Upgrade, to FUNCTIONAL cybersecurity - part 2/2


In part 1 of this newsletter, we discussed the need to adopt the 'Functional cyberSecurity' framework, as it is the ONLY way that brings us nearer to laying the groundwork for holistic, new-age digital risk management.

In part 2, we define this framework's fitment with internal and external auditors as its audience. They tend to 'live by the book' and are sometimes oblivious of concepts such as infrastructure as code (IaC) and all-encompassing services like Azure Web Apps or Elastic Beanstalk. We now discuss the remaining 2 of the 5 principles that form the core of this framework.

4. It's a Unified & Integrated Digital Risk Management Framework

As CIOs morph into Chief Digital Officers (CDOs) and CDOs morph into Chief Operating Officers (depending on the maturity of digitized or automated supply chains within an enterprise), security leaders (BISOs, CISOs etc.) will soon find themselves filling the role of Chief Digital Risk Officer, with certain financial risks (credit, market, liquidity etc.) falling outside their ambit. Keeping that near future in mind, the Functional cyberSecurity framework has a 1-to-1 mapping with five of the most recent and relevant industry standards, which helps it identify and treat digital risks effectively.

  • ISO 27001/2:2022. Information security, cybersecurity and privacy protection management system.
  • ISO 27701:2019. Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management (an upgrade of this standard is due in Q4 2024).
  • ISO 42001:2023. Information technology, Artificial intelligence management system.
  • ISO 22301:2022. Security and resilience, Business continuity management system.
  • PCI DSS v4:2022. Payment Card Industry Data Security Standard (for FinTech/Retail sector enterprises).

The domains of information security, data privacy, trustworthiness (security and privacy) of enterprise use of artificial intelligence, and securing credit card transactions (where applicable) are tied back to business process criticality (business impact analysis). As these domains are fast merging under common risk treatments, these five industry standards are used to create an initial risk management framework that serves the entire digital landscape. Moreover, all 5 of these are certifiable standards, giving management and regulators independent verification and validation of the effectiveness of FcS.

5. Proactive Prevention - Shift Left Now!

Lastly, Functional cyberSecurity places strong emphasis on proactive measures that prevent security incidents before they occur. The shift-left security principle aims to embed security in the digital solution development process and considers security from the inception of application or system design. Tools that undertake Interactive Application Security Testing (IAST), Runtime Application Self-Protection (RASP), secrets detection or dependency scanning help developers shift security to the left within the DevSecOps lifecycle, leading to more secure codebases.

Similarly, to guard against distributed denial of service (DDoS) attacks on microservices-based architectures, it emphasises securing the service discovery and API gateway components by implementing access controls, rate limiting, bot management and other security mechanisms. These and more are catered for in the digital security policies that are part of the FcS framework.

Overall, Functional cyberSecurity offers a proactive, personalized and collaborative approach to security that enables organizations to better understand, prevent and mitigate threats in today's digital threat landscape.

By embracing these five principles, organizations will enhance their defense posture and create a demonstrable, repeatable model for business resilience.

Feel free to connect with me directly or join the peers on the UAE | DIGITAL CISO Group to get to know more about this end-to-end digital risk management framework, which makes it a breeze to create strategy, define related programs and create policies with embedded KRIs, leading to automated board and executive dashboards.
