Soteryan’s Salim Neino sets out the five key building blocks that companies need to focus on in order to create a solid cyber security strategy.
Maintaining a solid cyber defence is challenging and relentless. Not only do chief information security officers (CISOs) find themselves waging a defensive war in a constantly changing threat landscape, they can find themselves battling on the home front to secure the budgets they need to do their job.
Return on investment (ROI) and analytics are the bane of cyber security. Even with companies being breached all around you, and the threat of heavy fines under GDPR, there is still no way to prove exactly what your spending is saving, because companies that spend on security get breached anyway.
This means that having a solid, over-arching security strategy in place is essential; without one there is no justification for increasing budgets. But here there is another challenge: every company is different and there is currently no template to work to. Without a template some would rather do nothing, but in today's climate, with tightening regulations in the US and the European Union, doing nothing is not an option.
With this in mind, here are the five key pillars that will enable CISOs to build their own bespoke cyber security strategies:
1/ Threat Modelling
You need a clear understanding of the threats that are relevant to your business. All businesses are different, and too often security professionals set out to solve every problem for every company. In reality companies have very different models: the security needs and priorities of a chemical company and a financial company will differ hugely. If you understand where your business and its attack surface fit, you can target your resources far more accurately.
2/ Security Analytics
There is an old customer service truism to keep in mind here: if you don't tell your customers what you're doing, they'll assume you're doing nothing. In this instance your customer is the board. You have to be able to account in some way for your performance and present it to them as a report. This is an area where many CISOs fall down, because it is difficult to do with security: you are often doing a great deal, but there is little to report, as it takes a huge amount of time to aggregate that information into meaningful reporting. If you put a security analytics programme in place you will be able to report more effectively on what you are doing and build the board's confidence in you.
3/ Business Risk
Most companies have only a partial view of their risks, which means any security strategy is likely to be flawed in some way. For example, organisations amass large amounts of sensitive personally identifiable information, from social security numbers to driver's license numbers and credit card details, across a wide range of storage media, most of which the organisation does not know about. Unless you have full visibility of this data you cannot manage the full extent of your risk; understanding, measuring and putting a value on that risk is essential.
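Getting that visibility in practice means scanning storage for records that look like PII and validating the candidates so the count you put in front of the board is not inflated by false positives. The following is an added example, not Soteryan's code or tooling: it runs regex candidates for social security numbers and payment card numbers over a constructed in-memory corpus (standing in for a crawl of file shares, mailboxes or database exports), validates card candidates with the Luhn check, masks what it finds, and ranks locations by an assumed per-record weighting. The file paths, contents and weights are all constructed for the demo; driver's license formats vary by issuing state and are left out.

```python
"""Minimal PII discovery scan: regex candidates, Luhn validation, ranking.

Added example, not Soteryan's code. Corpus and weights are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed corpus. A real job would walk os.walk()/SMB/S3 and read objects.
SAMPLE_FILES: Dict[str, str] = {
    "hr/onboarding_2019.csv": (
        "name,ssn,start\n"
        "A. Example,123-45-6789,2019-03-01\n"
        "B. Example,456-78-9012,2019-04-15\n"
    ),
    "finance/refunds.txt": (
        "Refund to card 4111 1111 1111 1111 approved.\n"   # Visa test number
        "Second refund 5500-0000-0000-0004 approved.\n"    # Mastercard test number
    ),
    "support/tickets.log": (
        "ticket 1234-5678-1234-5678 opened\n"   # 16 digits but fails Luhn
        "customer reference 000-12-3456\n"      # SSN-shaped, invalid area 000
    ),
    "eng/README.md": "Nothing sensitive here.\n",
}

# SSN: AAA-GG-SSSS; area 000, 666 and 900-999, group 00 and serial 0000 are
# never issued, so reject them up front. Still only a heuristic.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidate: 13-19 digits with optional single space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Assumed relative weights per record type; tune these to your threat model.
RECORD_WEIGHT = {"ssn": 10, "card": 8}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked_value) for each validated hit in text."""
    hits: List[Tuple[str, str]] = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # drops order/ticket numbers that merely look like cards
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def scan(files: Dict[str, str]) -> Dict[str, Counter]:
    """Count validated records per path; paths with no hits are omitted."""
    report: Dict[str, Counter] = {}
    for path, text in files.items():
        counts = Counter(kind for kind, _ in find_pii(text))
        if counts:
            report[path] = counts
    return report


def rank_by_exposure(report: Dict[str, Counter]) -> List[Tuple[str, int]]:
    """Weighted record count per path, highest exposure first."""
    scored = [
        (path, sum(RECORD_WEIGHT[kind] * n for kind, n in counts.items()))
        for path, counts in report.items()
    ]
    return sorted(scored, key=lambda item: -item[1])


if __name__ == "__main__":
    found = scan(SAMPLE_FILES)
    for path, score in rank_by_exposure(found):
        print(f"{score:4d}  {path}  {dict(found[path])}")
```

Only masked values ever leave the scanner, so the report itself does not become a new copy of the data. The weighting is deliberately crude; the point is that a ranked list of where the sensitive records actually live is what lets you decide which storage to protect first, rather than treating every share the same.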
4/ Finding the Right Partners
There is a very real shortage of skilled people in the cyber security sector, so CISOs need to work twice as hard to surround themselves with subject matter experts who can genuinely help them. This is likely to mean looking outside the company, while taking care to check the credentials of your trusted advisors: some people have jumped on the cyber security bandwagon without growing up with the sector, and lack the depth of knowledge you need.
5/ Build a Security Framework
Your framework is a set of security guidelines that sets out how your security procedures are managed. It needs to be repeatable and capable of being delegated to as many people as possible. There are plenty of resources to draw on: a customised, prioritised ISO 27001 control set, or the NIST Cybersecurity Framework weighted to your specific needs. Prioritising the framework ensures you are not trying to "boil the ocean". For example, with the SANS Top 20 Critical Security Controls (now maintained as the CIS Controls), nobody needs, or is able, to implement all 20 controls at once; by prioritising the list against your own needs, you protect what matters to your business.
The critical underlying point that runs through all this is that you can’t put the same level of vigilance on everything when you’re creating your strategy – you need to focus on the areas that can hurt you and build out from there. This is the core of what threat modelling is all about, security analytics is the measurement of that and risk assessment is looking at which items to protect.
If you then add the right people into this you create a formal security programme where everyone knows what they are doing and understands the cyber risks. Everyone knows what matters to the company, and you know where your company’s weak points are and can plan an agile roadmap to manage your security position.
You’ve now moved from fire-fighting to focussing the limited resources and budget at your disposal in the best way possible. Even if you do get hacked you can show clearly what you’ve done and why, and that puts you in a position of power.