enterprisesecuritymag

Securing the Transportation Systems

Chris Cooper, WW Information Security Director, Cubic Transportation Systems


Over the last 15 years I have worked in security and been fortunate to learn from and collaborate with many security professionals. One thing we all agree on is the broad and ever-changing threat landscape we constantly contend with, and the security-related risks such threats bring with them. One aspect that divides the community, however, is how security risk should be viewed through a business lens.

When I started out in security, I remember meticulously identifying security controls, testing their effectiveness and recommending additional controls where gaps appeared to exist.  I remember battling with teams to prioritise making modifications to improve controls that would reduce the likelihood of a security risk eventuating.  I would constantly be frustrated that security was, or appeared to be, treated as a lower priority.  I mean security is the most important thing…isn’t it?

Today, with a better understanding of risk and its place within an organisation, I have come to appreciate that for some businesses the loss of availability of their systems and applications, or access to their data by an unauthorised entity, may not have the devastating impact I once assumed. The realisation I reached was that no type of risk is inherently more important than any other. Instead, it is the level of the risk, and its relative impact on the business, that is key.

Having come to this realisation, it became clear to me that, as security professionals, our foremost obligation is to present risk unemotionally in business terms, and to consider controls and control strength in that context.

What I have learned

- Security risk is just another business risk with business consequences

- The size/impact of a risk is evaluated in the context of overall business strategy and objectives (think risk tolerance and risk appetite)

- I know security and the business leaders know the business

To do this successfully, it is critical that security professionals make a concerted effort to understand the business context, the overall nature and strategy of the business, and how security ties into that. Only armed with this knowledge does it become possible to see that remediating a critical vulnerability may not be the top priority. For example, the vulnerability may not represent a high risk to the business, or the cost of remediation may exceed the expected cost of the impact. Although this may be difficult to accept, it is what we must understand as security professionals when fulfilling our obligation to inform the business appropriately.

A good example of the role of context is when a vulnerability such as POODLE (CVE-2014-3566, a padding-oracle weakness in SSL 3.0 that an attacker positioned as a Man in the Middle (MITM) can use to recover data from an encrypted session), or one with an even higher criticality rating, comes along. At Cubic Transportation Systems we manage systems holding volumes of sensitive data (personal information, credit card data) as well as systems holding publicly available data (bus routes and schedules). The context-based risk, and therefore the remediation priority, differs according to the impact of unauthorised access to each system's data through a MITM attack: the same finding on a payment system and on a public schedule feed is not the same risk, even though the technical fix (disabling SSL 3.0) is identical.

In the end it is about driving successful outcomes for the business, and as security professionals our obligation is to be enablers of that success. Naturally we must help the business understand when to exercise caution and, equally, when there is less need to. Ultimately risk management is a partnership: the business understands the risk consequences, and the security professional understands the likelihood, determined by the threat, the controls implemented and their strength. Achieving this balance will result in better outcomes for the business and a lot less frustration!
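The following is an added worked example of the context-based prioritisation described in the POODLE paragraph and the likelihood/impact partnership above; it is illustrative code written for this article, not a tool or method from Cubic Transportation Systems. Likelihood is derived from the vulnerability's base exploitability minus the reduction contributed by controls already in place (the security professional's input), impact from the classification of the data the affected system holds (the business's input), and anything rated within the stated risk appetite is set aside for the business to accept rather than queued for remediation. All scales, thresholds, assets, controls and the hypothetical "unauth-data-read" finding are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed 1-5 scale: impact of unauthorised disclosure by data classification.
IMPACT_BY_CLASSIFICATION = {
    "public": 1,       # e.g. bus routes and schedules
    "internal": 2,
    "personal": 4,     # personal information
    "cardholder": 5,   # credit card data
}

# Constructed 1-5 scale: base likelihood of exploitation before any controls.
# POODLE needs an on-path (MITM) position plus many forced requests, so it is not a 5.
BASE_LIKELIHOOD = {
    "POODLE (CVE-2014-3566)": 3,
    "unauth-data-read": 5,   # hypothetical finding: anyone can fetch the data directly
}

# Constructed rating bands on the likelihood x impact product (max 25).
RATING_THRESHOLDS = [(15, "high"), (8, "medium"), (0, "low")]
RATING_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Control:
    name: str
    likelihood_reduction: int  # how many likelihood points this control removes


@dataclass
class Asset:
    name: str
    classification: str
    controls: list = field(default_factory=list)


@dataclass
class Finding:
    vuln: str
    asset: Asset
    remediation_cost: int  # relative effort, constructed


def likelihood(f: Finding) -> int:
    """Base exploitability reduced by the controls in front of the asset, clamped to 1-5."""
    reduction = sum(c.likelihood_reduction for c in f.asset.controls)
    return max(1, min(5, BASE_LIKELIHOOD[f.vuln] - reduction))


def impact(f: Finding) -> int:
    """Business impact comes from what the asset holds, not from the vulnerability."""
    return IMPACT_BY_CLASSIFICATION[f.asset.classification]


def risk_score(f: Finding) -> int:
    return likelihood(f) * impact(f)


def rating(f: Finding) -> str:
    score = risk_score(f)
    for threshold, label in RATING_THRESHOLDS:
        if score >= threshold:
            return label
    return "low"


def prioritise(findings, appetite="low"):
    """Split findings into a remediation queue (highest risk first, cheapest fix
    first on ties) and a list of findings within appetite for the business to accept."""
    queue = [f for f in findings if RATING_ORDER[rating(f)] > RATING_ORDER[appetite]]
    accepted = [f for f in findings if RATING_ORDER[rating(f)] <= RATING_ORDER[appetite]]
    queue.sort(key=lambda f: (-risk_score(f), f.remediation_cost))
    return queue, accepted


# Constructed sample estate: the same POODLE finding on three very different systems.
PAYMENT_GATEWAY = Asset("payment-gateway", "cardholder")
ACCOUNT_PORTAL = Asset("account-portal", "personal",
                       [Control("reachable only from the internal network", 1)])
SCHEDULE_API = Asset("schedule-api", "public")

FINDINGS = [
    Finding("POODLE (CVE-2014-3566)", PAYMENT_GATEWAY, remediation_cost=2),
    Finding("POODLE (CVE-2014-3566)", ACCOUNT_PORTAL, remediation_cost=2),
    Finding("POODLE (CVE-2014-3566)", SCHEDULE_API, remediation_cost=2),
    Finding("unauth-data-read", SCHEDULE_API, remediation_cost=5),
]

if __name__ == "__main__":
    queue, accepted = prioritise(FINDINGS)
    for tag, group in (("FIX", queue), ("ACCEPT", accepted)):
        for f in group:
            print(f"{tag:6} {f.vuln:23} on {f.asset.name:15} "
                  f"L={likelihood(f)} I={impact(f)} score={risk_score(f):2} {rating(f)}")
```

Run as-is, the payment gateway's POODLE exposure lands at the top of the queue (score 15, high), the internal-only account portal is medium (the network control knocks a point off likelihood), and both findings on the public schedule API, including the hypothetical one that is trivially exploitable, stay low and are handed to the business as candidates for acceptance: a "critical" technical finding on public data is not a top business priority. Raising `appetite` to `"medium"` leaves only the payment gateway in the queue, which is exactly the conversation the article describes having with the business.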
