Having worked for many large organizations in cyber security, I regularly come across enterprise security, and over the years I have learned why this is an important part of the security landscape, as I need to be aware of enterprise security in my role as a cyber security architect.
So, what’s the difference between enterprise security and cyber security? As a general rule, enterprise security consists of the strategies, policies, standards and techniques that govern how an organization deals with security as a whole, whilst cyber security concentrates on securing the relevant parts of an organization against cyber threats and cyber attacks, typically the areas where systems and services connect to and from the internet.
Organizations need enterprise security to define how they will deal with security across the whole organization. This gives them a consistent approach to security and to the potential security issues that could arise.
This consistent approach protects the organization better against security attacks, because it lets the organization be proactive rather than reacting piecemeal. So, for example, if the organization’s enterprise security team has a policy on how information needs to be protected, including standards on how the data itself must be protected, then that policy and those standards can be adopted by the whole organization, including those who work in cyber security.
During my work in cyber security, I regularly have to advise on levels of encryption, including the use of acceptable ciphers, especially when it comes to securing data, and I rely heavily on the security standards advocated by the enterprise security teams for the minimum level of encryption required.
If the enterprise security teams have mandated AES-256 as the minimum level of encryption in their accepted security standards, then I will work to ensure the systems and services in my scope are using at least AES-256. Anything higher than this is fine, as it still meets the enterprise security minimum standard, whilst a lower encryption standard fails to meet the enterprise security standards and will be classed as a risk.
What is meant by Enterprise Security?
Enterprise security means defining security measures across the whole organization through strategies, policies and standards, and assessing how compliant the organization is with the measures defined. This allows the organization to assess its security posture and determine the risks arising from any deviation, that is, from non-compliance.
By using this approach, enterprise security can help minimize the potential fallout from security attacks and threats, as all parts of the organization will have the same level of protection. This means the overall security posture of the organization is protected, instead of there being pockets of substandard protection in different parts of the organization.
A security strategy is vitally important as it defines how an organization views its security concerns and how it plans to deal with them. So, a concern about protecting the organization from potential security threats could be addressed by ensuring a security policy exists that highlights the important assets, from information and infrastructure to applications, that need to be protected.
A security policy is a statement of intent on how an organization will protect the security of an asset, a service or even a way of working. Policies are defined by the enterprise security team and cover a wide area of security responsibility, from information security, email security, infrastructure security and workplace security to third-party security.
A security standard is a set of rules used to satisfy the intent of a security policy; it provides the detailed means of ensuring that the intent, that is the goal of the corresponding security policy, is achieved.
What is Enterprise Security responsible for?
Enterprise security is responsible for ensuring a common approach to security across an organization, with each part of the organization conforming to the strategies, policies and standards that enterprise security defines. By doing so, the organization can deal with security in a consistent manner, providing enhanced protection from security threats and attacks.
Enterprise security is responsible for:
- Security strategy
- Security policies
- Security standards
- Security assessments
- Risk management
Enterprise security will then ensure the strategy, policies and standards are applied across the organization, allowing it to deal effectively with:
- information security
- infrastructure security
- email security
- application security
- workplace security
- supply chain security
- third party security
The individual strategies, policies and standards produced by the enterprise security team will be used by all areas of the organization to protect against potential security threats, with conformance to risk management.
An organization’s security strategy will highlight the security concerns the organization has and how these are going to be dealt with. So, a concern about dealing effectively with security incidents could be met by a strategy to use a security operations center (SOC), where full incident management and response services can be conducted.
Security strategies can also include deciding to use a security framework across the organization, such as SABSA (the Sherwood Applied Business Security Architecture), ISO 27001 or the NIST Cybersecurity Framework.
These security frameworks provide a baseline that sets the minimum security expectations, allowing an organization to have confidence that it has the basic security protections in place.
As I predominantly work with cloud technologies, a suitable enterprise framework like the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) allows me to review the levels of compliance at any organization I’m working for. Generally, the enterprise security teams will dictate the use of the Cloud Controls Matrix as part of their enterprise security strategy.
My job is then to ensure the related cyber security elements are compliant with this controls matrix. Any deviation where the controls are not present or are not adhered to satisfactorily will need to be risk assessed and reported back to the enterprise security team.
Security policies, as described above, are the enterprise security team’s statements of intent on how the organization will deal with each area of security, from information security, email security and infrastructure security to workplace security.
So, for workplace security, policies could include making sure documents are not left out on desks at the end of the working day (a clear desk policy) and ensuring workstations are protected from unauthorized access.
Security standards then give the detailed rules that satisfy a policy’s intent.
So, for a workplace security policy, the security standards to protect a workstation from unauthorized access could include ensuring the desktop is locked when unattended, that strong passwords are used, and that these passwords are changed on a frequent basis. One caveat a standard should settle explicitly: current guidance such as NIST SP 800-63B favours screening passwords against known-breached lists and forcing a change only on evidence of compromise, rather than routine rotation, so the standard should state which approach the organization takes.
By understanding the organization’s current security posture, enterprise security can determine any gaps in its security measures. These gaps can then be highlighted to the relevant security teams, along with the risk each gap presents, and effective measures to remediate the risk can be initiated by the risk owner.
This is where security assessments come into play: parts of the organization are assessed for compliance, generally when systems or services are being productionized, but also periodically, for example on an annual basis.
Organizations need to manage security risks effectively to ensure those risks do not end up damaging the organization financially or damaging its reputation. Would customers trust an organization with poor risk management whose customer information was consistently breached? No; customers would assume the organization is weak at protecting their data, and this would result in potential customer loss for the organization.
Risk Management Framework
Having a means of managing the organization’s security risks allows it to deal with those risks effectively. So, risks determined to be high will be put through a risk assessment, and any remediation requirements will be pushed through to either mitigate the risk or reduce its level.
Many organizations adopt a risk management framework as part of their overall risk management strategy, with the NIST Risk Management Framework being a popular choice, as it provides detailed guidance on dealing with risks and on adopting effective processes and procedures to manage them. It would be up to enterprise security to decide whether a risk management framework is required.
Security Risk Logs
The enterprise security team’s responsibilities also include managing the risk log for security issues. The security risk log provides a centralized repository of the security risks the organization is facing.
Managing the security risk log is important to ensure risks are not missed or forgotten, which would increase the potential damage the organization could face if a risk were realized.
Governance, Risk management and Compliance (GRC)
Risk management falls under the Governance, Risk management and Compliance (GRC) part of enterprise security. The governance part of GRC looks at how the organization’s security goals are being met; for example, the security goals around protecting information could be implemented through processes, policies and standards, and governance concentrates on the effectiveness of these.
Compliance looks at how the organization aligns itself with laws and regulations, so in the security space this could range from data privacy laws to industry-specific regulations that mandate a particular cyber security framework.
Why is Enterprise Security important?
Enterprise security is important as it provides an overarching and centralized blueprint for how an organization deals with security. Enterprise security makes the important security decisions around strategies, policies and standards, which are then filtered down to the other security functions in an organization, such as information security and cyber security, as well as to other parts of the organization.
This allows every part of the organization to view security in the same way, leading to security being adopted uniformly and protecting all parts of the organization alike.
Without enterprise security, different parts of the organization could deal with security in different ways, leading to uneven security across the organization and to potential compromises in the parts where security has not been effectively implemented.
As an example, if an organization doesn’t have enterprise security and therefore has no security strategy around information security, different parts of the organization could end up dealing with information security in different ways. Those parts that take a lax approach to information security could open themselves up to data breaches, resulting in information being stolen, deleted or manipulated.
What is Cyber Security?
Cyber security deals with the aspects of security involved in protecting against threats and attacks from the internet. These are commonly referred to as cyber threats and cyber attacks, as they originate from the internet, which is commonly referred to as cyber space.
Web applications and internet-facing APIs typically need the security protections defined by cyber security teams to protect against attacks. These protections range from web application firewalls (WAF) and anti-distributed denial-of-service (DDoS) protection to ensuring all systems and services reachable from cyber space are protected. So, if a web application connects to a backend database, then as part of cyber security the database needs suitable protections in place, such as encryption and access controls, even though the database itself is not internet facing.
Cyber security heavily references the enterprise security strategies, policies and standards to ensure consistency, so that, for example, the information security standards on encryption, including acceptable ciphers and minimum levels of encryption, are adhered to. This reduces the chance of deviation, where weaker ciphers or lower levels of encryption end up being used.
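As an added example (not code from the original article), the following Python encodes an assumed enterprise encryption standard of the kind described here and in the introduction (a minimum of AES-256, TLS 1.2 or newer, no legacy algorithms, authenticated cipher suites only; the exact values are assumptions, not any real organization’s standard) and checks a constructed inventory of systems against it. Anything at or above the minimum passes; anything below is reported as a deviation that could be raised on the security risk log, with forbidden algorithms rated high and a merely short key rated medium (the rating scheme is also an assumption).

```python
"""Evaluate observed TLS configurations against an enterprise encryption standard.

Added example, not code from the original article. The STANDARD values are
assumptions for illustration (not any real organization's standard) and the
inventory below is constructed sample data, not real systems.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed enterprise standard: "at least AES-256" style minimum key size,
# TLS 1.2 or newer, no legacy algorithms, and only authenticated (AEAD) suites.
STANDARD = {
    "min_symmetric_key_bits": 256,
    "min_tls_version": (1, 2),
    "forbidden_algorithms": {"RC4", "DES", "3DES", "NULL", "EXPORT", "MD5"},
    "require_aead": True,
}

TLS_VERSIONS = {"TLSv1": (1, 0), "TLSv1.1": (1, 1), "TLSv1.2": (1, 2), "TLSv1.3": (1, 3)}


@dataclass(frozen=True)
class Finding:
    system: str
    control: str    # which rule of the standard the system deviates from
    observed: str   # the offending TLS version or cipher suite
    severity: str   # "high" or "medium"; the rating scheme is an assumption here


def _normalise(suite: str) -> str:
    # Accept OpenSSL names (ECDHE-RSA-AES256-GCM-SHA384) and IANA names (TLS_AES_256_GCM_SHA384)
    return suite.upper().replace("_", "-")


def symmetric_key_bits(suite: str) -> Optional[int]:
    """Effective symmetric key strength implied by a suite name, or None if unrecognised."""
    s = _normalise(suite)
    m = re.search(r"(?:AES|CAMELLIA|ARIA)-?(\d{3})", s)
    if m:
        return int(m.group(1))
    if "CHACHA20" in s:
        return 256
    if "3DES" in s or "DES-CBC3" in s:
        return 112          # triple DES: 168-bit key, roughly 112-bit effective strength
    if "RC4" in s:
        return 128
    if re.search(r"(?<![3A])DES", s):
        return 56           # single DES
    return None


def is_aead(suite: str) -> bool:
    s = _normalise(suite)
    return any(tag in s for tag in ("GCM", "CCM", "CHACHA20-POLY1305"))


def forbidden_algorithms(suite: str, std=STANDARD) -> Set[str]:
    """Names from the standard's forbidden list that appear in the suite."""
    tokens = set(_normalise(suite).split("-"))
    hits = tokens & std["forbidden_algorithms"]
    if "DES" in tokens and "CBC3" in tokens:    # OpenSSL spells triple DES as DES-CBC3
        hits.discard("DES")
        hits.add("3DES")
    return hits


def assess(system: str, tls_version: str, suites: List[str], std=STANDARD) -> List[Finding]:
    """Return every deviation from the standard; an empty list means the system is compliant."""
    findings: List[Finding] = []
    if TLS_VERSIONS.get(tls_version, (0, 0)) < std["min_tls_version"]:
        findings.append(Finding(system, "min_tls_version", tls_version, "high"))
    for suite in suites:
        bad = forbidden_algorithms(suite, std)
        if bad:
            # A forbidden algorithm fails outright; no point also grading its key size
            findings.append(Finding(system, "forbidden_algorithm:" + ",".join(sorted(bad)), suite, "high"))
            continue
        bits = symmetric_key_bits(suite)
        if bits is None or bits < std["min_symmetric_key_bits"]:
            # Below the mandated minimum but not a broken cipher: still a risk, rated lower
            findings.append(Finding(system, "min_symmetric_key_bits", suite, "medium"))
        if std["require_aead"] and not is_aead(suite):
            findings.append(Finding(system, "require_aead", suite, "medium"))
    return findings


# Constructed sample inventory: a legacy system that deviates and a compliant one.
SAMPLE_INVENTORY: Dict[str, Tuple[str, List[str]]] = {
    "legacy-portal": ("TLSv1.1", ["AES128-SHA", "ECDHE-RSA-AES256-SHA384", "RC4-SHA"]),
    "payments-api": ("TLSv1.3", ["TLS_AES_256_GCM_SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305"]),
}


def compliance_report(inventory=SAMPLE_INVENTORY, std=STANDARD) -> Dict[str, List[Finding]]:
    """Map each system to its findings, the shape a risk log entry would be raised from."""
    return {name: assess(name, ver, suites, std) for name, (ver, suites) in inventory.items()}


if __name__ == "__main__":
    for name, findings in compliance_report().items():
        status = "COMPLIANT" if not findings else f"{len(findings)} deviation(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  [{f.severity}] {f.control}: {f.observed}")
```

Run as a script, the constructed legacy-portal produces five deviations (two high: the TLS 1.1 version and the RC4 suite) while payments-api is compliant. The point is the separation of concerns: the standard is data owned by enterprise security, the check is run by whoever owns the system, and every deviation comes out in a form that can be risk assessed and logged rather than argued case by case.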
Enterprise security is vitally important for organizations to be able to manage their security consistently across the whole organization. Without enterprise security, organizations run the risk of having different standards and approaches to security within their organization, leaving openings for security threats and attacks.
Enterprise security provides effective risk management of security issues and uses periodic security assessments to identify risks, which are documented for management in a centralized repository, the security risk log.
Cyber security provides the security measures to deal with cyber threats and attacks, relying on the enterprise security strategies, policies and standards for reference. This allows cyber security to provide the same consistent security as the other parts of an organization.