Cybersecurity Strategy: Do You Have One?
1 November 2017 | 10:39 am
Do you have a security strategy? I don’t mean locks and guards; I am asking if you have a cybersecurity strategy. Until recently there has been no shortage of frameworks for best cybersecurity practice and more regulations than most organizations know what to do with. But even with all of that, there have been minimal requirements to have a security program and even less enforcement on the issue.
That is, until now. The New York Department of Financial Services (DFS) has established its Cyber Security Requirements for Financial Companies (23 NYCRR 500). The new DFS regulation holds an institution’s senior leadership accountable by requiring an annual compliance certificate signed by a senior officer or board member. This is the first state legislation of its kind, and I am sure, with all the breaches we continue to see, that it will not be the last, whether or not you live in New York.
One of the big differentiators in 23 NYCRR is the requirement for covered entities to develop a Cybersecurity Program. Other regulations require risk assessments and information security policies, but I am not familiar with any that have specifically required a cybersecurity program.
You can think of your cybersecurity program as your security strategy, which is important for the same reasons a business plan, a map, or an architectural blueprint is important. Without any of these you don’t know where you are going or how you are going to get there.
I’m here to let you in on a little secret. It’s not that a security strategy is difficult to create; it’s just that you, the organizational executive, have never had to create one before. Everyone you talk to about cyber keeps throwing around acronyms and technical terms that you don’t understand, and that has kept you largely at arm’s length from this topic. Because I don’t think you should be responsible for becoming a security expert, I want to break down the mystery of a security strategy so that you can see it is doable and necessary.
Policies and Procedures
It all starts with policies and procedures. You already have these for so many areas of your business; it’s a matter of adding those applicable to security, then training your employees and continuing to make them aware. ComputerWeekly reported that a recent survey conducted at the Black Hat security conference in Las Vegas revealed that 84% of respondents whose company has suffered a cyber attack attribute it, at least in part, to human error. Policies and procedures could have helped stop a large number of those. Sometimes people just don’t know what to do and, lacking guidance, will do what they think is best.
You have to know what your risks are to know what to protect and how to protect it, and you do this through a risk assessment. This is required in every best practice framework and regulation I have ever seen.
A risk assessment asks a lot of questions to identify risks, severity, and likelihood. Questions like: What sensitive data do we have? How is the data transmitted and stored? What systems are used to host the data? How are those systems accessible inside and outside your network? Do those systems have all critical security patches applied? Who are your third parties that access your data? How well are your employees and vendors trained? Who are your adversaries?
Most of this can be assessed through interviews with the people who interact with the data or manage your systems and through automated tools like vulnerability scanners. There is also a professional service called penetration testing where ethical hackers mimic what malicious hackers would do so that you truly understand your security posture and risks from the outside and inside of your network.
Prioritize, prioritize, prioritize: this will become your new mantra. Once you have completed your risk assessment you will be left with a list of low, medium, high, and critical items to remediate and manage. That can be overwhelming and you can’t fix it all at once, so don’t try; the answer is the same whether you are trying to remediate your vulnerabilities or eat an elephant – one bite at a time. It’s a matter of understanding which risks are the highest, which are the easiest to fix first, and which are less important or will take longer to solve. This is where your security team and security executive are there to help. If you don’t have this team or person in place to run security, then you bring in a third party to help with remediation and retesting.
Food for thought – The same ComputerWorld article said “Nearly 55% of more than 130 attendees of the 2017 Black Hat security conference in Las Vegas admitted their organizations had been hit by cyber attacks.” The reason I mention that is that it is very common to hear “it won’t happen to me.” Risk management is how you help ensure that it won’t happen to you.
Continuous monitoring, regular control testing, and at least annual risk assessments are how you keep this going. It is not a one-and-done project. This becomes an operational part of your business, just like keeping the lights on. Whether it’s your internal team or third party consultants that help you achieve this, it must become part of your daily culture of security.
This includes implementing and maintaining technologies that can prevent a cybersecurity event, along with the processes and technologies for detecting cybersecurity events, responding to events and mitigating risks, and recovering from events.
If you are still wondering “how will I accomplish all this?”, don’t worry; I understand that is a real question and concern. In my next article in this series I will discuss resources with you and how you will do this. I want to make this as simple as possible because your organization, people, and customers need to be protected from malicious individuals and from costly errors. Please note I said simple, not easy; with the right people, creating the strategy is simple, but it will take time and resources along with a culture of security to make it happen.
If you don’t want to wait for the next article, email email@example.com to start discussing the resource or strategy questions you have now. Sharon provides virtual Chief Information Security Officer (vCISO) services, consults with clients on security strategies, writes policies, and helps organizations of all sizes become and remain secure and compliant.