing attempt. If we train our end users to the extent for which the infosec team is responsible and enable them to communicate and report any suspicious activity, the organization’s security posture will be greatly increased.
Megan Hall says
Xiduo, I agree with you that this was an interesting point. Having trained and knowledgeable end-users with at least a basic awareness of security threats and how to report them can really strengthen the security posture of an organization. I thought the chapter also made another interesting point about users. It talked about how the vision of users should be positive. I’ve interacted with so many IT and security professionals in different organizations who are demeaning to end-users and assume they are “stupid”. If there is a positive tone and message of collaboration, and security professionals and end users can work well together, this will also promote a stronger security posture.
Nicholas Fabrizio says
A key concept of this chapter is security management and how difficult it is to keep an organization secure long term without good security management practices such as annual planning, handling incidents, the process of planning, etc. Ultimately, organizations need to attempt to close all possible attack routes for a system, which can be difficult because some security components need to seamlessly work together to successfully mitigate attacks, and the weakest link tends to be humans. Humans may configure security settings incorrectly or neglect to check logs, and a single failure of security could allow an attack to be successful. A good security management process is the plan-protect-respond cycle, which allows security to improve constantly so they may achieve comprehensive security across the organization.
Jonathan Mettus says
You bring up a good point that robust security is not a “set it and forget it” type of thing. You can’t just make some policies, install a firewall, and never worry about it again. It’s a never-ending process that organizations need to manage. That’s why the book brings up the plan-protect-respond cycle. Organizations need to monitor their environments, check their controls, do policy reviews, and so much more. Risks and threats change all the time. As you point out, you’re also not going to become a very secure organization overnight. It’s something you have to work at and hopefully keep improving annually.
Christopher Clayton says
Very good point, Nicholas. More focus is put on technology than management, which is a “mistake”. Although the technological side is very important, security management is key in implementing information security to protect the organization’s ability to function and protect technology assets. Proper steps taken by the organization can also protect their information by maintaining privacy and preventing vulnerability attacks.
Quynh Nguyen says
One of the key points I took from this reading was the relationship the IT security department has with many other departments. When people think of cybersecurity, they do not think it is a job that works mostly alone, but they have special relationships with many other units in the firm. The ethics, compliance, and privacy team has to work closely with the IT security team to ensure compliance and security are protected by IT implementations such as firewalls, anti-virus, computer-use policies, password requirements, etc. Human resources also works closely with IT security because they are in charge of onboarding employees and implementing security trainings. They are also in charge of hiring and termination, so it is a requirement for HR to screen the right people in order to protect the company’s data, and also follow the most secure protocols for hiring and firing. The legal department goes hand in hand with IT security, especially when there is a security breach; they also make sure IT security is in compliance with the law. IT security can work closely with any auditing department as an insider to make sure there is no fraud going on. Facilities also work hand in hand with IT security because they deal with physical security using ID scanning, security cameras, revolving doors, etc. Overall, although it is a newer addition to most companies, it has become one of the most important departments and one that works closely with almost all departments.
Mitchell Dulaney says
Hi Quynh – I agree that it’s important to recognize how integrated the information security group must be with other departments in an organization. I think the average person thinks of cybersecurity as a group that stands in the way of the interests of the rest of the organization, but many other groups rely on information security heavily to ensure their own processes run smoothly.
Wei Liu says
This chapter concluded with a discussion of some popular governance frameworks such as COSO, COBIT and ISO 27002. These frameworks help companies by providing a systematic way of approaching IT security planning, implementation, monitoring, and progressive improvement. COSO, as an example, divides its control objectives into eight components, including Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, and Monitoring. These components work to establish the foundation for internal control within the company through directed leadership, shared values and a culture that emphasizes accountability for control. In addition, the entire system of internal control is monitored continuously, which means most problems will be addressed in a timely manner.
