In today’s digital age, organisations must prioritise their cybersecurity posture to protect sensitive data, maintain privacy, and ensure compliance with regulatory requirements.
A compliance-driven approach with security solutions drawn from research and expertise of industry professionals provides a solid foundation. To add, combining this foundation with a risk and context-based approach enables businesses to prioritise their efforts, creating more effective and efficient cybersecurity strategies.
This article explores how to integrate security solutions into a broader compliance framework while incorporating risk-based methodologies.
Industry Frameworks
Aside from mandatory regulatory requirements, businesses can benefit from standards and guidelines like ISO 27001, NIST Cybersecurity Framework (CSF), and SOC 2 Trust Security Criteria (TSC). These frameworks reference best practices and standards that can help organisations develop a robust cybersecurity strategy. By adopting these guidelines and complying with regulatory requirements, organisations can take a comprehensive and practical approach to building cybersecurity capabilities.
With disastrous cyber breaches hitting the headlines every now and then, regulatory efforts are reflected in the updates of industry guidelines and standards – like ISO 27001 and MAS TRM.
Addressing the ever-evolving cyber threat landscape and to bolster organisations’ security posture, some key updates include:
Increased focus on robust cloud security:
As cloud technology takes the centre stage of digital transformation, ensuring robust cloud security is paramount for business. Organisations need to manage the unique risks associated with cloud computing and protect critical data assets in the cloud environment. This includes guidance on conducting risk assessments for cloud service providers, implementing robust access controls, and ensuring data protection in the cloud.
Greater emphasis on comprehensive third-party risk management:
Learning from cyber incidents like the Kaseya supply chain attacks, regulators and international bodies recognises the importance of managing risks associated with third-party service providers through a comprehensive approach. By conducting thorough assessments, organisations will need to identify the relevant third-party risks to their systems and data. This includes performing thorough due diligence, monitoring the security posture of third parties, and establishing clear contractual terms and conditions to address security requirements.
Improved incident response and recovery capabilities:
With today’s ever-evolving cyber threat landscape, cyber incidents are no longer an ‘if’ but a ‘when’ for organisations. Recognising the inevitability of these cyber incidents, regulators have placed greater emphasis on the development of robust incident response and response capabilities in the updated guidelines. The updates stressed the importance of preparedness and resilience in mitigating the potential impact of cyber threats. This includes creating an incident response plan, regularly testing and updating the plan, and ensuring that the organisation can quickly and effectively recover from a cybersecurity incident.
Enhanced focus on cybersecurity governance
The need for strong governance and oversight in managing cybersecurity risks is underscored in the updated guidelines, with the critical role of senior management and the board in driving cybersecurity initiatives and fostering a security-conscious culture within the organisation being highlighted. This includes establishing a clear cybersecurity strategy, defining roles and responsibilities for risk management, and ensuring that cybersecurity measures commensurate with the organisation’s overall risk appetite.
Smarter Automation and Tools Enabling Security
The challenges all security professional faces have not changed – limited resources, widening scope and breadth, and continually evolving threats.
To cope with these challenges, there have been increasing industry conversations with varying concepts pointing towards reducing load and prioritising security as an organisational concern than a cybersecurity team-only concern. The concepts revolve around ‘Moving Security Left’ (with DevSecOps), overcoming ‘Security versus Convenience’ and Smarter Automation.
Smarter automation, such as adopting tools, can assist organisations in coping with these challenges. With limited resources, tools can help organisations deal with risk by directly addressing the threats mentioned earlier. For organisations that have not explored using these tools or organisations looking to strengthen their security posture in these aspects, here are some solutions that can aid organisations in their walk towards a compliance-driven approach, specifically for those in the ‘maturing’ stage of cybersecurity capability:
Endpoint security – Endpoint / Extended / Network Detection and Response (EDR/XDR/NDR):
With people identified as the largest attack surface within organisations, EDRs are impactful tools in enabling monitoring, enforcement of policies and quick response on the endpoints. XDRs collect and correlate data from several components, while NDRs provide extended capabilities around network visibility. Depending on the tool, these could include several other capabilities, such as Data Loss Prevention and File Integrity Monitoring.
Cloud Security – Identity and Access Management (IAM), Encryption and Key Management Tools, Network Security Tools, and etc.:
Cloud Security is too broad a category to be on its own – however, considering the usual context on how ‘cloud’ is used, Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) service providers will usually provide security support on their platform. Focus will then fall on areas where tools are needed to support the integration of cloud security requirements with data not on the cloud.
- Cloud Access Security Brokers (CASB): CASB tools help to secure the integration of off-cloud infrastructure with the cloud environment. They provide visibility, control, and security enforcement for traffic flowing between the off-cloud infrastructure and the cloud services. CASB tools can enforce policies, monitor data transfers, and apply encryption and access controls to ensure the security of data and applications in transit.
- Application Programming Interfaces (API) Security Tools: APIs play a crucial role in integrating off-cloud infrastructure with cloud services. API security tools help protect the APIs used in the integration process. They can provide authentication and authorisation mechanisms, enforce API usage policies, detect and prevent API-based attacks.
Security Information and Event Management (SIEM) Tools:
SIEM tools collect and analyse log data from various sources within an organisation’s IT infrastructure, such as network devices, servers and applications. They provide real-time monitoring, correlation and analysis of security events, enabling the detection of potential threats. SIEM tools often incorporate incident response features such as alerting, workflow management and forensic analysis to support effective incident response.
Third-Party Risk Management Tools:
These tools assist organisations in assessing, monitoring, and mitigating risks associated with their relationships and interactions with third-party vendors, suppliers and service providers. These tools focus on evaluating the security posture of third parties and managing the potential risks they pose to an organisation.
conclusion
The list of tools is non-exhaustive but just an indication of what the average organisation should look towards based on the trends from recent threats and updates to guidelines. In conclusion, by complementing tools with compliance-driven considerations into cybersecurity strategy, organisations can ensure that their cybersecurity efforts are aligned with organisational objectives while meeting compliance requirements.
Author:
Lim Quan Heng, Regional Head of Asia
Lim Quan Heng is passionate in making, breaking things and is driven to solve hard problems. As an entrepreneur active in the field of cyber security, he enjoys tinkering with electronics and writing code. He loves sharing the importance of cyber security with businesses, and helps in aligning it to their business strategies.
