Information security main goal is to protect your company against threats. Confidentiality, Integrity and Availability, some criteria of information. In this triangle security experts working on SIEM, Vulnerability Testing, application security testing, data privacy, network security and so on. Everything is seeing it well here. If a hacker doesn’t attack it’s okay and your company is secure. Or if all your employers and stakeholders are aware of security and there is no information outside the company it is ok. Business is secure!
Are we sure that all our security countermeasures can protect business outside?
Today war is not passive. Active cyberwar had already been started. We must protect our business outside, not only inside too.
Security experts work to protect data, system, service or employers. But no one work to protect the value of the business. All the data is secure, all the systems are available, and architecture looks good. But how is the brand? How is the market campaigns? How is the competition, environment and politics?
Information Security: Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or at least reducing the probability of unauthorized/inappropriate access to data, or the unlawful use, disclosure, disruption, deletion, corruption, modification, inspection, recording or devaluation of information. It also involves actions intended to reduce the adverse impacts of such incidents (Wikipedia).
Information Security refers to the processes and methodologies which are designed and implemented to protect the print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption (SANS).
We can see that information security is about protection information. It indicates passive war or defence.
Value is a combined indicator with objectives and assets. So it includes assets of the business such as information, infrastructure, fund and people and more.
Today’s security experts must focus business value as the top level.
· Information Security
· Stakeholder Security
· Resource Security
· Brand Security
· Capability Security
Security experts must fight outside the company, dark web, social media and newspaper. We are not talking about cyber intelligence. More than cyber intelligence, active war and proactive measurement and improvement business environment.
Let’s detail Value Security;
Information Security: Explained above that it is about protecting information. In today’s world or digital age Information (or data) is the most important asset of the business. So we must protect it, ensure its integrity, availability and confidentiality.
Stakeholder Security: It means that stakeholder’s comfort and physical safety is a security issue. Because uncomfortable stakeholders can be a threat at inside or outside. Current and past employees, suppliers, shareholders and customers must feel secure and comfortable at relationships with our business. If not they can be a threat. Security experts must observe and implement security controls to protect the business journey.
Resource Security: if the business is not a non-profit business, every company first aim is to earn money, more effective budget, least cost and highest profit. Both internal and external processes, resource security controls must be implemented to prevent abuse, fraud and privacy. Inside the company processes, application controls and ethics, outside the company suppliers, shareholders and customers relationship funds must be observed for fraud and privacy.
Brand Security: Brand’s value is talked so much today. It is very important for marketing, profit ratio and customer happiness. So it must be protected outside (dark web, social media and news …etc). So brand must be observed from security perspective and countermeasures must be implemented to protect it. Surfing at the dark web to detect threats, control staff and other stakeholder’s behaviour about the brand.
Capability Security: Capability is everything, including talent, organizational scheme, processes and more. It is the main enabler of the business. So it must be protected by controls and improvements too. Competitor’s capability can be a threat to our business capability? Is our capability is safe at changing business world? Capability confidentiality controls, availability of the current capability and integrity of capability components with enterprise architecture are the main focus are capability security.
All these are enablers for value. So to protect value, these enablers must be protected. For every enabler, protection controls can be different. For example; information security controls are; confidentiality, integrity and availability. But for the Brand Security, you don’t need to implement confidentiality controls and should implement measurability controls. Or for criticality, you should efficiency controls plus CIA controls.
*These control types are an example, for every company the framework must be tailored and controls should be categorized to be sure enough secure business environment.
All these controls must be inside and outside controls. Security experts must increase resilience inside corporate and must decrease the threats outside the corporate. With this type of framework alignment of security and ERM (Enterprise Risk Management) can be more efficient so security can focus on the corporate value.