Your organization has identified that it is important to have a cyber security strategy. You want to address cyber security within your organization. But where do you start?
The task of putting together a cyber security strategy can be daunting. The larger your organization, the more this task can seem to take on monolithic proportions.
Here are some things to consider when you start to formulate your plans!
Cyber Security is Everything
Here at Horangi, we take a holistic approach to cyber security.
We believe cyber security touches every part of an organization and how it functions. Given this, we avoid making myopic, targeted decisions. We are not driven by immediate concerns when it comes to designing and prioritizing solutions. Each solution is prioritized with the entire system and infrastructure in mind, integrating concerns over organizational goals, budgeting, and business need. This is not to say that emergencies mean nothing to your cyber security strategy. It just means that when a seemingly immediate need arises, it is weighed against the existing items in the current strategy rather than jumping the queue by default.
A Risk-based Approach
When deploying cyber security solutions across your organization, the overarching metric for effectiveness should always be risk.
How do threats against your organization affect the overall risk to your organization? How do the countermeasures minimize or remove that risk?
Developing a thorough understanding of how to measure risk within your organization is key to designing effective countermeasures against cyber threats.
What Are You Protecting?
So now, you know that cyber security is everything and you know that a risk-based approach is best. Now what?
The first question to ask your organization is "What are we protecting?"
What are your critical business processes? These are processes that would cause your organization devastating losses, should they ever fail.
What are your critical systems? The loss of availability to these systems would likewise present a devastating loss.
When considering these assets, it is also important to come up with a system for measuring how critical these systems or processes are. This will help you prioritize the order in which to deploy security solutions.
Once you have considered the assets that you wish to protect, you must consider what aspects of those assets you are protecting.
Information security defines three aspects of every information asset that you would ever protect. These are represented by the CIA Triad.
- Confidentiality - Protecting confidentiality is ensuring that only the appropriate personnel have access to information
- Integrity - Protecting integrity is ensuring that information is always accurate and has only been changed by appropriate personnel
- Availability - Protecting availability is ensuring that information can always be accessed by appropriate personnel when it is needed
Protecting an asset can mean protecting one, two, or all three of these aspects for that information asset.
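The two questions above (how critical is each asset, and which CIA aspects of it matter) can be turned into a simple, repeatable ranking. The following is an added illustration, not Horangi's own method or tooling: it uses a constructed asset register, a constructed threat list, and an assumed four-step ordinal scale (low, medium, high, critical) to score each threat as likelihood × affected CIA impact × asset criticality, then ranks the results. It also shows how a newly raised "emergency" item is slotted into the existing backlog rather than automatically placed at the top, which is the point made under "Cyber Security is Everything".

```python
"""Risk-based prioritization of assets and threats.

Added example: constructed data and an assumed ordinal scale,
not a method or dataset from the original article.
"""
from dataclasses import dataclass

# Assumed ordinal scale; any consistent 1..N scale works the same way.
SCALE = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ASPECTS = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str       # how devastating the loss of this asset/process would be
    confidentiality: str   # impact if the asset's confidentiality is breached
    integrity: str         # impact if the asset's integrity is breached
    availability: str      # impact if the asset becomes unavailable


@dataclass(frozen=True)
class Threat:
    asset: str             # name of the Asset this threat applies to
    description: str
    likelihood: str        # chance of occurrence within the planning period
    aspects: tuple         # which CIA aspects the threat would affect


def impact(asset: Asset, aspects: tuple) -> int:
    """Impact of a threat is the worst affected CIA aspect of the asset."""
    for a in aspects:
        if a not in ASPECTS:
            raise ValueError(f"unknown CIA aspect: {a}")
    return max(SCALE[getattr(asset, a)] for a in aspects)


def risk_score(asset: Asset, threat: Threat) -> int:
    """likelihood x CIA impact x asset criticality (all on the assumed scale)."""
    return SCALE[threat.likelihood] * impact(asset, threat.aspects) * SCALE[asset.criticality]


def rank_risks(assets: list, threats: list) -> list:
    """Return (asset, description, score) tuples, highest risk first."""
    by_name = {a.name: a for a in assets}
    scored = [(risk_score(by_name[t.asset], t), t) for t in threats]
    # Deterministic tie-break so the backlog order is stable between runs.
    scored.sort(key=lambda st: (-st[0], st[1].asset, st[1].description))
    return [(t.asset, t.description, s) for s, t in scored]


def position_of_new_item(ranked: list, new_score: int) -> int:
    """0-based position a newly raised concern would take in the existing backlog.

    Items already in the backlog with an equal or higher score stay ahead of it;
    an 'emergency' only reaches the top if its risk actually justifies it.
    """
    return sum(1 for _, _, s in ranked if s >= new_score)


# Constructed sample register (not real systems).
ASSETS = [
    Asset("customer-db", "critical", "critical", "high", "high"),
    Asset("marketing-site", "medium", "low", "medium", "high"),
    Asset("payroll-process", "high", "high", "critical", "medium"),
]

# Constructed sample threats.
THREATS = [
    Threat("customer-db", "credential theft exposes records", "high", ("confidentiality",)),
    Threat("marketing-site", "website defacement", "medium", ("integrity",)),
    Threat("payroll-process", "unauthorized salary changes", "low", ("integrity",)),
    Threat("marketing-site", "outage from volumetric DoS", "high", ("availability",)),
]


if __name__ == "__main__":
    backlog = rank_risks(ASSETS, THREATS)
    for asset, desc, score in backlog:
        print(f"{score:3d}  {asset:16s} {desc}")
    # A newly raised concern scored at 15 lands third, behind two higher risks.
    print("new item at position", position_of_new_item(backlog, 15))
```

With the constructed data the ranking comes out as customer-db credential theft (48), marketing-site outage (18), payroll integrity (12) and defacement (8); a new concern scored at 15 is placed third. The multiplicative scale is an assumption; what matters for the strategy is that the same scale is applied to every asset and every newly raised item, so that the order of deployment reflects risk rather than whichever concern arrived most recently.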
People, Process, Technology
When deploying cyber security solutions and countermeasures, it is important to note that they can come as people, process, or technology.
As an example, protecting passwords can be done using any of these types of solutions. A person can be assigned as password manager, in charge of the protection and administration of user passwords. In turn, a password policy can be written and enforced to require users to safeguard passwords, meet a minimum length and complexity for those passwords, and change them on a regular basis. Finally, password management software can be deployed to protect the passwords, give users access to their passwords, enforce the password policy, and audit changes.
In this example, if you deploy the technology, it can enforce the process, and be managed by a person. Hence, it is all three types of solutions in one.
Depending on budget and resources, you may choose to deploy one, two, or all three types of solutions for a specific cyber security problem.
The effectiveness of each security control you deploy can be enhanced by the maturity with which you deploy it. What does this mean? It means that how you deploy your security controls is just as important as what security controls you are deploying.
The CMMI (Capability Maturity Model Integration) Institute describes the characteristics of maturity as such:
- Initial: Countermeasures are unpredictable, poorly controlled, and reactive
- Managed: Countermeasures are assigned to specific projects or departments and are still widely reactive
- Defined: Countermeasures are designed on the enterprise level and are more proactive
- Quantitatively Managed: Countermeasures are controlled and measured for effectiveness
- Optimizing: The organization is using the collected metrics to continuously improve the countermeasures
Being able to characterize each of your controls according to this maturity model can help identify places in which to improve and even identify quick wins and low-cost, high-yield changes to make to your strategy.
As lofty as your aspirations may get for this cyber security strategy, you will always have to face financial realities. Considering your budget does not have to be an exercise in disappointment. It is easy to want to spend a giant chunk of budget on a shiny new technology, when sometimes, it may be more prudent to split up that lump sum into smaller amounts that pay for several separate solutions that solve many different problems.
Conversely, frugal spending on many smaller, cheaper solutions may not be as effective as the one-time big ticket item.
Much consideration must go into budgeting and prioritizing spending, and ultimately it will either make you friends or enemies in circles where the bottom line is king.
As you can see, designing and implementing a highly effective cyber security strategy is not child’s play. It is by no means easy or simple. Many opt to use guidelines such as ISO 27001 and NIST 800-53 to help them put strategies together only to find out that they have barely scratched the surface of what a world-class cyber strategy can be.
Cyber security is not a state. Cyber security is a process. This process involves continuous assessment, planning, implementation, and improvement. As the world and its threats evolve, so must your strategy.
If you would like to learn more about how these strategies are put together, contact Horangi Cyber Security and speak to one of our experts!