How to avoid being the next Yahoo

Ryan Francis | Oct. 18, 2016
What questions should the CIO/CISO be asking network architects to stay secure?

It’s no longer about whether or not you’ll get attacked; it’s about knowing what the repercussions are and whether you have the right controls to minimize or completely eliminate the fallout. To do this effectively, you need to be attuned to your network controls and architecture. Asking the right questions can get you there, while also ensuring that network architects are aligned with business and security goals.

VArmour CEO Tim Eades offers a few questions decision makers should be asking to ensure they keep their organizations from being the next Yahoo.

If we were subject to a data breach, how would our controls and processes appear when described on tomorrow’s front page news?

Why is this important?

This line of thinking is focused on stewardship and accountability for the infrastructure, products and services the firm offers. Are we iterating, are we staying up to date, are we seeking advice and learning from the experiences of others?

What should the answer be?

Controls and processes should be standardized and documented, and staff should be trained and qualified to perform their duties and understand their roles and responsibilities. Independent internal auditors and external auditors are appropriate for the job. Regularly testing responses to major incidents is also important, as is working closely with vendors and industry experts to create, maintain and certify standards.

Red flags?

Half-documented security standards that are not likely to get finished. Lack of communication and a false sense of confidence can also lead to huge problems.

What are our most critical and/or regulated applications and data systems?

Why is this important?

Identifying the most valuable environments enables appropriate controls to be put in place. These controls can then help identify malicious or anomalous behavior and spur the appropriate action. These systems can also be prioritized for remediation where controls don’t exist, which is particularly important where there is significant infrastructure sprawl.

What would we expect the answer to be?

Ideally there would be a system of record that includes dependencies, backed with current and accurate data. The network team should be active in the process and ensure that they have risk-assessed the dependency mapping against the network infrastructure.

What are the red flags?

“We don’t know, or don’t need to know, because the network is fully resilient.” “We are aware of some of the critical assets.” Or the inventory hasn’t been maintained for some time.

Where and how are these critical systems connected?

Why is this important?

Knowing the answer to this question means that you have done something with the inventory data and stand half a chance of responding during an incident, or of using it in forward planning for remediation, investment and improvement.
