By Thomas Coffey, VP of Security, CISO Global, Inc.
A basic Google search for the term “cybersecurity” will turn up dozens of competing advertisements for companies promising to solve all your security woes and keep attackers at bay with their version of a “technology silver bullet” – the be-all and end-all that you must, according to them, purchase right now. It’s not that technology isn’t essential to your security strategy; it’s vital! But there will always be a need to build a solid, layered cybersecurity program that follows best practices and is focused not on technology, but on practitioners. In the age of AI, one may wonder why a need for practitioners even exists, but the answer is simple. Every solution, no matter how smart it is, has to be architected, configured, integrated with existing technology, and aligned to an organization’s business plans, not only for the present but for future growth. Those strategies can only come from an experienced practitioner. Practitioners have the experience, insight, and foresight to ensure you get the ROI you need from the technology you’ve purchased. This is a big part of what it means to build a culture of cybersecurity.
Building a practitioner-focused cybersecurity program requires a structured approach that involves several key steps. Here are some best practices for building a cybersecurity program that is focused on practitioners:
Conduct a Third-Party Risk Assessment
Start by having an objective party assess the cybersecurity risks facing your organization. This will help you identify and document a prioritized list of the corporate assets that need protection. While it may seem straightforward, you will quickly find that defining what data you have, how it is classified, where it lives, and what data you didn’t even know about is a revealing exercise. Environments change so quickly from year to year that having performed classification and assessments in the past does not mean you can skip an updated and thorough risk assessment. Once you know what you are working to protect, the expert who performed your cybersecurity risk assessment can then identify the types of threats and attacks that are likely to target those assets, as well as the vulnerabilities in your environment that attackers could exploit. Since attack trends change over time, it’s wise to work with someone who takes a risk-based, threat-informed approach and is very familiar with what’s happening both on the dark web and in the incident response sector.
Develop Cybersecurity Policies
Policy and documentation are probably the least “sexy” tasks associated with a cybersecurity program, but they are among the most important. Without policies, IT teams and end users are left to guess at what kinds of technologies, configurations, and activities are permissible as a means to accomplish their work. This creates a culture of subjectivity and relativism, which can give way to confusion, shadow IT, and even accidental (or intentional) internal compromise of valuable digital assets. Without policy, your teams have no single source of truth to instruct people with objectivity, which puts the onus on your IT teams to crack down on activities that are genuinely unclear to end users – a scenario that could foment friction between teams. Policies take subjectivity out of the equation, fostering an environment with defined parameters, where employees can work with confidence, knowing they are operating fully within technologies, practices, and configurations that the company has approved. Your cybersecurity policy will need to outline your organization’s goals, objectives, and strategies for protecting against cyber threats. Make sure the policy is clear, concise, and easily understood by leadership, practitioners, and end users alike.
Establish a Security Framework
Using your detailed risk assessment report, establish a security framework that defines the technical, administrative, and physical controls needed to protect your organization’s assets. Even if you are required to comply with the cybersecurity standards associated with frameworks such as HIPAA, PCI DSS, NERC CIP, or CMMC, it is wise to consider highly respected industry standards and select the best options among security practices to guide your efforts. To do this, aggregate all major standards with which you must comply into a single controls list that lets you meet most – if not all – requirements across those frameworks with the fewest controls, for efficiency. If, for example, you must meet both PCI DSS and GDPR requirements for data protection, and you are given the choice between basic encryption and tokenization to meet a requirement, you would choose to tokenize, as it satisfies both the PCI DSS and GDPR data protection requirements at the same time. The NIST CSF is generally accepted among practitioners as the most comprehensive, up-to-date framework currently available to support this aggregated approach to meeting multiple compliance frameworks concurrently. For that reason, many auditors and assessors use it as their default, unless auditing for a specific compliance need.
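The "fewest controls across several frameworks" idea above is a set-cover problem, and the tokenization-versus-encryption choice falls out of it naturally. The following is an added example, not code from the article or from CISO Global: a greedy control selector over a constructed catalogue. The framework names are real, but every requirement label and every control-to-requirement mapping is an illustrative assumption, not a quotation of PCI DSS, GDPR or CMMC text, and the mapping is the kind of judgement a practitioner would make during the assessment.

```python
# Added example (not from the article or CISO Global): picking the smallest set of
# controls that satisfies data-protection, access and logging requirements drawn from
# several frameworks at once. Framework names are real, but every requirement label and
# every control-to-requirement mapping below is a CONSTRUCTED illustration, not a quote
# of PCI DSS, GDPR or CMMC text.
from typing import Dict, List, Set, Tuple

Requirement = Tuple[str, str]  # (framework, short description)

REQUIREMENTS: Set[Requirement] = {
    ("PCI DSS", "protect stored cardholder data"),
    ("PCI DSS", "strong authentication for administrative access"),
    ("PCI DSS", "log and monitor access to cardholder data"),
    ("GDPR", "pseudonymise or encrypt personal data"),
    ("GDPR", "detect and report personal data breaches"),
    ("CMMC", "multifactor authentication for privileged accounts"),
    ("CMMC", "audit logging and review"),
}

# Candidate controls and the requirements each one is judged to satisfy.
CONTROLS: Dict[str, Set[Requirement]] = {
    "basic encryption at rest": {
        ("PCI DSS", "protect stored cardholder data"),
    },
    "tokenization": {
        ("PCI DSS", "protect stored cardholder data"),
        ("GDPR", "pseudonymise or encrypt personal data"),
    },
    "MFA for privileged accounts": {
        ("PCI DSS", "strong authentication for administrative access"),
        ("CMMC", "multifactor authentication for privileged accounts"),
    },
    "central log management with alerting": {
        ("PCI DSS", "log and monitor access to cardholder data"),
        ("GDPR", "detect and report personal data breaches"),
        ("CMMC", "audit logging and review"),
    },
    "quarterly manual log review": {
        ("CMMC", "audit logging and review"),
    },
}


def select_controls(requirements: Set[Requirement],
                    controls: Dict[str, Set[Requirement]]) -> Tuple[List[str], Set[Requirement]]:
    """Greedy set cover: at each step choose the control that satisfies the most
    still-unmet requirements (ties broken by name for determinism).
    Returns the chosen controls in selection order and any requirements that
    no candidate control can satisfy, so gaps are reported rather than hidden."""
    unmet = set(requirements)
    chosen: List[str] = []
    while unmet:
        best = max(controls, key=lambda name: (len(controls[name] & unmet), name))
        gain = controls[best] & unmet
        if not gain:
            break  # nothing left in the catalogue helps; the remainder is a gap
        chosen.append(best)
        unmet -= gain
    return chosen, unmet


def coverage_by_framework(chosen: List[str],
                          controls: Dict[str, Set[Requirement]],
                          requirements: Set[Requirement]) -> Dict[str, Tuple[int, int]]:
    """Per framework: (requirements met by the chosen controls, total requirements)."""
    covered: Set[Requirement] = set()
    for name in chosen:
        covered |= controls[name]
    report: Dict[str, Tuple[int, int]] = {}
    for framework, _ in requirements:
        total = sum(1 for f, _ in requirements if f == framework)
        met = sum(1 for f, _ in (covered & requirements) if f == framework)
        report[framework] = (met, total)
    return report


if __name__ == "__main__":
    picked, gaps = select_controls(REQUIREMENTS, CONTROLS)
    print("Controls to implement:", picked)
    print("Coverage:", coverage_by_framework(picked, CONTROLS, REQUIREMENTS))
    print("Unmet requirements:", gaps or "none")
```

On this catalogue the selector chooses central log management, tokenization and privileged-account MFA and never picks basic encryption, because tokenization covers the same PCI DSS requirement plus the GDPR one. Greedy set cover is an approximation, not guaranteed optimal, which is fine for a controls list that an assessor reviews afterwards; the returned `unmet` set is the part to watch, since any requirement left there needs a control the catalogue does not yet contain.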
Provide Training and Awareness
Providing training and awareness programs that help practitioners understand their roles and responsibilities in maintaining cybersecurity will upskill and empower your team to support continuous improvement internally. There is a seemingly limitless number of certifications and new awareness topics they will want or need to pursue to accomplish this goal, so I encourage you to consider annual and ongoing professional development investments. Not only will you increase your team’s ability to create a culture of cybersecurity, but you will continually reduce your organization’s odds of falling victim to attacks. After all, the more informed eyes and hands on your policies and technologies, the better. You can only be as strong as your team, and building expertise in-house enables you to empower your people to train their peers, lead more effectively, and stay on the same page with ongoing progress. You can begin with topics such as password management, phishing awareness, and incident response, and move into specific technology management certifications. Additionally, if your organization plans to expand its business lines, such as offering services to the DoD, you can plan for audits and upskill your teams to perform the expanded roles they will need to support compliance in those industries.
Implement Technical Controls
Once you have a security framework in place, you will need to architect and implement technical controls that align with it. Since most organizations building a cybersecurity program are not starting from zero, this is likely to look like a unified approach to improving your existing environment, in which you probably already have servers and some basics, like firewalls and backups. This is where you will need to make a strategic decision about how you want to work with vendors. If you’ve been working with a managed IT services provider (MSP), investigate the extent of their cybersecurity expertise. If you are not dealing with certified security architects and risk advisory consultants, this would be a good time to bring in someone with a Strategy & Risk practice, so they can help you avoid common mistakes such as bolting on point solutions instead of designing a secure architecture from the outset. Done properly, this can help you reduce vendor overload and avoid expensive system replacement projects in the future. An experienced Strategy & Risk expert will help you design MFA, intrusion detection and prevention systems, endpoint security, security monitoring, and other needed solutions. Make sure the controls are effective and regularly tested.
Establish and Test Incident Response Procedures
There is little worse in IT than facing an emergency cybersecurity situation for which you have no proper plan. Developing incident response procedures that detail how every member of your team will respond to cybersecurity incidents is essential. The plan should include procedures (aligned to your compliance frameworks) for internal call lists, backup and restoration, reporting incidents, isolating affected systems, legal response, cyber insurance, recovering from attacks, and more.
Once the plan is complete, you will not only want to educate and train internal stakeholders but engage in tabletop exercises to make sure the plan is airtight. Tabletop exercises are live simulations that should be performed by seasoned incident response professionals and consultants, as they will help you think through all aspects and scenarios you may have missed when designing your plan. For example, is there a plan for what to do if you lose access to backups, or power goes out, or you have staff turnover? Is there a media plan? What about legal? There are so many things to think about in emergency planning that it pays to get help finding and fixing your plan’s gaps during a live walk-through – before you are faced with a live cyber incident.
Monitor and Measure
Establish a monitoring and measurement program to track the effectiveness of your cybersecurity program. Use metrics such as the number of blocked attacks, time to detect and respond, the percentage of successful backup failover tests, vulnerability remediation progress (with an up-to-date list of outstanding vulnerabilities), and the number and cost of incidents over the previous year as an informal gauge of your program’s success. You should also perform regular penetration tests of your environment and any applications you are developing, and conduct regular security risk assessments to track progress over time and identify areas for improvement.
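The metrics listed above only become useful once they are computed the same way every reporting period. The following is an added example, not code from the article or from CISO Global, that computes mean time to detect, mean time to respond, the backup failover test success rate, and the remediation progress with the outstanding-vulnerability list from a handful of constructed records. The incident timestamps, `VULN-n` identifiers, and the per-severity SLA windows are invented placeholders, not real data or a real policy.

```python
# Added example (not from the article or CISO Global): computing the program metrics the
# section names from a few CONSTRUCTED incident, backup-test and vulnerability records.
# IDs, timestamps and SLA windows are invented placeholders, not real data.
from datetime import date, datetime, timedelta
from typing import Dict, List, Tuple

# Each incident: when it began, when it was detected, when it was contained.
INCIDENTS: List[Dict[str, datetime]] = [
    {"occurred": datetime(2024, 3, 1, 8, 0), "detected": datetime(2024, 3, 1, 10, 0), "contained": datetime(2024, 3, 1, 14, 0)},
    {"occurred": datetime(2024, 3, 10, 22, 0), "detected": datetime(2024, 3, 11, 4, 0), "contained": datetime(2024, 3, 11, 10, 0)},
    {"occurred": datetime(2024, 3, 20, 9, 30), "detected": datetime(2024, 3, 20, 9, 45), "contained": datetime(2024, 3, 20, 11, 45)},
]

# Backup failover tests: True = restore verified, False = test failed.
BACKUP_TESTS: List[bool] = [True, True, False, True, True, False, True, True]

# Remediation SLA in days per severity (constructed policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Vulnerabilities: placeholder IDs, date found, date remediated (None = still open).
VULNERABILITIES = [
    {"id": "VULN-1", "severity": "critical", "found": date(2024, 3, 20), "remediated": date(2024, 3, 24)},
    {"id": "VULN-2", "severity": "critical", "found": date(2024, 3, 22), "remediated": None},
    {"id": "VULN-3", "severity": "high", "found": date(2024, 3, 10), "remediated": None},
    {"id": "VULN-4", "severity": "medium", "found": date(2024, 1, 1), "remediated": None},
    {"id": "VULN-5", "severity": "high", "found": date(2024, 2, 15), "remediated": date(2024, 3, 1)},
]

# Reporting date for the remediation snapshot (constructed).
AS_OF = date(2024, 4, 1)


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def mean_time_to_detect(incidents) -> float:
    """Average hours from the start of an incident to its detection (MTTD)."""
    return round(sum(_hours(i["occurred"], i["detected"]) for i in incidents) / len(incidents), 2)


def mean_time_to_respond(incidents) -> float:
    """Average hours from detection to containment (MTTR)."""
    return round(sum(_hours(i["detected"], i["contained"]) for i in incidents) / len(incidents), 2)


def backup_test_success_rate(tests) -> float:
    """Percentage of failover tests in which the restore was verified."""
    return round(100.0 * sum(1 for ok in tests if ok) / len(tests), 1)


def remediation_status(vulns, as_of: date, sla_days=SLA_DAYS):
    """Remediation progress plus the outstanding list the section asks for.
    Each outstanding entry is (id, severity, days past its SLA due date);
    a negative number means the item is still within SLA. Sorted so the
    most overdue item comes first."""
    remediated = sum(1 for v in vulns if v["remediated"] is not None)
    outstanding: List[Tuple[str, str, int]] = []
    for v in vulns:
        if v["remediated"] is None:
            due = v["found"] + timedelta(days=sla_days[v["severity"]])
            outstanding.append((v["id"], v["severity"], (as_of - due).days))
    outstanding.sort(key=lambda entry: entry[2], reverse=True)
    return {"total": len(vulns), "remediated": remediated, "outstanding": outstanding}


if __name__ == "__main__":
    print("MTTD (h):", mean_time_to_detect(INCIDENTS))
    print("MTTR (h):", mean_time_to_respond(INCIDENTS))
    print("Backup test success (%):", backup_test_success_rate(BACKUP_TESTS))
    print("Remediation:", remediation_status(VULNERABILITIES, AS_OF))
```

Two design choices matter for the numbers to be comparable over time: MTTR is measured from detection, not from when the incident began, so a slow detection does not silently inflate it, and the outstanding list carries days past the SLA due date so that a critical finding open for four days ranks above a medium one open for eighty. Feed the same functions each quarter's records and the trend, rather than any single value, is what tells you whether the program is improving.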
Can you still have a practitioner-focused cybersecurity program if your staff is limited to IT practitioners?
It’s true that security experts are in short supply, with roughly 2.5 million job openings unfilled at any given time due to the ongoing cybersecurity workforce and expertise gaps. However, you can still build a practitioner-focused cybersecurity program if you use your existing resources wisely. By using outsourced consultancies to support your organizational strategy while also arming your internal IT teams with upskilling certification programs, you can build an enterprise-grade security program that will evolve to mitigate new risks and attack trends. Your outsourced experts can help architect your technology strategically in a way that maximizes the capacity of existing internal teams, helping you stretch resources to meet needs.
In summary, building a practitioner-focused cybersecurity program is accessible if you stretch resources wisely, and successful implementation requires a structured approach that includes a risk assessment, policy development, security framework, training and awareness, technical controls, incident response procedures, and monitoring and measurement. By following these best practices, you can develop a cybersecurity program that is effective, efficient, and focused on the needs of your practitioners.
To speak with someone about building or improving an existing security program, reach out to us today.