Why a Business-Focused Approach to Security Assurance Should Be an Ongoing Investment
How secure is your organization's information? At any given moment, can a security leader look an executive in the eye and tell them how well business processes, projects and supporting assets are protected?
Security assurance should provide relevant stakeholders with a clear, objective picture of the effectiveness of information security controls. However, in a fast-moving, interconnected world where the threat landscape is constantly evolving, many security assurance programs are unable to keep pace. Ineffective programs that do not focus sufficiently on the needs of the business can provide a false level of confidence.
A Business-Focused Approach
Many organizations aspire to an approach that directly links security assurance with the needs of the business, demonstrating the level of value that security provides. Unfortunately, there is often a significant gap between aspiration and reality.
Improvement requires time and patience, but organizations do not need to start at the beginning. Most already have the basics of security assurance in place, meeting compliance obligations by evaluating the extent to which required controls have been implemented and identifying gaps or weaknesses.
Taking a business-focused approach to security assurance is an evolution. It means going a step further and demonstrating how well business processes, projects and supporting assets are really protected, by focusing on how effective controls are. It requires a broader view, considering the needs of multiple stakeholders within the organization.
Business-focused security assurance programs can build on current compliance-based approaches by:
Identifying the specific needs of different business stakeholders
Testing and verifying the effectiveness of controls, rather than focusing purely on whether the right ones are in place
Reporting on security in a business context
Leveraging skills, expertise and technology from within and outside the organization
A successful business-focused security assurance program requires positive, collaborative working relationships throughout the organization. Security, business and IT leaders should energetically engage with each other to make sure that requirements are realistic and expectations are understood by all.
A Change Will Do You Good
The purpose of security assurance is to provide business leaders with an accurate and realistic level of confidence in the protection of 'target environments' for which they are responsible. This involves presenting relevant stakeholders with evidence regarding the effectiveness of controls. However, common organizational approaches to security assurance do not always provide an accurate or realistic level of confidence, nor focus on the needs of the business.
Security assurance programs seldom provide reliable assurance in a dynamic technical environment, which is subject to a rapidly changing threat landscape. Business stakeholders often lack confidence in the accuracy of security assurance findings for a variety of reasons.
Common security assurance activities and reporting practices only provide a snapshot view, which can quickly become out of date: new threats emerge or existing ones evolve soon after results are reported. Activities such as security audits and control gap assessments typically evaluate the strengths and weaknesses of controls at a single point in time. While these types of assurance activities can be helpful in identifying trends and patterns, reports provided on a six-monthly or annual basis are unlikely to present an accurate, up-to-date picture of the effectiveness of controls. More regular reporting is required to keep pace with new threats.
Applying a Repeatable Process
Organizations should follow a clearly defined and approved process for performing security assurance in target environments. The process should be repeatable for any target environment, fulfilling specific business-defined requirements.
The security assurance process comprises five steps, which can be adopted or tailored to meet the needs of any organization. During each step of the process a variety of individuals, including representatives from operational and business support functions throughout the organization, might need to be involved.
The extent to which individuals and functions are involved during each step will differ between organizations. A relatively small security assurance function, for example, may need to acquire external expertise or additional specialists from the broader information security or IT functions to conduct specific types of technical testing. However, in every organization:
Business stakeholders should influence and approve the objectives and scope of security assurance assessments
The security assurance function should analyze results from security assurance assessments to measure performance and report the main findings
Prioritize and select the target environments in which security assurance activities will be performed
Apply the security assurance process to selected target environments
Consolidate results from assessments of multiple target environments to provide a wider picture of the effectiveness of security controls
Make improvements to the security assurance program over time
An Ongoing Investment
In a fast-moving business environment filled with constantly evolving cyber threats, leaders want confidence that their business processes, projects and supporting assets are well protected. An independent and objective security assurance function should provide business stakeholders with the right level of confidence in controls – complacency can have disastrous consequences.
Security assurance activities should demonstrate how effective controls really are – not just determine whether they have been implemented or not. Focusing on what business stakeholders need to know about the specific target environments for which they have responsibility will enable the security assurance function to report in terms that resonate. Delivering assurance that critical business processes and projects are not exposed to financial loss, do not leak sensitive information, are resilient and meet legal, regulatory and compliance requirements, will help to demonstrate the value of security to the business.
In most cases, new approaches to security assurance should be more of an evolution than a revolution. Organizations can build on existing compliance-based approaches rather than replace them, taking small steps to see what works and what doesn't.
Establishing a business-focused security assurance program is a long-term, ongoing investment.
About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.