Michael Doherty says
I agree the explanation of the different frameworks was a very good one. The reading helped me consider and understand them better so I can use examples professionally.
Christopher Clayton says
Managing risk is the main goal in the business realm. It always appears that IT professionals’ goal is to eliminate it completely, which is not practical. The more realistic approach for businesses would be the reasonable risk method: to maintain risk that concerns the information systems it processes and stores. This is why security management is more essential than security technology.
Elias Harake says
Hi Christopher. Great point there, I agree, managing risk is the main goal in business. Not only do organizations need to increase/maintain revenue, profit and shareholder value, but they also need to manage risk. In today’s world, risk is everywhere, and data breach risk appears to be more impactful to a business than ever before. The best way to reduce or mitigate this type of risk is by using the frameworks outlined in this week’s reading assignment, Chapter 8, such as the COSO, COBIT, and ISO 27002 frameworks to manage risk.
Lakshmi Surujnauth says
A key takeaway is ensuring that there is management buy-in for security planning and processes. This ensures that adequate funding is provided as necessary to prioritize and protect information assets. It also sets the “tone at the top”, which aids in creating and maintaining a security-aware culture throughout the entity.
Panayiotis Laskaridis says
Hi Lakshmi,
I couldn’t agree more. As ITACS students within the business school, we should be constantly reminding ourselves that everything we do should always be tied back to providing value for the business. While funding is important and necessary to provide value, inversely, we shouldn’t be providing more security than necessary. In the same way you wouldn’t buy a $1000 safe to protect $100, you wouldn’t pay $1000 for a server to only protect $100 worth of information.
Megan Hall says
The key point that stood out to me from this reading was the very first part of the chapter which stated the quote about security being a process and not a product. A lot of the exciting part of security is the technology and not the governance, planning, and policy aspects of it. But if you do not get those elements right, then even the best technology cannot make for an effective security program.
Taylor Trench says
Hi Megan, I think you’re completely correct. I also think the designation of security as a process over a product speaks to how the security process is never over. You must consistently be reinventing and redesigning security, regardless of whether you are in the beginning, middle, or end of the process.
To-Yin Cheng says
In order to have the best planning and defense in the firm, the IT security department has to develop a productive and good relationship with all other business function departments, such as the human resources department, legal department, auditing, facilities management, and the ethics, compliance, and privacy officers. IT security professionals must learn to speak other departments’ languages to understand their situations and have good communication with them. Security should also accompany policies with financial benefit analyses and realistic business impact statements. Understanding how security may affect the company and its goals is more important than having excellent technical knowledge.
Charlie Corrao says
My key takeaway from this reading was the discussion on viewing security as an enabler, not a source of frustration. When security is seen as an issue, organizations spend their time trying to fix problems instead of more productive activities. When viewed as an enabler, organizations can focus more on what they do best, instead of always trying to play catchup with their security.
Jonathan Mettus says
I think one of the most important sentences of the chapter is the following: “Security management, however, is far more important than security technology.” It seems like some organizations think of IT/information security as an almost purely technical problem. They throw their money at the latest firewall or best antivirus software and don’t understand why incidents still happen. The organization with the latest, greatest, most expensive security technology is not automatically the most secure. It starts with administrative controls, which is security management. Policies and procedures have to be in place. Employees have to be trained. There needs to be organizational support. It’s a lot of moving parts and complementary aspects that need to work together.
Lakshmi Surujnauth says
Jonathan, this is an excellent point! Administrative controls are among the most important controls an entity could implement when it comes to information security. The most robust technical controls (IDS, IPS, firewalls, etc.) could easily be negated by the actions or inactions of employees. It is therefore crucial to establish SETA policies to ensure comprehensive security management.
