In order to optimize your security, it’s crucial to understand it correctly – what does “security” actually mean? The term is tossed around a lot, and it’s important to clarify the two types – holistic security and contextual security – and how they can work tightly together.
Some say, “Security is a peace of mind,” but I disagree. Security is a continuously pursued goal – it is always ahead of you, always moving further away, always requiring you to adapt and improve. That means that when talking about security, it is a discussion about what degree of security you strive for, rather than having an end-all be-all solution.
But what elements does security consist of? Is it some sort of procedure you apply to your processes, a state of your IT environment, or perhaps a set of devices and systems you've purchased that shape your defense? Actually, it is all of that – and more. Security also includes the knowledge and plans that help you stay protected from both outside and inside threats. Whatever helps you prepare for a disaster or recover from security incidents is also considered “security”.
An important factor that is still missing in this definition is the “what” – “What do we want to protect?” To put it simply, it's all your valuables, whether tangible or intangible. It can be equipment you don’t want destroyed or stolen, or know-how or a business strategy you strive to keep secret from competitors. It can also be the state of your business, such as business operations that either withstand attacks or recover from them quickly. Anything that you feel is important for your business requires some level of protection.
To sum it up, in order to speak about security you need to know:
• What you want to protect
• What loss you want to avoid (or be prepared to recover from)
• How you want to protect against that loss
There are different things you can implement or do to achieve a satisfactory degree of protection. Some of them are holistic: universal and well established. Others are very contextual: designed to protect a very specific purpose, or to work only in a specific environment.
Defining holistic security – general and standardized
It is only natural to be drawn to what is already known, standardized and tried-and-true. Using holistic security allows you to take a much broader view of your current security challenge or a future issue, as well as obtain a benchmark for how effective planned controls and countermeasures will likely be. When using holistic security, the goal is to have universal security principles that will support the appropriate enforcement and monitoring procedures.
An example of this approach is the internal information security policy, which every company has. It addresses the whole company by setting requirements and responsibilities for every employee, internal organization and business process. It is independent of the underlying technology, as it does not require a deep understanding of fine-grained details, and can be applied across a broad spectrum of processes. It reflects an organization’s vision and strategy through key security principles.
But how do you take universal security knowledge and make it applicable to a project – let’s say, a software development project? You have to mold the security practices to be cross-functional and understand the bigger picture right from the start. So instead of having a security committee approve the project at the beginning and placing a penetration tester at the end of the development phase, you should consider having a security architect and security specialists present throughout the whole project. This ensures you have a cross-functional security core throughout the project: from the feasibility analysis and design phase, through implementation and testing, up to deployment and maintenance. Only a sound security architecture that integrates layers of protection with layers of engineering resources, and couples these with layers of your IT operations, will ensure that the universal principles in your policy are implemented throughout the whole project and do not lose any of their intended purpose.
Defining contextual security – specific and less well-known
On the other hand, the implementation of security controls is often driven by the technology itself; this is what we call contextual security. For example, when you install new technology that comes paired with a new database, you have to learn about the security mechanisms available, understand the new threat landscape and then take action to protect the system. Or when designing a new vehicle, you also build security into both software and hardware modules to protect the end product – a car. All of this is necessary to protect your assets from threats that are specific to your environment, aligned to the asset profile, or adjusted to the business process reality and the technology ecosystem behind it. This requires a sound understanding of the technology stack along with deep industry focus.
The ability to leverage up-to-date knowledge, very narrow expertise and industry best practices is the focal point of securing new technology. This is reflected in a number of security expertise areas in the market, such as penetration testing that is specialized by industry and technology.
Having a web application security expert on board does not necessarily help test the security of a car or an IoT device – the base principles and skills cannot simply be transferred to other areas with the same expert outcomes. Only by putting security into the context of what you are protecting, how you want to do it, and with what capabilities, are you able to protect against real threats. This results in proper controls that work most efficiently for your situation, an assessment of the relevant risks, and the greatest security return on investment (ROI).
Q: Which should you choose?
A: Both… Let me explain.
Right now we are experiencing the rise of digital technology across a number of industries. Digital transformation happens so fast, enabling great potential but also showing us that old approaches often fail to keep up with the pace of the digital wave.
The truth is, what we need to keep up is a tight coupling of holistic and contextual security. You cannot be sure that well-known, universal principles will work with brand new technology, where the possibilities have yet to be defined. In the same way, you cannot trust deep, contextual security efforts alone to keep everything safe, since they focus on narrow technology stacks. You must set up a security program that holistically covers and oversees security efforts, maintaining integration and a unified direction, while at the same time putting your efforts into the context of your business, technology and challenges.
Luxoft already operates in a number of industries, driving digital transformation across the market with top engineering and offering the best industry solutions. Over the years, Luxoft has accumulated holistic information security (InfoSec) expertise and experience that is now being replicated, adapted and contextualized for every customer challenge. Together with our deep industry focus, we deliver holistic and contextual InfoSec services – what’s necessary for businesses to survive in this digital age.
InfoSec Director, Luxoft Digital