
Elite CIOs, CTOs & execs offer firsthand insights on tech & business. Opinions expressed by Forbes Contributors are their own.

Post written by

Gene Fredriksen

As Chief Information Security Strategist, Gene is responsible for PSCU's cybersecurity strategy and its stance on cyber security.


Each new year should begin with a review of your organization’s current and desired security posture. If the current processes and systems are not robust enough to withstand the demands of the organization, it is a mistake to simply add horsepower to the flawed structure. A necessary starting point is assessing the people, processes and technologies within your organization and determining where changes need to be made to ensure an effective future security strategy.

The most important steps companies can take to improve and build their cybersecurity practices include an analysis of three critical elements:

Roles And Responsibilities For Security Within The Organization

While all three elements are a critical part of the analysis, the first step should always be analyzing roles and responsibilities within the organization. The problems that quickly derail security and regulatory initiatives typically stem from unclear definitions of who is responsible for which security technology, process and action. Two areas in particular — the overlap of duties and the segregation of duties — bring additional clarity to an organization's current practices when analyzed closely.

• Overlap of duties: Using the RACI (responsible, accountable, consulted, informed) model, each critical security action must have exactly one accountable entity assigned to it. That person or group is ultimately answerable for the correct and thorough completion of the task, even when several "responsible" parties do the work. For example, moving an application to production must have only one accountable entity. Having multiple groups with the authority to move an application to production could result in downtime or worse — it could expose security vulnerabilities to the internet. The overlap of duties also causes confusion about priorities, uncertainty about whether a task is complete, and disputes over who should approve a particular change.

• Segregation of duties: This is not a new concept. In the days of paper checks, the person who wrote the checks was not the same person who signed them. Today, segregation of duties serves two objectives. The first is prevention: a preventive control removes the opportunity for intentional or unintentional damage to the organization's reputation or assets. The second is detection. It is not always possible to implement preventive controls; in those cases, another set of controls is required to detect circumvention that could lead to a breach or information theft. When reviewing your company's current duties and responsibilities, you should be able to answer one simple question: Do the current definitions of roles and duties give any single person all the access necessary to breach your company's security and steal or export sensitive information? If the answer is "yes," the role in question must be redefined.
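The two checks described above (exactly one accountable party per RACI action, and no single person holding a toxic combination of rights) can be run mechanically over an exported role model. The script below is an added example, not code from the article or from PSCU; the RACI matrix, role-to-permission mapping, conflict pairs and user assignments are constructed for illustration and would be replaced by an export from your identity or change-management system.

```python
"""Role-and-duty review: flag RACI actions that do not have exactly one
accountable party, and users whose combined roles cover a toxic
combination of permissions (a segregation-of-duties conflict).

Added example; all data below is constructed for illustration."""

# Constructed RACI matrix: action -> {party: letter}.
RACI = {
    "deploy_app_to_production": {"release_eng": "A", "dev_lead": "R", "secops": "C"},
    "approve_firewall_change":  {"net_mgr": "A", "secops": "A", "net_eng": "R"},   # two A's
    "rotate_db_credentials":    {"dba": "R", "secops": "I"},                       # no A
}

# Constructed role -> permission mapping (what each role can actually do).
ROLE_PERMS = {
    "developer":    {"commit_code", "read_test_data"},
    "release_eng":  {"deploy_prod"},
    "change_board": {"approve_change"},
    "dba":          {"read_prod_db", "export_prod_db"},
    "net_admin":    {"edit_firewall", "approve_change"},
}

# Constructed toxic combinations: holding both sides lets one person act
# without a second pair of eyes (write the check and sign it).
SOD_CONFLICTS = [
    ({"commit_code"}, {"deploy_prod"}),        # author and ship your own code
    ({"deploy_prod"}, {"approve_change"}),     # approve your own production change
    ({"edit_firewall"}, {"approve_change"}),   # open a hole and approve it yourself
    ({"export_prod_db"}, {"edit_firewall"}),   # pull the data and open the egress path
]

# Constructed user -> roles assignments.
ASSIGNMENTS = {
    "alice": {"developer"},
    "bob":   {"developer", "release_eng"},
    "carol": {"dba", "net_admin"},
    "dave":  {"release_eng", "change_board"},
}


def raci_violations(raci):
    """Return {action: [accountable parties]} for every action whose
    accountable count is not exactly one (zero or several)."""
    bad = {}
    for action, parties in raci.items():
        accountable = sorted(p for p, letter in parties.items() if letter == "A")
        if len(accountable) != 1:
            bad[action] = accountable
    return bad


def effective_permissions(user_roles, role_perms):
    """Union of the permissions granted by all of a user's roles."""
    perms = set()
    for role in user_roles:
        perms |= role_perms.get(role, set())
    return perms


def sod_violations(assignments, role_perms, conflicts):
    """Return {user: [(left, right), ...]} for each conflict pair whose
    both sides are fully covered by the user's effective permissions."""
    found = {}
    for user, roles in assignments.items():
        perms = effective_permissions(roles, role_perms)
        hits = [(sorted(a), sorted(b)) for a, b in conflicts if a <= perms and b <= perms]
        if hits:
            found[user] = hits
    return found


if __name__ == "__main__":
    for action, acc in raci_violations(RACI).items():
        print(f"RACI: {action} has {len(acc)} accountable parties: {acc or 'none'}")
    for user, hits in sod_violations(ASSIGNMENTS, ROLE_PERMS, SOD_CONFLICTS).items():
        for left, right in hits:
            print(f"SoD: {user} holds {left} together with {right}")
```

The conflict check works on effective permissions rather than role names, because the dangerous combination usually arises from two individually reasonable roles being stacked on one person (carol's DBA and network-admin roles above), not from a single badly designed role.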

Technology Controls To Detect Issues

Today, technology controls can support these critical security efforts. While technology is only one third of the people-process-technology triad, many of the high-volume processes businesses run today can only be monitored with it. For instance, to counter unauthorized disclosure of information, data leakage prevention (DLP) systems inspect outbound mail to ensure that neither the message body nor its attachments contain sensitive information; a DLP control that checks only the body and not the attachments, or that matches on bare digit patterns without validating them, will either miss the real leak or bury it in false positives. Other systems that monitor and report attempts to access information a user is not authorized to see are valuable for identifying potential trouble areas or associates. These controls are particularly valuable in regulated businesses such as financial services and health care.
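As an added example of the outbound-mail inspection described above (this is not the article's or any DLP vendor's code), the script below walks every MIME part of a message, including attachments, and reports payment-card numbers that pass the Luhn check. The sample message is constructed inline: the body carries a harmless order reference, a CSV attachment carries a valid test card number, and a binary attachment carries a number that fails Luhn and so is not reported.

```python
"""Outbound-mail DLP check: scan every MIME part of a message for
payment-card numbers (PANs) that pass the Luhn check.

Added example; the message built in build_sample() is constructed."""
import re
from email.message import EmailMessage

# 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the normalised digit strings of every Luhn-valid PAN in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_message(msg):
    """Walk all leaf parts (body and attachments) and return
    [(part name or content type, [pans...]), ...] for parts with findings."""
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            text = part.get_content()
        else:
            # Binary attachment: best-effort decode. A production DLP engine
            # would hand PDFs, office files and archives to a format parser.
            payload = part.get_payload(decode=True) or b""
            text = payload.decode("utf-8", errors="ignore")
        pans = find_pans(text)
        if pans:
            findings.append((part.get_filename() or ctype, pans))
    return findings


def build_sample():
    """Constructed outbound message: clean body, leaking CSV, decoy binary."""
    msg = EmailMessage()
    msg["From"] = "ops@example.com"
    msg["To"] = "partner@example.net"
    msg["Subject"] = "Monthly export"
    msg.set_content("Hi, order ref 1234-5678 is attached.\n")        # 8 digits: ignored
    msg.add_attachment("customer,card\nsmith,4111 1111 1111 1111\n",  # Luhn-valid test PAN
                       subtype="csv", filename="export.csv")
    msg.add_attachment(b"notes 4111 1111 1111 1112 end",              # fails Luhn: not reported
                       maintype="application", subtype="octet-stream",
                       filename="notes.bin")
    return msg


if __name__ == "__main__":
    for name, pans in scan_message(build_sample()):
        print(f"BLOCK: {name} contains {len(pans)} card number(s)")
```

The Luhn check is what keeps a rule like this usable: an order number, a phone number or a timestamp can easily be 13 to 19 digits long, and rejecting the ones that fail the checksum removes roughly nine out of ten such false positives before a human has to look at them.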