MS Amlin CISO Ali Zeb: split your security teams into 'strategic security' and 'technical security'

Finance industry security pro Ali Zeb explains how he approaches the basics for tackling corporate security

Organisations ought to break their IT security functions into two: a strategic side and a technical side, according to Ali Zeb, chief information security officer (CISO) at global insurance firm MS Amlin.

Zeb was speaking at last week's Computing Cyber Security Strategy Briefing, one of a number of events for IT leaders Computing will be running this year.

"My approach [as a CISO] has been to split it into two separate sections. I set up two teams: one is strategic security and the other is technical security," said Zeb.

He continued: "This is... where many companies go wrong: they build a security function and think they should be able to deal with everything. But in my experience… it always helps to break it down into a strategic function and a technical function."

On the strategic side, staff need to be expert in regulatory compliance, security frameworks, policies and so on, while the technical side needs specialists with a deep, hands-on understanding of networks, firewalls and the security risks they present.

Strategic versus technical security

Strategic security                  Technical security
Security framework                  Hardware hardening
Policy development                  Incident response
Awareness campaigns                 Firewalls
Security procedures                 Anti-virus software
Regulatory compliance               Intrusion detection and prevention
IS management systems               Vulnerability scans
Risk analysis                       Penetration testing
Best practices                      Data-loss prevention tools
Data privacy                        Access control
Crisis management                   System security
Organisational view                 Network security
Security regardless of technology   System monitoring
Government models                   IT disaster recovery

At the same time, said Zeb, organisations need to adopt a framework by which they can manage each element of their cyber defences. This could be based on ISO 27001, but Zeb also pointed to the SANS Institute's 20-point Critical Security Controls as a comprehensive alternative that covers pretty much all the bases.

Organisations - especially IT and security departments - invariably have a habit of skipping frameworks and going straight to the technology, warned Zeb, because putting frameworks and management structures in place "is the boring part of security".

He added: "Many people don't realise how crucial having the right policy or framework in place is. But having a framework doesn't necessarily mean having to certify to your framework. It's just aligning yourselves so you're following the controls, which are set out by frameworks."

SANS Institute Critical Security Controls

No.  Description                      No.  Description
1    Inventory of devices             11   Control of network ports and services
2    Inventory of software            12   Privileged account management
3    Secure device configuration      13   Boundary defence
4    Vulnerability management         14   Maintenance, monitoring and analysis of audit logs
5    Malware defences                 15   Access control
6    Application software security    16   Account monitoring
7    Wireless access control          17   Data protection
8    Data recovery capabilities       18   Incident response and management
9    Security training                19   Secure network engineering
10   Secure network configuration     20   Penetration testing

The numbering above follows version 5 of the controls; the list has since been revised and renumbered and is now maintained by the Center for Internet Security as the CIS Controls.

For example, he continued, an audit of devices and software might sound relatively trivial, but many organisations really don't know exactly what devices they have connected to their networks, nor the software that ought to be running on staff devices.
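The check behind controls 1 and 2 is a reconciliation: whatever is discovered on the network or installed on a host must map back to an approved record, and every gap is an exception to chase. The script below is an added illustration of that check and is not from Zeb's talk or from MS Amlin. It parses constructed arp -a and dpkg -l output, compares it with placeholder approved lists, and reports devices with no record, registered devices that were not seen, packages that are not on the baseline and approved packages running an unexpected version. The register, baseline and sample output are all made up for illustration; a real deployment would feed the same logic from DHCP leases, switch MAC tables, NAC or an endpoint agent.

```python
"""Reconcile what is actually present against an approved inventory.

Added illustration of controls 1 (inventory of devices) and 2 (inventory of
software). Every input below is constructed sample data, not a real network
or host, and the approved lists are placeholders a real deployment would pull
from a CMDB, DHCP/NAC records or an endpoint agent.
"""
import re

# Constructed sample in the format of `arp -a` on Linux. The last entry has
# no MAC yet (an unanswered request) and must not be counted as a device.
ARP_SAMPLE = """\
gateway (10.0.0.1) at 00:11:22:33:44:01 [ether] on eth0
printer-2f (10.0.0.20) at 0:11:22:33:44:20 [ether] on eth0
? (10.0.0.77) at de:ad:be:ef:00:77 [ether] on eth0
? (10.0.0.99) at <incomplete> on eth0
"""

# Constructed approved device register, keyed by normalised MAC address.
APPROVED_DEVICES = {
    "00:11:22:33:44:01": "core gateway",
    "00:11:22:33:44:20": "second-floor printer",
    "00:11:22:33:44:30": "finance NAS",
}

# Constructed sample in the format of `dpkg -l`. Only rows whose status is
# "ii" (installed) count; "rc" rows are removed packages with leftover config.
DPKG_SAMPLE = """\
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version               Architecture Description
+++-==============-=====================-============-========================
ii  curl           7.81.0-1ubuntu1.16    amd64        command line tool for transferring data
ii  openssh-server 1:8.9p1-3ubuntu0.6    amd64        secure shell (SSH) server
ii  sudo           1.9.9-1ubuntu2.4      amd64        Provide limited super user privileges
ii  ncat           7.91+dfsg1+really7.80 amd64        NMAP netcat reimplementation
rc  telnetd        0.17-45build1         amd64        telnet server
"""

# Constructed software baseline: package -> set of approved versions, or None
# when any version of the package is acceptable.
APPROVED_SOFTWARE = {
    "curl": {"7.81.0-1ubuntu1.15"},
    "openssh-server": {"1:8.9p1-3ubuntu0.6"},
    "sudo": None,
}

ARP_LINE = re.compile(r"^\S+ \(([\d.]+)\) at ([0-9a-fA-F:]+) ")
DPKG_LINE = re.compile(r"^([a-z]{2})\s+(\S+)\s+(\S+)\s+(\S+)")


def normalise_mac(mac: str) -> str:
    """Lower-case and zero-pad each octet so '0:11:22:33:44:20' matches the register."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def parse_arp(text: str) -> list[tuple[str, str]]:
    """Return (ip, mac) pairs for complete ARP entries; incomplete ones have no MAC to match."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((m.group(1), normalise_mac(m.group(2))))
    return entries


def reconcile_devices(arp_text: str, approved: dict[str, str]) -> dict[str, list]:
    """Split discovered devices into unknown (not on record) and record entries not seen."""
    seen = parse_arp(arp_text)
    unknown = [(ip, mac) for ip, mac in seen if mac not in approved]
    seen_macs = {mac for _, mac in seen}
    missing = sorted(mac for mac in approved if mac not in seen_macs)
    return {"unknown": unknown, "missing": missing}


def parse_dpkg(text: str) -> list[tuple[str, str]]:
    """Return (package, version) for installed rows only, dropping any ':arch' suffix on the name."""
    installed = []
    for line in text.splitlines():
        m = DPKG_LINE.match(line)
        if m and m.group(1) == "ii":
            installed.append((m.group(2).split(":")[0], m.group(3)))
    return installed


def reconcile_software(dpkg_text: str, baseline: dict) -> dict[str, list]:
    """Flag packages absent from the baseline and approved packages at a non-approved version."""
    unapproved, drift = [], []
    for name, version in parse_dpkg(dpkg_text):
        if name not in baseline:
            unapproved.append((name, version))
        elif baseline[name] is not None and version not in baseline[name]:
            drift.append((name, version, sorted(baseline[name])))
    return {"unapproved": unapproved, "version_drift": drift}


if __name__ == "__main__":
    print("devices:", reconcile_devices(ARP_SAMPLE, APPROVED_DEVICES))
    print("software:", reconcile_software(DPKG_SAMPLE, APPROVED_SOFTWARE))
```

Run directly, it prints both reports. The "missing" and "version_drift" buckets are where the point above bites: a register that lists a NAS nobody can find, or a baseline that still names last month's curl build, is as much an inventory failure as an unknown laptop on the network.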

Computing's IT Leaders Forum 2017 is coming on 24 May 2017. The theme this year is "Going Digital: Why your most difficult customer is your best friend".

Attendance is free, but strictly limited to IT Leaders. To find out more and to apply for your place, check out the IT Leaders Forum website.