Every IT environment requires a secure architecture to withstand cyber threats. How can you build or adapt your IT architecture to cope with the current and future threat landscape? And how does this architectural design fit into your overall cyber defense strategy? With these questions in mind, Stefaan Van daele, Executive Security Architect, IBM Security Elite team, exchanged views and discussed the CISO’s role during the first edition of DPI’s CISO certification course.
Why is an organization attractive to cyber criminals?
“Twenty years ago, business security translated into tech solutions and reporting,” says Van daele. “Still today, seventy percent of security is covered by compliance.” But a shift is needed: “Today, it’s all about having a clear understanding of the threat landscape: knowing why your organization is vulnerable fuels your strategy and your budgetary needs.”
Articulate the threat landscape to management
Leadership must understand the costs and benefits of a holistic security approach, and it is the CISO’s job to articulate them clearly. Strategy and budget negotiations are core competencies of a Chief Information Security Officer. According to Stefaan Van daele, explaining the threat landscape to management is a conditio sine qua non for earmarking the cyber security budget that is needed. “According to IBM’s annual 2022 Cost of a Data Breach Report (now in its 17th year of publication), the average cost of a data breach is €4.1 million. This insight can help management to understand the impact of cyber incidents.”
Translate the threat landscape into a security architecture
With a clear strategic plan at hand, the organization is ready to develop a security architecture. “But there is no such thing as A security architecture,” Stefaan says. “CISOs need to understand the difference between the structure and behaviour of the organization’s security process (aka security governance, also referred to as Enterprise Security Architecture); the structural security components that are needed in the IT architecture, such as identity and access management principles, secure coding and security-related operations (the Security Architecture); and the security of a solution, such as a SaaS application (the Architecture of a Security-Specific Solution). A CISO must understand the relations between these architectural tasks and how they interact.”
Zero Trust as leading principle
During the first CISO certification course, Stefaan walked through the most common architectural designs in cybersecurity; one of them, Zero Trust, was covered in more depth. This architectural principle eliminates implicit trust, including the trust traditionally granted to anything connected to the internal network, and continuously validates every stage of a digital interaction. “Zero Trust is designed to protect modern environments and enable digital transformation by using strong authentication methods, leveraging network segmentation, preventing lateral movement, providing threat prevention, and simplifying least-privilege-related policies. Using Zero Trust as a guiding architectural principle is key to building a modern security architecture,” according to Stefaan Van daele.
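As an added illustration of what “eliminate implicit trust” and “continuously validate” mean in practice, the Python sketch below is a minimal policy decision point written for this page; it is not code from the course, from DPI or from IBM. Every request is checked against the identity (strong authentication and how recently it was verified), the device posture, and an explicit least-privilege grant for the resource; the network the request arrives from is deliberately never consulted, so a request from the corporate LAN gets no head start over one from the internet. The resource names, sensitivity tiers, thresholds and sample requests are constructed assumptions.

```python
"""Minimal Zero Trust policy decision point (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset
    mfa_verified: bool
    auth_time: datetime  # when the user's credentials were last verified


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    patch_age_days: int


@dataclass(frozen=True)
class Request:
    principal: Principal
    device: Device
    source_network: str  # "corp-lan", "vpn", "internet": recorded, never trusted
    resource: str
    action: str
    now: datetime


# Assumed resource policy: sensitivity tier plus explicit role -> action grants.
RESOURCE_POLICY = {
    "hr-db": {"tier": "high", "allow": {"hr-analyst": {"read"}, "hr-admin": {"read", "write"}}},
    "wiki": {"tier": "low", "allow": {"employee": {"read", "write"}}},
}
# Assumed thresholds per tier; high-sensitivity data demands fresher authentication
# and a tighter patch window.
MAX_AUTH_AGE = {"high": timedelta(minutes=15), "low": timedelta(hours=8)}
MAX_PATCH_AGE_DAYS = {"high": 14, "low": 45}


def evaluate(req: Request) -> tuple[str, list[str]]:
    """Return ("allow" | "deny", reasons). Default deny: every check must pass."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return "deny", ["unknown resource"]
    tier = policy["tier"]
    reasons: list[str] = []

    # 1. Identity: strong authentication, re-validated per request against the tier's freshness limit.
    if not req.principal.mfa_verified:
        reasons.append("mfa required")
    if req.now - req.principal.auth_time > MAX_AUTH_AGE[tier]:
        reasons.append(f"re-authentication required for {tier} tier")

    # 2. Device posture: an unmanaged or stale device is denied regardless of who is using it.
    if not req.device.managed:
        reasons.append("unmanaged device")
    if tier == "high" and not req.device.disk_encrypted:
        reasons.append("disk encryption required")
    if req.device.patch_age_days > MAX_PATCH_AGE_DAYS[tier]:
        reasons.append("device patch level too old")

    # 3. Least privilege: the action must be explicitly granted to one of the principal's roles.
    allowed_actions: set[str] = set()
    for role in req.principal.roles:
        allowed_actions |= policy["allow"].get(role, set())
    if req.action not in allowed_actions:
        reasons.append(f"role lacks '{req.action}' on {req.resource}")

    # req.source_network is intentionally unused: location on the network grants nothing.
    return ("allow" if not reasons else "deny"), reasons


# Constructed sample requests.
NOW = datetime(2024, 1, 1, 12, 0)
alice = Principal("alice", frozenset({"employee", "hr-analyst"}), True, NOW - timedelta(minutes=5))
alice_stale = Principal("alice", frozenset({"employee", "hr-analyst"}), True, NOW - timedelta(minutes=30))
bob = Principal("bob", frozenset({"employee"}), True, NOW - timedelta(hours=1))
laptop = Device("lt-1", managed=True, disk_encrypted=True, patch_age_days=3)
byod = Device("phone-9", managed=False, disk_encrypted=True, patch_age_days=3)

SAMPLES = {
    "fresh_read": Request(alice, laptop, "internet", "hr-db", "read", NOW),
    "stale_session": Request(alice_stale, laptop, "internet", "hr-db", "read", NOW),
    "corp_lan_unmanaged": Request(bob, byod, "corp-lan", "wiki", "read", NOW),
    "write_without_grant": Request(alice, laptop, "vpn", "hr-db", "write", NOW),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        decision, why = evaluate(req)
        print(f"{name:22} {decision:5} {'; '.join(why)}")
```

Note that the "fresh_read" request is allowed from the public internet while the "corp_lan_unmanaged" one is denied from the corporate LAN: the decision rests on who, on what device, for which resource, and how recently that was proven, which is the property the principle is after.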
“During the first CISO certification course of DPI, it was my goal to bring the often very technical concepts of security architecture to a ‘suitable enough’ level for the CISO to have a meaningful conversation with the architects on the one hand and the management on the other hand. It is important that they are all able to speak the same language, which is why this training is geared towards bridging the gap between business risks and the more technical side of things.”