Taylor Trench says
A key point from this text that stood out to me was the section that tackled the question: “Should you place security within IT?” The text provided suggestions on how to determine whether the CSO and security department should reside inside or outside the corporate IT unit. The benefits of placing security within IT include shared technical skill, CIO accountability for security breaches, and ease of security changes. The benefits of placing security outside of IT include independence from IT and broader security measures, though this limits IT functions and accountability. The text, however, notes that most analysts recommend security existing outside of the IT department since independence is essential. I found this strange at first, since it seemed that most of the benefits resided in having IT and security in the same department. However, I think the most important thing to note here is that a large portion of security incidents happen within the IT department, whether that be intentional breaches or unintentional. Since the “demand” for security typically falls heavily in that area, it is essential that there are security departments that are independent of the IT department.
Mitchell Dulaney says
I was interested in the section considering where the security or IT security departments should be placed in the corporate structure. In the organization I work for, the information security group is part of IT Services, and the CISO reports directly to the CIO. This has always made sense to me, because it allows the information security group to interface directly with the IT operations group so that infrastructure changes and day-to-day activities can meet the security requirements dictated by security. However, it also is logical that the security group might be located outside of the IT reporting chain. This would allow them to operate more independently, and enables them to investigate or report security incidents involving IT management in ways that may not be possible if they are part of the IT department.
Charlie Corrao says
Hi Mitchell,
Like you said, I lean more towards the setup where the information security group lies within IT Services. The company I work for does that as well. But I do see the point for it being external as well. It is good to have checks and balances in any work group, so having an impartial IS security team located outside of IT may help break through some of the political challenges many companies have.
Christa Giordano says
One of the key takeaways I had was related to compliance with regulations. The sentences that stood out to me were, “Driving forces are things that require a firm to change its security planning, protections and response. Perhaps the most important set of driving forces for firms today are compliance laws and regulations, which create requirements for corporate security.”
You have to be very agile in today’s dynamic environment and not only worry about threats and vulnerabilities, but how will changes to laws and regulations impact the organization’s current environment. Factors such as cost, resources, and re-engineering processes can be time consuming and costly for organizations. However, protecting the public is more important and data privacy is paramount. The C-Suite and the Board of Directors bear the responsibility to stakeholders to ensure compliance with privacy laws and regulations, setting a good tone at the top. Another worry is if an organization is international and there are different regulations between countries that may not align. In this case, the best practice is to adhere to the most restrictive set of laws, so the entire organization is covered and there is consistency.
Elias Harake says
One of the main points that grabbed my attention in Chapter 2 was the governance framework section. Chapter 2 focused on the Plan, Protect and Respond Cycle of IT management. As part of the planning phase, an IT auditor should make sure he or she understands and accurately analyzes the threats, vulnerabilities, and risks the company may face in the future. I found the COBIT framework outline on page 140 very insightful and helpful for planning an IT security plan. COBIT has four cycles, described as:
– Plan and Organize: Strategic IT planning and creation of corporate information architecture; the architecture of specific projects
– Acquire and Implement: Organizations need to acquire and implement information systems
– Deliver and Support: Most of an IT project’s life takes place after implementation
– Monitor and Evaluate: Firms must monitor their processes and evaluate the adequacy of internal controls, obtain independent assurance and provide independent auditing.
Panayiotis Laskaridis says
My key takeaway from this chapter is how it talks about how the IT department has to cooperate with every LOB in order to be truly successful. As IT auditors, we understand that we are the final line of defense before it reaches the regulators. In order to have a truly successful cyber approach, all three lines need to engage in best practices. Cyberthreats aren’t only some masked individual in a dark room aggressively typing away. More often than not, it could be something as simple as social engineering. It is important that the IT department coordinates with all LOBs to make sure that the first line is equipped enough to handle these sorts of threats before a larger response is required.
Michael Doherty says
I liked the conversation describing COSO, COBIT and ISO 27001. It was very interesting to reflect on these examples and correlate them to real life. Where I used to work was a COSO shop; I am attempting to implement it at my current employer, and it is a challenge. This article gave me some help on how I can explain the framework and the reasons why it should be considered.