The realm of cybersecurity is filled with different types of expertise. The discipline encompasses everything from advanced Machine Learning to training employees not to reuse old passwords.
There is no single body of “required” cybersecurity knowledge that can help every organization. Instead, security leaders must be capable of assessing their organization’s own priorities.
These priorities include:
- The regulatory requirements they must comply with
- The data assets they care about most
- The services they aim to preserve above all others
- The negative outcomes they seek to most avoid
Each organization’s priorities will form the basis of its cybersecurity management framework. The framework it develops will inform decisions at every level of technological infrastructure and every level of organizational activity.
One of the most important steps organizations overlook is performing a complete inventory of the above priorities. Employees and leadership must refer to them often, update them regularly, and ensure that they act as the main drivers behind the security strategy.
Recognize That Total and Complete Security Is Impossible
The only way to 100% avoid a data breach, from now until eternity, is to not have any data. Similarly, the only way to guarantee you will never have unauthorized remote access to your systems is to disconnect them entirely. Even then, you must physically secure these assets, and the only way to do that with 100% certainty is to lock them up and throw away the key.
We propose these exaggerated scenarios precisely because their ridiculousness illustrates the paradox of security: perfect security would completely get in the way of using the technology we want to secure. One could even draw a comparison to border security of nation states: the goal is not to prevent ALL movement in and out of the border. Rather, it’s to prevent access by unauthorized people for unauthorized reasons, while limiting the burden on people and goods entering as-intended.
All business, and indeed all technology, represents a paradox: to allow your data and your digital services to be useful, you must make them accessible. And to make them accessible makes them at least somewhat vulnerable.
Another paradox, of sorts, is that an organization throwing every last security measure on the planet at protecting its information or services would bankrupt itself. Facing this reality, businesses must come to grips with two truths:
- Every single security decision involves tradeoffs between budget, strength of security, and ease of access
- The primary goal of cybersecurity is not to secure things (assets, networks, data, etc.) against all risks, but to make it reasonably safe to use those things as intended
The third, and hardest, truth is this: at some point, your security plan will fail, in some form or fashion. Your organization must be prepared to react to these failures, mitigate damage, and have a plan to recover from the incident. These three realizations make up the basic foundation of a practical, and practicable, cybersecurity framework.
Cybersecurity For Beginners
Getting Started on a Security Framework — AKA “Get By With a Little Help From Your Feds”
Sometimes, even if you are a highly experienced subject matter expert, it helps to go back to basics. Foundational knowledge has a way of clarifying goals and cutting through all the distracting noise. Even if you are entering (or are currently at) a relatively mature firm, it’s easy to miss the forest for the trees when it comes to keeping focus on the things that matter most.
Recognizing the complexity of cybersecurity, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) developed a Cybersecurity Framework to help business leaders wrap their heads around the discipline.
The NIST Cybersecurity Framework proposes five main areas of concern, modeled after five action verbs indicating the main responsibilities of those in charge of securing their organization:
- Identify
- Protect
- Detect
- Respond
- Recover
Identify
Job 1 is to inventory all vulnerable information, assets, and entry points. This list includes all of the software, digital services, network connections, etc. involved in your business activities.
For smaller business operations, this list may seem simple and short, but recognize that when you rely on service providers of any sort, hundreds (often thousands) of discrete microservices are involved. These technologies include the separate services that exist for secure payment, inventory management, cloud data storage, etc.
Depending on your resources, you may be able to rely upon an attack surface management platform like Lucidum to identify all of your assets. If not, you can refer to documentation created by service providers to understand the full extent of connections that directly touch your company data and infrastructure. You can also consult with IT to obtain a configuration item (CI) list, which should fairly exhaustively cover most (but likely not all) of the items of concern.
Your next step after identifying these items is to develop policies that detail:
- Priority tiers for level of importance of particular data and assets
- Roles and responsibilities for employees, vendors, and anyone else with access to sensitive data or assets
- Steps to take to protect against an attack and limit the damage if one occurs
Protect & Detect
Cybersecurity protection takes multiple forms. It includes identity and access management (IAM), encryption, and more. Refer to the MITRE ATT&CK Matrix for a comprehensive understanding of all measures that can be implemented to protect assets.
Be certain that protection measures reflect the priorities indicated in your initial policies. Top-priority items should be the most secure and should receive the “lion’s share” of cybersecurity investments. You wouldn’t purchase a $12,000 garage security system to protect a 1991 Geo Metro worth $1,200!
Active detection measures should be put in place to check for unauthorized users, as well as systems that persistently monitor for suspicious or unauthorized activities by sanctioned users.
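The Identify and Detect steps above can be tied together in code: the asset inventory with its priority tiers and the roles-and-responsibilities policy become data, and a detector runs over access logs to flag both unauthorized accounts and suspicious activity by sanctioned users on top-tier assets. The following is an added example, not code from the original article or from Lucidum; every asset name, role, user, the business-hours policy and the log-line format are constructed for illustration, and the log lines are made up.

```python
"""Added example (not from the original article or from Lucidum): a minimal
asset inventory with priority tiers and per-asset permitted roles, plus a
detector that runs over constructed access-log lines. All asset names,
roles, users, policies and log lines are hypothetical."""
from dataclasses import dataclass
from datetime import datetime

# --- Identify: inventory of assets. tier 1 = most critical. allowed_roles
# captures the roles-and-responsibilities policy for each asset. (constructed)
INVENTORY = {
    "payments-db":   {"tier": 1, "allowed_roles": {"payments-ops"}},
    "customer-crm":  {"tier": 1, "allowed_roles": {"sales", "support"}},
    "marketing-cms": {"tier": 3, "allowed_roles": {"marketing"}},
}

# Sanctioned users and their roles, as a hypothetical directory export.
USERS = {
    "alice": {"sales"},
    "bob":   {"payments-ops"},
    "carol": {"marketing"},
}

# Assumed policy: tier-1 access is expected between 07:00 and 19:59 local time.
BUSINESS_HOURS = range(7, 20)


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    user: str
    asset: str
    reason: str


def parse_line(line):
    """Parse the constructed log format:
    '<ISO timestamp> user=<name> asset=<asset> action=<verb>'."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts_str), fields["user"], fields["asset"], fields["action"]


def check_line(line):
    """Return a Finding for one log line, or None when the access looks normal."""
    ts, user, asset, action = parse_line(line)
    entry = INVENTORY.get(asset)
    if entry is None:
        # Anything touched that is not in the inventory is itself an Identify gap.
        return Finding("medium", user, asset, "access to asset missing from inventory")
    roles = USERS.get(user)
    if roles is None:
        return Finding("high", user, asset, "unknown account (not a sanctioned user)")
    if not roles & entry["allowed_roles"]:
        # Severity follows the asset's priority tier, as the policy suggests.
        sev = "high" if entry["tier"] == 1 else "low"
        return Finding(sev, user, asset, "role not permitted for this asset")
    # Sanctioned user with a permitted role: look for suspicious-but-authorized use.
    if entry["tier"] == 1 and ts.hour not in BUSINESS_HOURS:
        return Finding("medium", user, asset, "tier-1 access outside business hours")
    if entry["tier"] == 1 and action == "export":
        return Finding("medium", user, asset, "bulk export from tier-1 asset")
    return None


def run_detection(lines):
    """Run check_line over every line; highest severity first, then by asset name."""
    findings = [f for f in (check_line(line) for line in lines) if f]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.asset))


# Constructed sample access log (not real data).
SAMPLE_LOG = [
    "2024-03-04T09:15:00 user=alice asset=customer-crm action=read",
    "2024-03-04T02:40:00 user=bob asset=payments-db action=read",
    "2024-03-04T10:05:00 user=carol asset=payments-db action=read",
    "2024-03-04T11:00:00 user=mallory asset=customer-crm action=read",
    "2024-03-04T14:30:00 user=alice asset=customer-crm action=export",
    "2024-03-04T15:00:00 user=carol asset=legacy-wiki action=read",
]

if __name__ == "__main__":
    for f in run_detection(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.user:8} {f.asset:14} {f.reason}")
```

The first sample line (a sales user reading the CRM during the day) produces no finding; the other five each hit a different check. The detector deliberately keys severity off the inventory's tier rather than off the event itself, which is what keeps detection effort aligned with the priorities set in the Identify step instead of treating every alert as equal.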
Respond & Recover
Operate under the assumption that a cybersecurity compromise will some day happen. Your business should have a plan in place to continue operations, to the extent possible, and halt further efforts to exploit your data/systems.
All attacks should trigger a response that notifies affected customers, employees, vendors, and partners, as well as law enforcement.
Your organization should be capable of investigating the source of the attack and then updating cybersecurity policies along with an action plan that takes into account lessons learned.
Recognize that, in addition to intentional outside threats (e.g., hacking), there may be inadvertent cybersecurity risks from employees as well as non-human risks such as severe weather events. Have a system in place to regularly back up and safely store sensitive data, as well as protocols to restore service and equipment ASAP in the event of a disruption.
Compensating Controls
Compensating controls seek to address security goals without resorting to the most expensive, most comprehensive, or best-of-breed solution. It’s another way to say “smart countermeasures.”
For example: the goal of preventing website hacks is to avoid service disruption, as well as the public embarrassment that can come with it. Compensating controls to fulfill these goals may not seek to entirely prevent hacks but rather to provide a secondary “backup” version of the site available at a moment’s notice.
Per NIST: “By understanding your risks, you can know where to focus your efforts. While you can never completely eliminate your risks, the goal of your information security program should be to provide reasonable assurance that you have made informed decisions related to the security of your information” to which we would add “security of your technology in general.”
Address Concerns of Organizational Stakeholders With a Multi-Pronged Cybersecurity Strategy
Going beyond the basics, modern organizations must recognize that their cybersecurity requirements will be coming from multiple fronts. Customers, for example, will want uninterrupted service from all digital storefronts and websites. Organizational leaders, on the other hand, will each have their own priorities based on how digital technology impacts their job area.
Professionals entering an organization in a cybersecurity role can perform a stakeholder analysis to ensure that their cybersecurity strategy can address the goals and priorities of the various company heads.
Example roles and concerns to address can be found in the table below.
| Role | Primary Job Concern | Primary Security Concerns | Cybersecurity Requirements |
| --- | --- | --- | --- |
| CFO | Achieve desired business results | Customer relationships, revenue-generating services | Protect customer data, prevent service disruptions |
| CIO | Maintain functionality of crucial tech assets | Performance, uptime, availability | Protect vulnerable assets while minimizing downtime |
| Development Leaders & IT (DevOps) | Release and maintain quality digital products | Avoiding incidents that affect release velocity and require extra work | Minimize impact of security measures on development pipeline; implement rapid restore & recover |
| CMO | Maximizing customer value and loyalty | Negative press, mistrust from incidents | Systems and technology capable of fostering consumer trust |
Cybersecurity Is a Journey of Learning and Response
Technology is always evolving, and so are cybersecurity threats. The best practices of yesterday no longer hold the same level of effectiveness today. Worse, today’s top-of-the-line solutions and approaches can be rendered moot by one embarrassing hack.
Accepting risk is never the goal, but at the same time, recognize that all risks can never truly be known. For these reasons, cybersecurity should be treated as part of a continuous improvement cycle: always gather knowledge, create a plan based on that knowledge, and put that plan into effect. Once the plan is in action, it should be tested regularly through drills. Cybersecurity and IT personnel should monitor performance data to evaluate the results, repeating the process of revising existing protocols and forming new ones in light of fresh data.
In other words: Plan, Do, Check, Act. These four steps build the basics of a strong cybersecurity foundation that never rests on its laurels. It also holds similarities to the ITSM continual service improvement (CSI) cycle, where the main goal is to constantly find ways to improve performance and clearly demonstrate the value the department offers. Such approaches can empower cybersecurity leaders to regularly raise satisfaction regarding how their efforts are perceived by the organization, by customers, and by the public at large.
Unfortunately, it’s a continual job that’s never truly done. But by being smart about it, and by aligning strategy, planning and action to your current organizational priorities and goals, it can be a job well done.
Read how to implement best practices suggested by NIST and other cybersecurity experts in our ebook: “What You Can Do Today to Make an Impact on Cybersecurity Asset Management”
Emerging organizations can also visit https://www.security4startups.com/ for more information and guidance on setting up their own policy framework.