
Back to the Basics: Security Must-Haves for 2024, Part II

By: Gary Perkins, Chief Information Security Officer

Welcome to Part II of the Basics of Security. If you missed the first part of the series, you can read it here.

There is a tendency to be overwhelmed by the sheer volume of work that must be done in IT and security. While the experts debate whether the work required is difficult or easy, we're focusing on the basics here. There are several components that need to be addressed, but none should be overwhelming. Remember, these are the basics of having a security posture that is defensible to your customers and regulatory bodies. Sadly, this alone will not be enough, but if you're doing these consistently, you're on the right path.


Prerequisites to Success in Cybersecurity

It is no coincidence that the first prerequisite is that executives recognize the importance of cybersecurity. You must gauge how often executives engage in dialog on the subject, how often the topic is on the agenda, and whether there are metrics to understand and follow. If you don't know, simply ask someone at the C-level or on the board of directors, "Is cybersecurity a top area of concern?" If they hesitate or qualify with "yes, but…", there may be room for additional education. According to the World Economic Forum (WEF), climate change and cybersecurity are the two top areas of concern to executives globally. Security culture starts at the top, and it's unlikely you will be successful if security is not part of the culture.

Next, you need to ensure that information security roles and responsibilities are assigned appropriately to employees. You need to identify the critical systems and data in your organization (they represent the "crown jewels"). You should know the organization's risk appetite and maintain a risk register that executives review quarterly. Whenever a new system is introduced or an existing one undergoes a material change, a risk assessment should be performed, and you should regularly conduct a security assessment of the organization against an established security standard.

There are multiple items and topics that you should ensure are documented and followed in your organization. These items must be regularly reviewed, updated, and tested when appropriate. They include how to manage assets and dispose of them, how to perform Incident and Change Management, your Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP), as well as backup and retention, logging, and monitoring. You also need to ensure a Security Incident Response capability (plan, team, runbooks, and drills).

Of course, all of this should be governed by an Information Security Policy that ensures users know what they should and shouldn't do, and by an Information Security Program that guides capabilities and improvements. Employees of the organization should be required to undergo background checks and to wear something that visibly identifies them in the workplace as employees, and other appropriate physical security controls should be in place. These employees should also be exposed to a security awareness program with mandatory security training.

Confidential data should be identified and protected appropriately, and when you develop applications, you should do so in accordance with the Open Worldwide Application Security Project (OWASP) or other secure development guidelines. Make certain that the applications and operating systems used in the organization benefit from vulnerability scans and solid patch management processes. And because no organization can do everything itself, make sure that the vendors you rely on are contractually required to have good security practices in their own organizations.

Finally, implement good access control practices so that individuals can use the systems and data they need, but nothing more. Ensure defense in depth for systems including cloud, networks, and endpoints, and confirm that security is one of the stakeholders whose endorsement is required before budgets for new initiatives are released.

By taking these basic steps and practicing them consistently, you can stop up to 80% of security issues.

Since we provided a quick assessment last time, here's the slightly more in-depth version:

Give yourself one point for each item that your organization has effectively implemented.

Prerequisites to Success for Security:

  • Is the importance of cybersecurity recognized by executives?
  • Are the cybersecurity roles and responsibilities identified and assigned?
  • Are your "crown jewels" (critical systems and data) identified?
  • What is the risk appetite of your organization? Do you have a risk register that is reviewed quarterly at the appropriate level?
  • Do you conduct risk assessments when introducing new systems or material changes to existing ones?
  • Do you assess your security posture against an established security standard?

Do you have the following items documented and followed? Do you review and update them regularly?

  • Information Security Policy
  • Information Security Program
  • Asset Management and Secure Disposal
  • Incident and Change Management
  • Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
  • Backup and Retention
  • Logging and Monitoring
  • Security Incident Response
  • Information Security Classification
  • Physical Security
  • Background Checks and Visible Identification
  • Security Awareness Program and Mandatory Security Training
  • Vendor Security Requirements in Contract
  • Application Security
  • Vulnerability Scans and Patch Management

Are you following these practices?

  • Access Control
  • Defense in Depth for Endpoints and Networks
  • Security Governance

How did you score? Any missing items should be remediated or captured on your organization's risk register. I hope this provides a quick tool for identifying areas to follow up on, so that you're doing your part to keep cyberspace safe.
