by David Wren
Creating a cyber security program is no easy task. Doing so involves implementing a well-documented and comprehensive plan. The requirements established for an organization’s cyber program carry a great deal of risk and should be handled carefully. An inexperienced or ill-advised cyber program, or one that is not followed correctly during a cyber incident, leaves your organization open to attack, compromise, and financial hardship. Avoid these troubles by ensuring you have the best possible insight and knowledge about the requirements of a competent cyber security program.
First, we need to take a high-level view of the environment. Understanding your organization’s business -- and how that business should alter security planning -- is key. The program should be custom-tailored for your environment and not just downloaded from the internet or borrowed from another entity. A cookie-cutter or one-size-fits-all approach can leave gaps in your security posture. The types of data that you capture and store should dictate your approach to developing the program. For example, health and financial data are heavily regulated, with penalties for violating regulations. Most companies store some forms of this data, for example in employee records, payroll, accounts receivable, and accounts payable. We must take special care to identify such data, know where it is stored, and understand how it is being accessed. Knowing your environment and workflows is critical in the planning process.
How secure should your environment be? Once you understand the nature of your data and the pertinent regulations, you can start planning for the level of security that is required. Convenience and security must always be balanced against the level of acceptable risk. If accessing your data is too convenient, a malicious actor will find it easy to exploit and share with the world, resulting in potential loss of business or even closure. Conversely, if your data is secured so well that productivity is severely hampered, then users may loathe the process, focus less on personal cyber hygiene, and attempt to circumvent safeguards by any means.
Once you understand your environment and how secure it needs to be, it’s time to define organizational targets. Measuring how mature your environment’s security is helps to benchmark progress. Maturity benchmarks are necessary to showcase your efforts and keep the plan moving forward. Much legwork has already been done by framework organizations. These organizations study IT environments and threat landscapes to create checklists that ensure nothing is overlooked or forgotten. Using frameworks such as NIST 800-53 R5, CMMC, ISO 27001-27002 and COBIT can greatly simplify and streamline your cyber security program. These frameworks are built on a solid understanding of industry best practices. If you are not operating in a regulated business or industry, using one of these frameworks is a great way to develop your program.
Knowing your environment and having a clear framework of goals are important for growing your cyber program. So is developing a multi-year plan. Such a plan allows your organization to better prepare for the future and recognize where pitfalls may exist. At this stage, you can create a timeline that establishes maturity benchmarks and next steps over time. While your cyber program grows, consider the business ramifications of decisions. How will this program interface with other components of the business? If the loss of functionality or access is too great, then long-term effects could hamper implementation of the cyber program.
Once the plan is in place, define the policies and standards to be adopted by IT staff and users. What’s considered “acceptable” in your environment has legal and enforcement implications. Clear communication about your security policy is essential for maintaining a compliant environment.
Additionally, determine what’s acceptable from a management perspective once monitoring and enforcement are in place. How should funding be allocated? How should security and workplace culture interact? How should the program be leveraged when ambiguity arises? Operational policies keep everyday interactions between systems and people well defined. Technical policies and standards are especially important to define well because they are paramount to your environment’s security. Misconfigured systems can present massive security risks and leave doors open for bad actors to exploit. Having a clearly defined policy can be the difference between a chaotic, vulnerable environment and a stable, secure one.
Once standards and policies have been defined and adopted for the environment, they are implemented through procedures. This is the point at which your IT staff and executive sponsor will begin changing and improving IT assets to adapt the environment to your cyber security program’s vision. Strategy, goals, and planning have led to this point of action. Defining procedures will initiate action in your organization.
Creating a cyber security program can be exciting and overwhelming. No one individual can effectively plan, create, and implement a program alone. Teamwork and cooperation will always be necessary for such an undertaking. At Network Technology Partners (NTP), we have extensive expertise in cyber security and the threat landscape against which your program will be defending.
I would like to thank Hunter Williamson for his assistance in researching and developing this article.
David Wren, CISM is President of Network Technology Partners, a regional Cyber Security Intelligence firm headquartered in St. Louis, MO. He can be reached at email@example.com.