enterprisesecuritymag

Securing the Transportation Systems

By Chris Cooper, WW Information Security Director, Cubic Transportation Systems


Over the last 15 years I have worked in security and been fortunate to be able to learn from and collaborate with many security professionals. One thing we all agree on is that the threat landscape we contend with is broad and ever-changing, and that those threats bring security-related risks with them. One aspect that divides the community, however, is how security risk should be viewed through a business lens.

When I started out in security, I remember meticulously identifying security controls, testing their effectiveness and recommending additional controls where gaps appeared to exist. I remember battling with teams to prioritise modifications that would improve controls and reduce the likelihood of a security risk eventuating. I was constantly frustrated that security was, or appeared to be, treated as a lower priority. I mean, security is the most important thing… isn't it?

Today, with a better understanding of risk and its place within an organisation, I have come to appreciate that for some businesses the loss of availability of their systems and applications, or access to their data by an unauthorised entity, may not have the devastating impact I once thought. The realisation I reached was that no type of risk is inherently more important than any other. What matters is the level of the risk and its relative impact on the business.

Having reached this realisation, it became clear to me that our foremost obligation as security professionals is to present risk unemotionally, in business terms, and to consider controls and control strengths in that context.

What I have learned

- Security risk is just another business risk with business consequences

- The size/impact of a risk is evaluated in the context of overall business strategy and objectives (think risk tolerance and risk appetite)

- I know security and the business leaders know the business

To do this successfully, security professionals must make a concerted effort to understand the business context: the overall nature and strategy of the business, and how security ties into it. Only armed with this knowledge does it become possible to see that remediating a critical vulnerability may not be the top priority: the vulnerability may not represent a high risk in that context, or the cost to remediate it may outweigh the expected cost of its impact. Although this may be difficult, it is what we must understand, and accept, as security professionals when fulfilling our obligation to inform the business appropriately.

A good example of the role of context is when a vulnerability such as POODLE (or one with an even higher criticality rating) comes along that can be exploited by an attacker in a man-in-the-middle (MITM) position. At Cubic Transportation Systems we manage systems holding volumes of sensitive data (personal information, credit card data) as well as systems holding publicly available data (bus routes and schedules). The context-based risk, and therefore the priority of remediation, differs according to the impact of unauthorised access to the respective data through such an attack.
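The following is an added example, not code from the article or from Cubic Transportation Systems, showing how the contextual view above can be made mechanical: the same technical finding is scored against several assets, with likelihood driven by exposure and deployed controls (the security professional's side of the partnership) and impact driven by the data classification (the business's side). The asset names, data classifications, weights, thresholds and the control name `sslv3_disabled` are all assumptions chosen to mirror the two data categories the article mentions; the CVSS figure is illustrative.

```python
"""Contextual vulnerability prioritisation (added example).

The same technical finding is scored against several assets whose
business impact and deployed controls differ, so the remediation
priority falls out of the business context rather than the CVSS
number alone. All names, weights and thresholds are illustrative."""
from dataclasses import dataclass, field

# Impact weight of unauthorised disclosure, by data classification.
# Illustrative values; a real scheme is set by the business's risk appetite.
IMPACT_WEIGHT = {"public": 1, "internal": 2, "confidential": 4, "regulated": 5}


@dataclass
class Asset:
    name: str
    data_classification: str                    # key into IMPACT_WEIGHT
    internet_exposed: bool
    controls: set = field(default_factory=set)  # controls actually deployed


@dataclass
class Finding:
    vuln_id: str
    cvss_base: float        # technical severity 0.0-10.0, context-free
    requires_mitm: bool     # attacker must already be on-path to exploit
    neutralised_by: set     # any one of these controls removes the exposure


def likelihood(finding: Finding, asset: Asset) -> float:
    """Likelihood 0.0-1.0 that the finding is exploited on this asset,
    derived from technical severity, exposure and deployed controls."""
    if finding.neutralised_by & asset.controls:
        return 0.0          # a deployed control fully mitigates the finding
    score = finding.cvss_base / 10.0
    if not asset.internet_exposed:
        score *= 0.5        # internal-only shrinks the attacker population
    if finding.requires_mitm:
        score *= 0.6        # needing an on-path position raises attacker cost
    return round(score, 2)


def impact(asset: Asset) -> int:
    """Business impact of unauthorised access to the asset's data."""
    return IMPACT_WEIGHT[asset.data_classification]


def contextual_risk(finding: Finding, asset: Asset) -> tuple:
    """Return (score, band) where score = likelihood x impact."""
    score = round(likelihood(finding, asset) * impact(asset), 2)
    if score >= 1.0:
        band = "high"
    elif score >= 0.5:
        band = "medium"
    elif score > 0.0:
        band = "low"
    else:
        band = "mitigated"
    return score, band


def rank(finding: Finding, assets: list) -> list:
    """Order assets by contextual risk, highest first: the remediation queue."""
    rows = [(a.name, *contextual_risk(finding, a)) for a in assets]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# POODLE (CVE-2014-3566): SSL 3.0 padding-oracle attack usable only by an
# on-path attacker. The CVSS value is illustrative; "sslv3_disabled" is a
# hypothetical control name meaning "SSL 3.0 switched off on the endpoint".
POODLE = Finding("CVE-2014-3566", cvss_base=4.3, requires_mitm=True,
                 neutralised_by={"sslv3_disabled"})

# Constructed sample estate modelled on the article's two data categories.
ASSETS = [
    Asset("fare-payment-gateway", "regulated", internet_exposed=True),
    Asset("timetable-website", "public", internet_exposed=True),
    Asset("ticket-office-backend", "regulated", internet_exposed=False,
          controls={"sslv3_disabled"}),
]

if __name__ == "__main__":
    for name, score, band in rank(POODLE, ASSETS):
        print(f"{name:24} risk={score:<5} {band}")
```

Run as-is, the card-data gateway lands in the high band while the public timetable site, carrying the identical finding, lands in the low band, and the backend where SSL 3.0 is already switched off drops out of the queue entirely. The point is not the particular weights but that the likelihood side is the only part the security team owns; the impact weights must come from the business.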

In the end it is about driving successful outcomes for the business, and as security professionals our obligation is to enable that success. Naturally we must help the business understand when to exercise caution and, equally, when there is less need to. Ultimately risk management is a partnership: the business understands the consequences of a risk, and the security professional understands its likelihood, determined by the threat, the controls implemented and the strength of those controls. Achieving this balance will result in better outcomes for the business and a lot less frustration!
