Q&A: Setting Up a Second Line of Defense

Organizations will have to accept that their gates will be breached and begin preparing their second line of defense -- data platforms -- to mitigate the damage caused by attacks that get through.

To truly secure your enterprise, you’ll need more than one line of defense. You must recognize the breaches, then understand how and when they occurred and what to do to minimize any damage. To learn more about what’s involved and what skills are needed, we turned to Gavin Michael, chief technology innovation officer at Accenture.

Enterprise Strategies: Why are these breaches getting through the first line of defense?

Gavin Michael: More and more systems are being connected. Virus scanning and penetration testing need to be done, but those are just the basics. Organizations need to move beyond these steps. With the complexity of systems and connectivity across systems and devices, perimeter defense will never be 100 percent secure. Cost, speed, and resources also factor into why systems will never achieve a 100 percent security level. Breaches will happen, and we believe that's the new reality -- the real differentiator is how you respond. Given enough time and resources, a determined attacker will find a soft target and exploit an organization for fun or profit.

What is involved in a second line of defense? What type of security?

The new strategy is about recognizing the breaches but also understanding more about how and when, and what to do to minimize any damage. Before anything can be done, you need to detect the breaches. Having a flexible data platform enables you to access, aggregate, and analyze the data you need in order to connect the dots faster and understand anomalies that can point to the source of the breach.

To connect those dots, organizations need to be monitoring enterprise business data. This will be a different focus than what has been traditionally monitored within security operations -- business processes incorporate external data from partners and may process data remotely that isn’t easily understood by observing logs.

Companies can benefit from developing security operations playbooks for these breaches in critical business processes -- especially as they’re critical to business operations and reputation. These playbooks should integrate the roles of all the providers in an enterprise to act in concert -- starting with the vendor management process. Leading enterprises in this space understand the value and execute back-to-back SLAs across their multi-provider environment.

From research conducted by the Ponemon Institute, we see that leaders understand that a breach is more than a security event -- it involves crisis management, customer relationship management, and effective communications. They coordinate security with all areas of their business and are less likely to experience breaches as a result.
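One concrete form of the data-platform analysis the answer above describes, added here as an illustration and not code from the interviewee or Accenture: it aggregates two constructed event streams (an internal order log and a partner shipment feed) into hourly counts per partner, scores each hour against a robust baseline (median and median absolute deviation, so a single spike cannot distort the baseline it is measured against), and then correlates orders with shipments so a flagged hour can be traced to the specific orders the partner never confirmed. The record layout, the partner name, the 3.5 threshold and all sample data are assumptions.

```python
"""Added example (not from the article): aggregate business-process events from
two constructed sources, flag anomalous hours, and trace them to the records
behind them.

Assumptions: events are dicts with order_id, hour and partner; the 3.5 cutoff
on a robust z-score is a common starting point, not a value from the interview.
"""
from collections import Counter, defaultdict
from statistics import median


def build_sample():
    """Constructed data: an internal order log and a partner's shipment feed.

    Normal hours carry 10-12 orders, all confirmed by the partner. Hour 17 is
    injected with 60 orders of which the partner confirms only 12, the kind of
    cross-source discrepancy that reading one system's logs would not reveal.
    """
    orders, shipments = [], []
    order_id = 0
    for hour in range(24):
        count = 60 if hour == 17 else 10 + (hour % 3)
        for i in range(count):
            order_id += 1
            orders.append({"order_id": order_id, "hour": hour, "partner": "acme"})
            if i < 12:  # the partner feed only ever confirms up to 12 per hour
                shipments.append({"order_id": order_id, "hour": hour, "partner": "acme"})
    return orders, shipments


def hourly_counts(events, partner):
    """Aggregate one partner's events into a count for every hour 0..23."""
    counts = Counter(e["hour"] for e in events if e["partner"] == partner)
    return {hour: counts.get(hour, 0) for hour in range(24)}


def robust_zscores(series):
    """Score each point against the median, scaled by the median absolute
    deviation (MAD); unlike mean/stddev, one outlier cannot inflate the scale."""
    values = list(series.values())
    centre = median(values)
    mad = median(abs(v - centre) for v in values)
    if mad == 0:
        # Flat series: there is no spread to scale by, so nothing is scored.
        return {k: 0.0 for k in series}
    # 0.6745 rescales MAD to be comparable with a standard deviation for normal data.
    return {k: 0.6745 * (v - centre) / mad for k, v in series.items()}


def unshipped_orders(orders, shipments):
    """Connect the dots across sources: orders the partner never confirmed."""
    shipped = {s["order_id"] for s in shipments}
    return [o for o in orders if o["order_id"] not in shipped]


def detect(orders, shipments, partner="acme", threshold=3.5):
    """Return the flagged hours and, for each, the unconfirmed orders behind it."""
    scores = robust_zscores(hourly_counts(orders, partner))
    flagged = sorted(h for h, z in scores.items() if z > threshold)
    missing_by_hour = defaultdict(list)
    for o in unshipped_orders(orders, shipments):
        if o["partner"] == partner:
            missing_by_hour[o["hour"]].append(o["order_id"])
    return {
        "flagged_hours": flagged,
        "scores": scores,
        "unshipped_by_hour": {h: missing_by_hour[h] for h in flagged},
    }


if __name__ == "__main__":
    sample_orders, sample_shipments = build_sample()
    result = detect(sample_orders, sample_shipments)
    for hour in result["flagged_hours"]:
        print(f"hour {hour:02d}: z={result['scores'][hour]:.1f}, "
              f"{len(result['unshipped_by_hour'][hour])} orders never confirmed by partner")
```

The two halves matter together: the volume score says which hour deserves attention, and the cross-source join turns that into a list of order identifiers an incident responder or fraud team can act on. Replacing the constructed `build_sample` with reads from the real order system and partner feed is the only change needed to run it over production data.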

What new skills are needed in order to execute this new second line of defense? Is this adding to the security operations workload?

IT should start to build skills and capabilities in analytics reporting and data processing, and then apply these skills to security operations (e.g., statistics, reporting packages, hypothesis development, machine learning, alternative database technologies).

In addition to the technology skills, security teams will need to be able to understand marketing, supply chain, and CRM business operations issues so they can secure these processes.

This will add some effort to the security organization, but the result will be a more integrated and seamless monitoring of critical business functions and a response capability. How much more this adds to their workload depends on how much the organization needs to prioritize security on business processes that are currently unmonitored. It also provides the opportunity for the organization to re-orient the efforts they spend on day-to-day incident response and focus on how they can better align security investments and metrics with the business objectives.

What should the organization do over the next 12 months to prepare?

IT organizations should consider the following steps:

  • Establish processes that make robust, flexible security a priority when IT systems are being designed and developed.

  • Demonstrate compliance at any time as a result of security investments -- rather than letting compliance drive security investments.

  • Create clear orchestration roles that specify how IT works with service providers.

  • Rework all SLAs that prevent the organization from responding immediately (and appropriately) to threats.

  • Identify the skills necessary to manage a data platform for IT security.

  • Define a well-practiced, collaborative, strategic response to sophisticated and determined attacks.

  • Implement effective mechanisms for regular, actionable dialogue with business functions about IT security issues.
