Daniel Blum - Academia.edu
Papers by Daniel Blum
The security-related roles discussed in Chapter 2 must be enacted in security governance and established in security policy. Security governance is a set of processes and capabilities operated jointly by security and business leaders to establish and oversee appropriate operation of the security program. Through security governance, the combined leadership can manage cybersecurity risk, security policy, resource allocation, and reporting to executives and stakeholders.
Rational Cybersecurity for Business, 2020
Cyber-resilience provides the ability to withstand and mitigate the impacts of information risks. Businesses can start to become more resilient by identifying their critical assets, top risk scenarios, and basic contingency plans. Then, by aligning technical security capabilities with IT operations and other business functions, security leaders can enable the business to detect suspicious or anomalous events earlier, and respond to and recover faster from incidents such as breaches or system outages. Incident response (IR) is closely linked to security monitoring and detection. It should be managed by a dedicated group (or person) that coordinates closely with security operations, legal, HR, and other functions. Businesses should develop response plans for common types of incidents and for potential incidents from top risk scenarios. Enact response in a structured manner wherein each business function has a script for its part; for example, after a data breach, IT restores affected systems to normal operation, public relations communicates with the media, and the legal team notifies customers or partners of lost personal information. Businesses can lay the groundwork to enable recovery from serious incidents by performing business impact assessments that identify critical assets and developing business continuity plans to restore or recover the assets. Recovery plans may overlap response plans in the case of cyber-incidents, requiring that business continuity teams and IR teams coordinate. Strictly operational incidents such as hardware failures fall purely in the purview of the business continuity function.
Rational Cybersecurity for Business, 2020
Access control is required for most IT assets, and many of the access rules must be managed by nontechnical business users. The work of managing access controls ("access governance") involves both identity and access management (IAM) and data protection disciplines such as information classification and data governance. IAM and data governance are vital for reducing breach risk and complying with privacy-related regulations. IAM alone represents three of the control domains from Chapter 6's list of 20 control domains. IAM is technically complex and highly people centric. It requires cross-functional engagement across many business, IT, and development teams. In short, the perfect storm for Rational Cybersecurity! Most digital businesses literally can't run without digital identity authentication, authorization, and access management capabilities. Paradoxically, the more dependent digital business becomes on digital identity, the more privacy risk it creates for persons, and that feeds back into regulatory and reputation risk for the business. Personal data has been termed "the new oil": as much as it powers business, it's toxic when spilled. And yet we rely on IAM not only to identify and authenticate users, services, and devices but also to enable digital relationships. Access control may protect the business, but digital identity enables it. If a business were committed to being agile and flexible at all costs, it would tend to grant high levels
Rational Cybersecurity for Business, 2020
Information Standards Quarterly, 2014
This has been Rational Cybersecurity for Business: The Security Leaders’ Guide to Business Alignment. I’ve made this guidance as detailed and specific as possible because all too often, we get only platitudes or generalizations on the topic. We can’t afford that anymore. Misalignment between security and the business has a corrosive effect on any security effort it touches. And as organizations transform into digital businesses, they fall under increasing IT-related risk and regulation. Aligning security to business leaders and business processes is exponentially more important now.
Amid complex business, technology, regulatory, and threat landscapes, risk management is a complicated discipline. Businesses need an organizing framework. In this chapter, I’ll use the ISO 31000 Risk Management model – which enjoys broad industry consensus – as our organizing framework. I’ll walk through each element of the framework while providing guidance for security leaders on how to align with diverse business stakeholders on building or improving risk management processes.