Securing business data

Assurance vs Accreditation

by Giulia Foss | Apr 04, 2018

We’re living in a very fast-moving and ever-changing world. A world where cyber security (or the lack of it) is mainstream, daily news. Market and technology developments have opened growing opportunities for criminal activity.

2017 was, to say the least, an interesting year for all things cyber: we saw some of the biggest attacks in recent history, with millions of consumers and thousands of businesses affected by everything from the WannaCry attack to the TalkTalk and Uber data breaches.

Cyber security now IS the issue on every business leader’s mind: how do they defend themselves from falling victim to a breach? How can they guarantee to consumers that their assets will remain protected from the next security attack? The effect on those businesses that have suffered a major breach tends to be so substantial that share price, brand, reputation and long-term profitability can be seriously weakened.

That’s not to say there aren’t methods to lessen the burden; there are various certification schemes out there that are designed to alleviate such concerns, such as PCI-DSS, ISO27001 and Cyber Essentials.

The only problem with these is that the cyber threat landscape and the security needs of services evolve just too rapidly nowadays, and many certification programmes (but not all, I might add) only require the “tick in the box” annually; they are essentially providing a guarantee that at a certain point in time the security posture of a service or environment was in an accredited state. What about the rest of the year?

Personal experience as an accreditor/auditor, and the fact that so many accredited businesses do still suffer breaches, leads me to the point that many of them do what can best be described as “the minimum” to get that tick in the box; they get their certificate and return to it 11 months later.

To combat these issues and to meet the supersonic pace of cyber security demands, a much more flexible model of assurance is required; one that focuses on risk management, regular risk treatment and continuous risk reduction; in short, going beyond cyber security certification and maintaining the security posture on an ongoing basis.

By conducting proper risk management (as many of the certification programmes do dictate) you introduce a suite of continuous and iterative activities throughout the cyber security lifecycle that require validation or approval gateways and practical mitigation strategies. Mitigations (or risk treatments) include design principles, technical controls, policy dictation and procedural controls. If these are (religiously) adhered to, they will actively reduce the risks of a given solution to acceptable levels.

To deploy a workable risk management process, the security assurance framework that accompanies it must:

  • Be in line with business and operational requirements and include senior management (get their buy-in);
  • Validate identified controls;
  • Ensure those controls are implemented correctly;
  • Ensure regular reviews so that risks are identified, assessed, managed and reported;
  • Include risk treatment plans that involve technical architects and project managers;
  • Include a risk reduction process backed by supporting evidence (such as blueprint designs).

Should such a framework be adhered to, a secure, assured status is continuous: if or when it comes to certification, there will be no rushed panic to prove that systems are in a fit and proper state, and the business in question can be seen to be offering a quantitatively managed level of cyber security maturity.

Paul Rose, CTO & Head of Consultancy, CNS Group

About me:
With over 20 years’ experience in the cyber security sector, I have been responsible for developing the security element of CNS Group’s offering. As a Security Information Assurance Architect, Design Authority and Lead Auditor, I deliver successful projects and programmes into public sector organisations, whilst maintaining security to HMG (Blue light services, NHS, Local and Central Government), PCI (PCI QSA) and ISO standards.

Prior to CNS Group, I worked as a Security Consultant, notably working with Nat West, pioneering confidential online banking processes.
My first experience of working in security was in the Royal Navy for over 10 years, where I learnt about the importance of security and encryption methods in military communications.