There is no denying that the importance of cyber security has bubbled to the surface within the minds of most company leaders. With frequent headlines about breaches and the fact that cyber-attacks are increasing every year, companies are concerned about the growing threat. Organizational leaders have tasked their IT leaders with the daunting responsibility of ensuring that the environment and data is protected. As a former IT Manager, I can state firsthand that the approach was to simply implement traditional security controls (i.e. firewall, end-point protection, physical and logical permission, etc.). But we all know that the threat landscape has evolved, and the implementation of point solutions is no longer sufficient.
The Source 44 team has been helping organizations address their cyber security risks for 10 years. We have noticed a gradual shift in mentality as organizations have begun to get serious about implementing a security practice. Unfortunately, we also see that many of them are approaching this incorrectly.
So, how do you build a cyber security practice? Obviously, there is no set template to do this. There are many variables which drive the approach and direction. For example, size and complexity of the organization is a key factor. It is unrealistic for a small company to build their practice to emulate a large company who has a more complex structure and more resources available.
The cyber security team should NOT report to the IT department. Yes, I said it. While security individuals are IT savvy (many come from an IT background) and the teams work closely, there must be separation between the departments. IT responsibilities differ greatly from cyber security. IT is generally responsible for providing reliable and functional systems to the business; while the cyber security team is responsible for ensuring that the systems and data are protected. The focus of the cyber security team should be on threat hunting and providing IT oversight to ensure that security tools and practices are implemented. Depending on the size of the organization, the cyber security team should fall under a Risk Management or Compliance department. This structure provides separation of duties and ensures that budget is specifically allocated for cyber security. Of course, if your company is small, this will not apply, and IT will naturally inherit cyber security. In this case, ensure to have a separate cyber security budget that is not impacted by IT requirements or activities.
A good cyber security practice must have an owner. Cyber security extends beyond technology to policies and procedures. An organization cannot simply hire a Security Analyst and expect that person to oversee and execute the practice. An analyst is generally required to perform day-to-day tasks (i.e. manage the tools, threat hunt, continuous scanning, etc.). Ultimately, a Senior Cyber Security Manager/Director should be responsible for creating, implementing and maintaining the overall cyber security practice.
Understand the organization’s current cyber security maturity. As with any other department, it is essential to determine ‘where you are', before mapping out 'where you want to go’. Seems straight forward, but quite often organizations address their unsubstantiated ‘needs’ based the latest technology hype or trends. Engage with an unbiased security expert (such as Source 44) and complete a gap analysis based on industry best practices. The exercise will identify risks and help the organization create a plan. We all know that senior leaders and boards like to know that there is a plan.
Adopt a cyber security framework to build your practice on. The Center for Internet Security (CIS), The National Institute of Standards and Technology (NIST) and ISO 27001 are among the most well-known and mature cyber security frameworks for practices and standards.
- NIST Special Publication 800-53, Revision 5 proposes a catalog of 20 different privacy and security control groups to help U.S. federal agencies and organizations better manage their risk.
- The 20 CIS Critical Security Controls are independent of industry type and geography and provide a priority-based and rather technical approach for immediate, high-impact results.
- The ISO 27001 standard is a less technical, more risk management-based approach that provides best practice recommendations for companies of all types and sizes in six defined phases. (1)
There can be many factors which determine which framework to adopt (i.e. company size, location, are you already an ISO organization, etc.). It is essential that research is completed before a decision is made. However, for those companies at the beginning of their cyber security journey, I recommend starting with the CIS20. It is the least complex and a good starting point for sound practices.
Cyber security tools are expensive. While this may be somewhat true, I urge you to consider the cost of losing client data and ultimately their confidence. A mature cyber security practice is not simply about implementing tools to mitigate risk. While deploying the ‘right tools’ are very important, equally important is the creation of sound policies and procedures. Every company should have a documented and tested disaster recovery (DR) plan and cyber security incident response plan. Every company should clearly define device standards, a password policy and company asset usage. A cyber security gap analysis will provide information around missing policies and procedures.
Training your employees. Employee awareness training with social engineering exercises is no longer an optional activity. Another reality is that employees are the target of phishing and spear-phishing campaigns. Even with all the best of breed cyber security tools in place, we cannot stop employees from clicking on that URL or attachment. While the tools do help reduce the opportunity to receive or visit areas with malicious content, an uninformed person is the weakest link in the defenses. Train your employees on hire and ongoing through-out the year. Remind them about the risks and test them with social engineering exercises (i.e. Phishing campaigns) to determine training effectiveness.
Why do we need the latest and greatest technology? In the world of cyber security, the latest technology has been designed around evolving attack methods. There is a continuous flow of new technology to address newly identified risks and improvements on traditional technology to better fight the battle. The term ‘next-gen’ is being connected to many traditional cyber security technologies to demonstrate advancement in the area (and possibly as a marketing scheme). Today’s latest technology is using artificial intelligence and machine learning, among other tools, to help resource strapped department. The systems are far more intelligent at detecting anomalies and indicators of attack (IOA) in order to provide zero-day protection.
This article was meant to provide some high-level concepts which should be considered by all organizations building or trying to improve their cyber security practice. By no means is this a complete list or a step-by-step guide. It is simply meant to invoke some thought and/or discussion.