The Status Quo and Solutions of Enterprise Security Architecture System

1. The status quo of enterprise security
Since the end of 2016, with a wave of network security incidents and the attention paid to network security at the national level, network security has been elevated to a matter of national strategy. The "fifth space" (cyberspace) is a new frontier in the construction of national sovereignty.

As China's opening up to the outside world expands and deepens, and Chinese companies go global and invest in multinational ventures, corporate network security has also become an important part of the fifth space from a security perspective. However, in my years of security work I have found that many enterprises, especially domestic ones, lag far behind developed countries in their awareness and protection of the fifth space. The reasons for this are varied, both internal and external.

This article summarises the various problems enterprises encounter in building and defending the fifth space, and at the same time draws on that experience to offer direction and ideas for Chinese enterprises and government in building the fifth space.

At the same time, after Snowden's PRISM disclosures, the importance and value of network information security to national security was also recognised.

2. Problems faced by enterprises at this stage
Since the WannaCry outbreak in 2017, enterprises have recognised the importance and value of network information security. However, they encounter a variety of problems when building their own network and information security systems.

2.1 Lack of security personnel
Compared with system engineers, network engineers, programmers, operations and maintenance staff, quality assurance (QA) staff and so on, network security personnel face relatively high requirements and need a broad body of knowledge spanning multiple disciplines. For example, holders of the well-known US CISSP certification need to understand nearly ten domains, including laws and regulations, the information asset life cycle, cryptography, physical security, communications security, identity security, security assessment and testing, security operations, and software development security.

Understanding this knowledge and being able to apply it, together with the related experience, to actual work requires years of experience in the security field. This conflicts with the rule at many Chinese Internet companies of not hiring employees over the age of 35.

Another point is that the salaries of experienced security practitioners are generally low, because in most companies I have come into contact with, security positions are placed under the IT department, or even under operations and maintenance managers, which inevitably leads to a mismatch between income and responsibility.

Suggestion: refer to the GDPR, implemented in Europe last year. Enterprises holding data above a certain volume must appoint a DPO (Data Protection Officer), and in the event of a major security incident or data leak these DPOs can report directly to the dedicated government data security department. The DPO's duties are protected by law, and a company cannot dismiss a DPO because it is dissatisfied with the DPO's work.

At present, China's "Network Security Law of the People's Republic of China" has made clear that enterprise security must be implemented by designated people, and the responsibilities and penalties of security personnel have been clarified at the legal level. However, it is still necessary to grant a corresponding scope of authority to the security personnel who bear this responsibility, in order to break the imbalance between responsibility and authority.

2.2 Much security spending produces no real benefit
Among the many companies I have been in contact with, some company leaders said that the investment in security products is truly huge, that security is a luxury, and that whether or not they invest makes no real difference to the operation of the enterprise.

There is a bewildering variety of firewalls, intrusion detection systems and anti-virus software, and many vendors exaggerate their products in their marketing, promising "firewalls" and "impenetrable walls", which has turned much corporate security investment into wasted money.

There are even listed companies that, when hit by ransomware, simply ask a supplier to pay, then reimburse the supplier for the ransom through a contract, and have done the sums: assuming ransomware strikes once a year, each payment is 300,000 to 500,000, whereas investing in security costs no less than 500,000 yuan per year and is a long-term commitment. And with so many Chinese companies, not every one of them will be hit every year.

Suggestion: testing the efficacy of security products is the problem this article sets out to solve; enterprises can refer to the "Application-oriented Enterprise Information Security Architecture System" below. Security awareness also needs to be regulated through policies, regulations, financial supervision and other means. Mechanisms such as appointing and registering enterprise information security officers and mandatory information disclosure can also help enterprises establish long-term security mechanisms.

2.2 Transferring Security Costs
Many companies shift the cost of their security onto third-party companies or individuals. For example, in 2018 the personal information leak at HZ Group ultimately caused more than 500 million Chinese personal data records to flow overseas, and a problem created by the enterprise was in the end borne by individuals.

2.3 Blind selection of security products
Because of the peculiarities of domestic industry procurement and the value system of domestic enterprises, most security hardware and software vendors and integrators sell in a top-down manner. Because decision makers lack an actual security framework and have a relatively one-sided understanding of the actual products, a great deal of security investment ends up going to waste. For example, many business leaders blindly listen to the pitch for DLP and spend a great deal of money and manpower on it; in most of the DLP projects I know of, the staff resisted and the money was wasted in the end.

Suggestion: multinational companies spend a lot of time on research before establishing a security baseline, and even hire a professional security consulting company to design it. Domestic enterprises would do well to engage a security consulting company for some preliminary work before establishing a security baseline, which ensures that the company's selection of security products has a clear direction.

2.4 Lack of systematic guidance for establishing security baselines
This problem is similar to the previous one. Some companies do attach importance to security, but their lack of good systematic guidance is really an extension of the problems in 2.1 and 2.3 above. It is common to find that a company's most important core databases are not protected at all while a great deal of money is spent on network security.

2.5 Summary
For most enterprises, a qualified security consulting company and senior security personnel should be engaged to thoroughly sort out the enterprise's security framework and security planning.

In most cases, security personnel or a security consulting company need to first sort out the enterprise's business and data, and then design a security framework suited to the enterprise's specific situation. At the same time, security personnel must keep up with laws and regulations. At present, many multinational companies have set up security departments and compliance departments in China; these departments report directly to the CEO, CSO and CIO.

The introduction of the "Information Security Level Protection Management Measures" also reflects the government's intention to set a security baseline for enterprises. Having a qualified security consulting company sort out an enterprise's security brings clear improvement, from the information level up to the level of personnel awareness. The "Application-oriented Enterprise Information Security Architecture System" also helps enterprises establish their own information security baseline.

3. How to resolve conflicts during development
For an enterprise and an entrepreneur, the primary goal is to run the business, produce products or services, and sell them for profit; other matters are not the enterprise's concern. But as the degree of enterprise informatisation rises, the status of security rises with it. To get the maximum effect from security investment, information security construction should proceed gradually and in an orderly way, first establishing a security baseline in which responsibility is assigned to specific people. The promulgation and revision of relevant laws such as the Internet Law and the Personal Privacy Law require companies to assume their social responsibilities from a legal standpoint.

The "Application-oriented Enterprise Information Security Architecture System" is a step-by-step framework for enterprise security construction, applicable once the security baseline has been established and the actual security owners and handling personnel are in place.

This framework has been used by many large Internet companies and some multinational companies. I hope it can help, and serve as a reference for, enterprises and security practitioners in their security construction.

4. Application-oriented enterprise information security architecture system
The application-oriented enterprise information security architecture system mainly protects the information and data on the enterprise's network and terminals; it does not cover the physical security of those devices.

The architecture is designed so that all data can be physically reached, suspicious data is analysed in depth, and malicious behaviour is blocked, with the least possible impact on the enterprise's business and in the most precise way possible.


Origin blog.csdn.net/Arvin_FH/article/details/132274307