Information security management in a company. Where to start?

Author of the article: Artem Kulichkin, Head of Information Security of the group of companies

Information threats are becoming more sophisticated; that is a fact, and information security management is becoming one of a company's key tasks. For information security directors (CISOs), building an effective security strategy requires deep analysis, considered decisions and constant monitoring of the information security landscape. In this article, we consider the main components of information security management in a company: risk assessment, implementation of security policies, personnel training and the use of modern technologies.

1. Risk assessment

The first step towards successful information security management is a clear assessment of assets. The company needs to regularly audit its information infrastructure, identifying all assets, their possible vulnerabilities and their priority. This process includes an analysis of existing assets, customer and employee data, and the critical assets and business processes that depend on them. The main goal is to understand and anticipate what threats may arise, how they may affect the company and what resources are needed to prevent them.

Risk assessment should be based not only on potential threats but should also take into account the probability of their occurrence and their consequences – at least that is what the books tell us; in reality things are a little different. Intentionality and experience play a big role here. This approach helps to use resources more efficiently, taking into account both financial costs and possible reputational losses.

2. Development and implementation of security policies

Once you have completed an asset inventory and risk assessment, the next step is to develop clear security policies. Policies should cover all aspects of information security, from data protection methods and access control to rules for the use of corporate devices and remote work.

It is important that policies are not only written down in documents but also implemented in the company's daily practice. To achieve this, policies must be regularly updated and revised based on audit results, changes in legislation, and new threats. Moreover, each policy should have mechanisms for measuring its effectiveness, which will allow further adjustments and improvements in protection. In an ideal world, compliance with an unwritten information security policy is established first in practice and only then smoothly transferred to paper.

3. Training and building a security culture

The next important aspect of information security management is staff training. People are often the most vulnerable part of a company's security system. Therefore, it is important not only to train employees in the basics of information security, but also to build a security culture among them. This includes understanding the threats, realizing the importance of complying with security policies, and active involvement in supporting protective measures. A good practice is to turn cyber hygiene into a game with employees: for example, whoever recognizes the most phishing messages climbs to the top of the rating.

It is recommended to conduct regular training sessions, seminars and attack simulations (e.g. simulated phishing campaigns) to increase employees' security awareness. The more knowledge and skills an employee has, the less likely an attacker is to succeed.

4. Process and technological solutions for information protection

People, technologies and processes play a key role in ensuring information security. Investments in modern IPS/IDS systems, SIEM, SOAR, antivirus software, encryption tools and other security tools are a must for any company that cares about its security. Depending on the company's area of activity, the priority of these tools changes. For example, in companies where confidentiality is the priority, it is important to implement DLP, while for other businesses the priority is slightly different, closer to availability. Although information security naturally strives to protect all three aspects – confidentiality, integrity and availability – the last of these is closer to IT: disaster recovery, proper architecture of information systems, and so on. Corporate networks and devices must be protected by multi-level security systems (including network monitoring, intrusion detection and response), with separate security zones and VLANs to minimize risks or at least slow down the attacker, gaining time to respond.

It is also worth paying attention to solutions based on artificial intelligence and machine learning (which, strictly speaking, does not yet exist). These technologies are capable of analyzing large amounts of data and identifying anomalies, which significantly speeds up threat detection. Something similar already exists under the name User and Entity Behavior Analytics (UEBA) – a technology for identifying cyber threats based on the analysis of user behavior. But this is just frequency analysis of events, with no miracles involved.
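As an added illustration of the "frequency analysis of events" that this paragraph describes (example code written for this edit, not the author's or any vendor's UEBA implementation): per-user hourly event counts from a history window form a baseline, and the current window is scored against it with a z-score. The log format and the alice/carol events are constructed sample data.

```python
"""Added example: a minimal UEBA-style frequency detector.
Baseline = per (user, event) mean/stdev of hourly counts over a history window;
the current window is scored with a z-score.  All log lines are constructed."""
from collections import Counter
from statistics import mean, pstdev

def hourly_counts(lines):
    """Count events per (user, event, hour bucket); bucket key is 'YYYY-MM-DDTHH'."""
    counts = Counter()
    for line in lines:
        ts, user, event = line.split(maxsplit=2)
        counts[(user, event, ts[:13])] += 1
    return counts

def build_baseline(history):
    """Per (user, event): mean and stdev of hourly counts seen in history.
    A floor of 1.0 on the spread avoids a zero divisor for perfectly regular users."""
    series = {}
    for (user, event, _hour), n in hourly_counts(history).items():
        series.setdefault((user, event), []).append(n)
    return {k: (mean(v), max(pstdev(v), 1.0)) for k, v in series.items()}

def score_window(baseline, window, threshold=3.0):
    """Return [(user, event, hour, count, z)] for buckets at or above the threshold.
    Unseen (user, event) pairs get a baseline of 0 +/- 1, so brand-new activity is scored too."""
    alerts = []
    for (user, event, hour), n in sorted(hourly_counts(window).items()):
        mu, sigma = baseline.get((user, event), (0.0, 1.0))
        z = (n - mu) / sigma
        if z >= threshold:
            alerts.append((user, event, hour, n, round(z, 1)))
    return alerts

def sample_logs():
    """Constructed data: alice logs in twice per working hour on days 1-3 (history).
    On day 4 she also produces 30 logins at 03:00, and carol, never seen before, runs 5 exports."""
    history, window = [], []
    for day in (1, 2, 3):
        for hour in range(9, 18):
            history += [f"2024-09-0{day}T{hour:02d}:{m:02d} alice login" for m in (0, 30)]
    for hour in range(9, 18):
        window += [f"2024-09-04T{hour:02d}:{m:02d} alice login" for m in (0, 30)]
    window += [f"2024-09-04T03:{m:02d} alice login" for m in range(30)]
    window += [f"2024-09-04T14:{m:02d} carol export" for m in range(5)]
    return history, window

if __name__ == "__main__":
    hist, win = sample_logs()
    for alert in score_window(build_baseline(hist), win):
        print(alert)  # the 03:00 login burst and carol's exports are flagged; normal hours are not
```

Note that the baseline is only as good as the history it is built from: a long-running slow abuse that is already present in the history window becomes "normal", which is the main limitation behind the author's "no miracles" remark.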

5. Monitoring and incident response

An equally important element of information security management is the system for monitoring and responding to incidents. The company should develop a procedure for responding quickly to security incidents in order to minimize damage in the event of an attack. This includes creating incident response teams responsible for promptly resolving problems, as well as having a clear plan of action in the event of an incident.

Regular testing and incident simulations will help check the team's readiness and identify weaknesses in the response process. It is important that the company is prepared not only to prevent threats, but also to eliminate them if they do occur. I have written here as superficially as possible, since this is a whole layer of information (perhaps your choice will be to outsource the SOC altogether); maybe I will write about this in the next article.

Conclusion

Information security management is an interesting and multifaceted process that requires attention, time and resources. However, given the modern threats and risks, companies simply need thorough and well-founded approaches to solving this problem.

Information security managers should be prepared not only to develop and implement strategies, but also to build effective communication with the heads of other departments, so that the importance of information security is understood at the level of the entire organization. Success in this area is determined not only by technological solutions, but also by the human factor – awareness, training and involvement of employees in maintaining a secure environment. The point of this paragraph is that the information security service should not be feared; on the contrary, people should turn to it for help and advice on any issue, including personal ones – for example, how to secure a personal account on government services or remove personal data from the “Eye of God”.

Fellow directors and future CISOs, your job is to create friendly communication in the organization, prevent or minimize information security incidents, respond to new vulnerabilities and to new ways in which a threat can be realized, justify budget items, and much more. In general, feel at home in the world of information security, IT and business: constant learning, self-improvement, and so on. After all, remember: life is like an escalator, and if you are not at least moving up at the speed of the escalator, then you are going down.

Continuing with the topic of information security management, I would like to remind you about the open lessons that will be held in September as part of the course “CISO / Chief Information Security Officer”:

  • September 10: “Information Security Management System”

  • September 17: “The Board's Expectations from the CISO”
