Our guest blogger this week is Tom Bowers, Managing Director, Security Constructs LLC – a security architecture, data leakage prevention and global enterprise information consulting firm.
In my last post, I discussed how hackers choose their targets and the steps that companies can take to reduce that risk. I’d like to continue this thought stream by offering a slightly different view on how we as security and risk professionals should be responding. I call it Counter Competitive Intelligence (CCI), though CI professionals may disagree with that name.
CCI has two major advantages:
First, it forces you to understand your own business. We’re not simply looking for how your company generates revenues but what the supporting business operation looks like as well. This analysis forces us to build security as a business risk and not merely as a technology driven risk.
Second, this process assists us in offering business enabling security/risk structures instead of gate-keeping structures. You know the structures I mean, where we security and risk professionals are seen as the team that always says “no” to various lines of business (gatekeepers).
Combined, these two advantages of CCI enable unit heads within an enterprise to view us as business partners.
So how do we accomplish this miracle of security/risk management? Through seven key steps:
1. Conduct competitive intelligence (CI) on your own company. CI is a well-known and well-respected part of doing business, enabling you to understand your market, customer demographics, competitors, and political climate. Start with your competitors, and then look at your own company, building a competitive profile that includes your firm’s strengths, weaknesses and growth areas. Who are the movers and shakers in the enterprise and what various lines of business does your company pursue? Read the past couple of annual reports to study your company’s financial health, top management changes, and strategic direction.
2. Now that you have taken a fresh look at your business, focus on the amount and location of information that is publicly available about the company. Was the information found with a simple search query or did you find it on an employee’s blog posting? What information is getting out in places such as Yahoo’s financial chat rooms? Conducting operational analysis here can lead to some breathtaking insight on unintended information loss.
3. Next, understand whether active disinformation is being used. Some companies seed chat rooms and blogs with misleading information to throw off CI professionals from their competitors. The best advice here is to verify your sources and look for other evidence to support your conclusions.
4. Now for the response process. Start by asking if a new policy might help in guiding employees while preventing critical data leakage. While many companies have created policies concerning social media sites for just this reason, a great number of them fail to realize that “old school” chat rooms and discussion boards are still being used to damaging effect.
5. Ask yourself, can we modify our business processes to mitigate these leakage points? Should we implement SSL between our business partners? Do we update our contracts to include explicit language about third party information disclosure? Should we have a formal review process for all conference sessions given by our employees?
6. Other questions to explore: can you leverage existing business/security/risk technology to help mitigate information leakage? Have you considered using your anti-virus policy server to conduct application audits or assist in investigations? Anti-virus servers touch nearly every endpoint on your system and contain a wide range of workstation information. How about using your security operation center event data stream to give feedback on business application usage (type and location) and perhaps create an improved business process?
7. Finally, review new technologies both near and mid-term that may assist you in mitigating information loss. Data leakage protection or content protection, enterprise digital rights management or encryption products are some examples.
I will not pretend that this is an easy process. In fact, the first time I really tackled CCI it took me four years to build the business relationships required in-house to accomplish this process. The payoff, however, was that we became the “go-to” security organization for business enabling architecture.
The process does work, and security and risk professionals find themselves hailed as heroes when it does.
Lastly, click here to download my white paper, Security as Business Risk: How Data Breaches Impact Bottom Lines. Security is a business risk which must be accounted for in every organization’s enterprise risk management plan. This white paper illustrates how to view data breaches from a business risk perspective by using real world examples and the major consequences of these breaches.