APT Defense: Executing the Right Standards
Deciding Who Should 'Own' Those Standards
In addition to adopting the right IT security standards to help safeguard systems against advanced persistent threats, organizations need to pick the right people to carry out those standards, says Jon Long, director of compliance solutions at CompliancePoint, an information security consultancy.
Long, who will be a featured speaker at Information Security Media Group's Global APT Defense Summit near New York on Oct. 22, says organizations must take steps to ensure selected standards don't end up as documents filed away on bookshelves that are never used. That may require a change in the corporate culture to make certain someone takes ownership for the standards and their execution.
Most organizations give ownership of standards to a security or compliance officer, but Long suggests "filtering that ownership down to the lowest level of the organization" to the people responsible for and most familiar with implementing security controls and safeguards.
In an interview with ISMG, Long discusses establishing an IT security baseline that should help organizations build a defense against advanced persistent threats. He says the foundation of that baseline incorporates:
- Technology: The basics of cyberdefense are analogous to fielding a strong football team, with skilled players representing the right technologies, Long says. "You want to choose the best defensemen you can, with the best skills, and employ those in the various zones to cover the areas that need protection."
- People: Developing a strong cyberdefense goes beyond merely hiring the right people with the right skills; timely training is key. "You've got to make sure they're competent and then you've got to make sure they're staying competent."
- Processes: Organizations must smartly adopt the appropriate critical security controls and standards. "To determine whether a standard is useful or not, you have to understand what it was developed for," Long says. For instance, he says, some organizations apply PCI DSS, a credit card security standard, in places where it may not be suitable.
More information about ISMG's Global APT Defense Summit, to be held at the Hilton Meadowlands in East Rutherford, N.J., is available online.
As director of compliance solutions, Long leads development of CompliancePoint's products. He is a Certified Information Systems Auditor as well as a Qualified Security Assessor in the Payment Card Industry.