Constantly increasing cybercriminal activity feeds on the inadequate security measures employed in many organizations, and the public sector has arguably been more vulnerable because of the slow, red-taped nature of its institutions. The Baltimore ransomware attack is a clear example of unprepared, off-guard, and incompetent cybersecurity in the public sector. Underfunded IT and security functions, aging hardware, unpatched software, and a lack of risk assessment and risk management are an open invitation to any attacker.
The complexity of modern societies means that any one organization must rely on several other entities in order to function. Outsourcing has been a trend for many years, and it shows no sign of slowing down. According to a study conducted by Opus & Ponemon Institute, vendors or third parties are the cause of more than 60% of data breaches in the U.S. every year. Organizations need to be able to trust their vendors' security with all sensitive data, such as PII, PHI, and data in scope for PCI DSS. It is imperative to consider the organizational security posture as a whole, and supply chain security, including vendors, is certainly part of that posture.
The people, process, and technology (PPT) framework is about balancing the interaction of these three elements to improve the operational efficiency of an organization. In any organization, people do the work, processes make that work more efficient, and technology helps with automation and the quality of tasks. By applying PPT, an organization can expect three reasonable outcomes from any task under ideal conditions:
- Increased speed
- Improved efficiency
- Expectations met or exceeded
How can you measure or benchmark security solutions using standards such as the Common Criteria?
The Common Criteria, also known as the "Common Criteria for Information Technology Security Evaluation," is an international set of standardized guidelines that enables organizations to objectively evaluate and validate any product or system against pre-set, agreed-upon standards. These standards provide a practical way to ensure that users are purchasing equipment that has been independently verified and meets specific security requirements. Common Criteria certification is a mandatory requirement for the U.S. federal government. Many non-government organizations with higher security expectations, such as data centers, telecommunication companies, and financial and medical organizations, are also increasingly adopting these standards.
Threat modeling is a pre-defined procedure that helps the cybersecurity team actively identify potential threats, vulnerabilities, and security requirements; quantify the criticality of those threats; and find and prioritize remediation procedures. Threat modeling is a risk-based approach to designing a secure system. It covers threats and scenarios far more holistically than other security measures such as penetration tests or security awareness training. It is a complicated process, and