If security professionals were asked to define the anatomy of great cybersecurity, it would likely be significantly different than a few years ago. IT departments are allocating more resources to improve their cybersecurity outlook. This is due in part to the large number of security breaches that have exposed critical data. The developers of the Norton anti-virus software report that of the 3,800 publicly disclosed security breaches reported in the first six months of 2019, a record number of 4.1 billion records were exposed (more than a 50% increase over 2018 for the same time period). There is probably a lot more that are not publicly disclosed. While there isn’t a single “right” way to implement a cybersecurity strategy, there are areas of importance in which you should direct your focus.
Here are three key tale-tale signs of effective cybersecurity:
As a security professional, your ideas about the best cybersecurity strategy for the organization are important to leadership (typically includes the board of directors, executive team, and security officers and managers). The weight that an organization places on cybersecurity begins at the top. This is because the top executives usually have the final authority to approve the cybersecurity budget that is appropriate for an organization’s needs. However, it’s not enough that you have the knowledge and a good picture of your organization’s cybersecurity stance. You must also effectively communicate this information to leadership, often for the purpose of persuading them.
Here are ideas to help you communicate your cybersecurity plan to leadership and obtain their buy-in:
- Focus on providing metrics instead of explaining technical jargon.
- Outline your recommendations. Make sure you provide multiple effective options that vary in cost. Explain the pros and cons of each option.
- Explain how increasing the cybersecurity budget fits in with the organization’s goals. Focus on revenue cost savings, ROI, and customer satisfaction.
- Emphasize any weaknesses that your analysis or an expert’s assessment has uncovered and the potential threats that your organization could become victim to if the weaknesses are not addressed.
- Highlight security breaches of organizations that are similar to yours and the devastating results. If your organization isn’t one of the top organizations that are threatened most often (financial, healthcare, manufacturing, or government), leadership may not worry about security as much. Do your research and point out an organization that is similar to yours that has experienced a devastating breach. For example, if your organization is a gaming company, you could point out the data breach of mobile gaming producer Zynga that resulted in 218 million records of customers (the largest data hack of 2019).
Once you’ve prepared your list of ideas, make sure you also prepare answers to questions that leadership may have. Think of the pros and cons of the ideas you present to them and any other questions that may come up. It’s also a good idea to communicate with other cybersecurity professionals who have successfully obtained leadership buy-in and how they obtained it.
A Comprehensive Cybersecurity Framework
A cybersecurity plan must address the methods of protecting information assets. Since this involves a variety of components, a comprehensive cybersecurity framework is the best choice. When you are considering your framework, you should focus on how you want to handle potential threats. You want a framework that helps you understand your organization’s needs (assessment and analysis), provides components for implementing and managing risk controls and enables you to continually monitor your progress.
When you are considering the cybersecurity framework to implement in your organization, you should also check if there are any regulations specific to your organization or industry. An example is the Healthcare Insurance Portability and Accountability Act (HIPAA) that provides security requirements for healthcare organizations.
To implement a comprehensive cybersecurity framework, you will likely combine multiple systems and controls. Here are five notable cybersecurity structures that are available for organizations:
National Institute of Standards and Technology (NIST) Cybersecurity Framework
This framework was developed specifically for organizations that manage critical systems in the United States but identifies five elements that any organization can use for managing and mitigating their cybersecurity risks. The five elements include Identify, Protect, Detect, Respond, and Recover. NIST provides the framework as downloadable files from their website. They also provide additional resources.
Center for Internet Security (CIS) Controls
These 20 controls are prioritized best practices that CIS has developed to help organizations prevent cyber attacks. The controls are prioritized as basic, foundational, and organizational and are downloadable in their entirety in PDF or Microsoft Excel format. CIS provides information for implementing the 20 controls as well as other cybersecurity resources on their website.
Information technology — Security techniques — Information security management systems — Requirements (ISO/IEC 27001)
This compliance specification, which provides requirements for managing information management systems (IMS), was officially adopted into the International Organization for Standardization (ISO) in 2005 and has been modified over the years to address the advancements in cyber threats. Organizations can choose to simply follow the requirements or request an audit to become ISO 27001 certified. Meeting these requirements can help organizations develop a cybersecurity framework. Companies that meet the rigorous requirements can choose to request an audit to become ISO 27001-certified organizations. This is an added benefit that provides proof to leadership, customers, and partners that a company has met a high standard for cybersecurity and is serious about protecting its information assets.
Federal Deposit Insurance Corporation (FDIC) Cybersecurity Framework
In 2016, the FDIC announced this framework to provide guidance to banking organizations for mitigating cyber risks that are specific to the industry. According to a report by the Keeper Security firm, of the thousands of IT professionals they surveyed, two-thirds of the financial organizations experienced cyber-attacks. This framework identifies four areas of focus to reduce cybersecurity risks: Corporate Governance of Cybersecurity, Threat Intelligence, Security Awareness Training, and Patch-Management Programs.
The FDIC also lists other cybersecurity resources on their website. In January 2020, the FDIC issued the Joint Statement on Heightened Cybersecurity Risk document to “remind supervised financial institutions of sound cybersecurity risk management principles.” The document outlines six areas of focus: Risk Management, Identity, and Access Management, Network Configuration and System Hardening, Employee Training, Security Tools and Monitoring, and Data Protection.
Plan-Do-Check-Act (PCDA) Methodology
Wikipedia defines PCDA as “an iterative four-step management method used in business for the control and continuous improvement of processes and products.” It was part of the ISO 27001 compliance standard for many years and has been incorporated in a variety of other cybersecurity frameworks. Organizations can use this system to improve their security implementation by using four steps: Plan, Do, Check, and Act.
Security awareness refers to the ability to identify a potential threat and take appropriate action to alleviate it. An effective cybersecurity strategy would be incomplete without a plan for establishing awareness in employees. According to a study by the information security firm Shred-It, employee negligence poses the greatest information security risk to organizations. If employees in the organization do not understand security risks and make bad choices, leadership buy-in, and implementing a comprehensive cybersecurity framework will have a limited effect. Creating an environment characterized by employees having security awareness involves providing employees the information they need to understand the cybersecurity landscape and educating them on the behavior that is best in that landscape.
The following are the ways your organization can increase security awareness:
- Develop a training program that identifies the types of cybersecurity threats and provides best practices for preventing security issues (recommended behavior when using email, social media, and company assets). The training should be mandatory for all employees and should be repeated and updated on a regular basis.
- Make security policies (part of your cybersecurity framework) easily accessible by employees. Adding hardcopies to new hire packages is a good idea.
- Send regular reminder notifications about cybersecurity best practices via email and text messages.
- Hang up posters and security reminders in common areas of the organization.
- Incentivize good employee behavior. For example, reward an employee that comes across a potential phishing email and performs the steps outlined in the training manual or security policy.
Developing and implementing an effective cybersecurity strategy can be a daunting task. Not only does it require resources, but it also requires an understanding of your organization’s needs in relation to the current cybersecurity environment. Developing an effective cybersecurity strategy shouldn’t be a singleton task. Engage your security team and other members of the organizations to perform specific tasks. If you decide to reach out to a security firm for assistance, choose one that is experienced in all facets of cybersecurity.
BACS specializes in providing a full spectrum of IT services to companies of all sizes. They can help you assess your security requirements and develop the most effective strategy to mitigate your organization’s security risks.