In the Cyber Security and Business Continuity theatre, PrivSec day two begins with opening remarks from Lynda O’Leary, Systems Engineer at Hewlett Packard Enterprise.
David Shaw, CISO at the Central Bank of Ireland, gets the ball rolling by outlining the practicalities of cyber-security assurance.
“Security isn’t a destination, it’s a case of doing your best and putting in the appropriate controls to make a breach less likely, but not impossible, because there’s no such thing as an impossibility in this context,” David says.
While underlining that there is no silver bullet for getting information security assurance right, David says there are ways to show that an organisation is getting demonstrably better at security.
David’s framework for measuring this looks at three factors: Completeness – asking whether all the necessary controls are in place; Coverage – asking whether those controls cover all the problem areas; and Effectiveness – considering whether those controls actually work.
“Life calls not for perfection, but for completeness,” David says, quoting the words of Carl Jung, before describing how the Swiss psychoanalyst’s words resonate with the approach executives need to take to security assurance.
“Ask where gaps exist – every control doesn’t need to cover everything,” David says, “rather, weighing up risk and requirement is key”.
To help figure out where gaps exist, David recommends integrating red teaming into the assurance framework – having an independent group challenge your organisation to improve assurance through a loosely scoped, scenario-based test. Such a test should help IT chiefs work out why a breach took place and what actually happened.
David finishes by noting that red teaming should complement a broader unified strategy, sitting alongside other tests such as ethical phishing.
The post #PrivSecDUB: Developing cyber-security assurance and the marathon of GDPR implementation appeared first on PrivSec Report.