Data. Everything revolves around it in today’s digital era. Consider the increased interactions between humans and machines or machines and devices. Our evolving interconnected world continues to generate data from phones, computers and other smart devices (TVs, thermostats, speakers and lights for example).
But how do we know when our data is being collected, stored and accessed by another system? Do we know what data is being pushed to the cloud from our smart devices? And, what if our data can be accessed by someone who should not have access to it?
To protect important and confidential information at an enterprise level, companies build a plan; buy appropriate tools; and design safeguards for it. Assigning liability to a data collector is not enough, companies need to make sure that data remains safe. So, what steps should organizations take to better protect data?
Setting High Security Standards
While we cannot assess the security maturity of all vendors, we can gauge their transparency about disclosing security issues. When the products they sell have a potential security vulnerability or the data they collect is potentially accessed as the result of a security incident, what is their incident response process and how do they inform customers?
Most vendors use security tools such as automated intrusion detection systems, firewalls, anti-virus and manual reporting processes to help identify anomalies. But, without a process to quickly and accurately identify events that pose serious security threats, vendors can be exposed to a higher risk of a breach. What they need is a comprehensive security program that includes proven response practices to prevent similar attacks from reoccurrence and to protect them from new or zero-day vulnerabilities.
At Acuity Brands we recognized the need to enhance the prevention aspect of our product security team’s program. In the security world, prevention programs like this are commonly put in place by a Product Security Incident Response Team, or PSIRT.
PSIRT’s charter is to identify strengths and gaps within the security program for technology products and services. The team takes a proactive and centralized approach to address security concerns in the increasingly digital and cloud-based business environment driven by the unknown. In our company’s situation, this charter applies to all Acuity Brands’ products containing software or firmware components in their use, maintenance or management. PSIRT’s daily job is to manage receipt, investigation and notification procedures regarding security vulnerabilities and security incidents with stakeholders such as consultants, customers and security researchers.
The goal is two-fold: to prevent any exposure of data and to maintain the integrity of the operating environment. It is a supplement to our security program, going beyond the basic embedding of tools into policies and practices across a businesses’ functions. And, to be clear, our data does travel at the speed of light.
Our team has experts with an average security experience of over 20 years. They are already working with our analyst firms, customers, technology partners and others to establish best practices in the industry. Read more about the PSIRT and the security model developed to boost cloud security with a vulnerability-identification and prevention program.
Wouldn’t it be nice for a vendor to embed security in all aspects of development processes? Look for future blog posts that will dive into the security model in detail. The goal is to create a dialogue around the security profile of organizations and businesses, which is focused on securing products and services in our digital era. You can reach me at Jazib.firstname.lastname@example.org.
Vice President Security Architecture
Acuity Brands Lighting
Jazib Frahim has worked in the Information and Cyber Security domain for over 20 years, dedicating the scope of his professional career to secure IT and IoT infrastructures. He has developed many Cyber-Security solutions, frameworks and methodologies that focus on information protection and business agility. These solutions are designed to align with market trends, customer needs and growth targets. He has authored six books, is a named inventor on six patents/patent applications and has presented at various executive forums, CISO Seminars and major industry events.