Protecting your company’s assets from an increasingly diverse range of cyberattacks requires employing all sorts of measures to enhance information security. However, given the breadth of security measures available, it is likely that more than a few companies are at a loss about where to begin. We asked Osamu Watanabe and Marika Mori of NRI SecureTechnologies (NRI Secure) about why it’s important to visualize your security measures.
“Sorting” Is the Key to Efficiently Pursuing Security Measures
Cyberattack methods are becoming more and more diverse these days, with techniques such as targeted attacks aimed at confidential information held by companies, DDoS attacks that create enormous processing loads on web servers to disrupt normal operations, and ransomware fraud, which was a hot topic last year. Companies need security measures to protect their assets from these kinds of cyberattacks, but no solution provides absolute security simply by being adopted, and various means need to be employed to enhance security. However, given the breadth of security measures available, more than a few companies are at a loss about where to begin. Given these circumstances, what is the first step companies should take? Osamu Watanabe, Senior Security Consultant at NRI Secure, offers the following advice.
“You have to firmly define what needs to be protected within your company, and then work out a complete picture of the security measures you need to do so”, he says. “After that, you go about sorting between the aspects you’ve been able to implement and those you haven’t. If you know where you don’t have effective measures in place, you can choose to prioritize those areas, and if your measures are excessive in any way, you also have the option of making the decision to discontinue them. We see this sorting as being an extremely important process for efficiently pursuing your security measures.”
Forming a definite and total picture of your security measures and sorting out your operational situation enables you to “visualize” your security, which not only makes it easier to explain the details to top management, but also is useful for contemplating the next measure to be taken. These days in particular, security needs to be regarded as a management issue, and top management needs to contribute actively to promoting security measures, meaning that visualizing the situation is extremely important for them to fulfill their responsibilities to stakeholders.
A Framework for Comprehensively Diagnosing the Status of Your Security Measures
NRI Secure has built a unique framework that will enable companies to visualize the status of their security measures.
“There are various types of frameworks out there, but they have different purposes and applications, as well as different viewpoints for analysis, so it’s been difficult for companies to have a perfect command of them. In order to comprehensively implement the security measures that companies need, NRI Secure has created a new framework that we believe to be the best based on its track record, and we’re giving consultations on how companies can visualize the status of their security measures on the basis of that framework.”
Based on this framework, NRI Secure is now providing a new service free of charge known as “Secure SketCH”. This service works by having users answer 78 questions, and then producing an assessment comparing your responses against the statistical data of at least 600 Japanese companies. Here to explain the advantages of this service is Marika Mori, a Security Consultant at NRI Secure who was involved in the development of “Secure SketCH”.
“Security measures aren’t just about the technical aspect of deploying anti-malware software or a firewall—you have to take measures from a non-systems perspective as well, with things like employee training and creating incident response teams. One of the features of this framework is how it allows you to comprehensively decide all of those things. While our base framework involved some 170 questions to start with, we also extracted their core essence and narrowed it down to 78 questions, so that security officers at our client companies would be able to run their own diagnostics.”
Watanabe also had this to say. “It’s not just a matter of what you’ve implemented. What’s also important is the maturity of your measures, namely in terms of whether you have an established process for periodically conducting reviews and running updates. The framework integrated in Secure SketCH also incorporates criteria for judging the maturity of your measures.”
Visualizing Your Priorities and Creating Security Enhancement Measures from the Most Important Ones
When you answer its questions, Secure SketCH outputs an assessment comparing your responses to the statistical data of at least 600 companies, displaying your score, rank, and deviation value. Not only does this let you grasp your company’s situation, but the service also comes with a function that helps you formulate plans for enhancing your security measures. On the screen showing your response assessment, the information is arranged based on the weighting defined by a security consultant. This lets you review your measures in order of importance, which helps when considering which measures should be implemented with greater priority. There’s also a feature for running a simulation to see how your assessment would change if a measure were actually implemented, and this too can be used when thinking about putting certain measures into practice.
In the future, we plan to provide screens that let you make comparisons and assessments based on industry type and sales volume, and provide a fee-based feature that allows you to visualize your state of compliance with cybersecurity guidelines. We are also looking into providing a group diagnostic feature for grasping and assessing the status of measures for the overall group in a centralized way.
Lastly, Watanabe says, “We’re keen to have companies try our service, especially those that have never before had the opportunity to consult about security. Secure SketCH incorporates a framework that NRI Secure actually uses in its consultations, and was specially developed to allow companies to rapidly and effectively understand their situations. We encourage our clients to make use of this new service, so that it can serve them by revealing the current situation with their security measures and helping them formulate policies going forward.”
NRI SecureTechnologies members Mori (L) and Watanabe (R)
Nomura Research Institute, Ltd.
Corporate Communications Department