5 Steps to Build a Robust Cyber Security Strategy

Sukalp Bhople
9 min read · May 28, 2021

Building a cyber security strategy for any organization takes effort. This article gives the building blocks and a few tips for starting to build a robust cyber security strategy. It is written for anyone (CISO, security programme manager or cyber security analyst) who wants to understand where to start and which actions are required, and it describes cyber defence techniques that are immediate and effective.

1. Know your Business

It is important to understand why an organization is investing in cyber security.

If it is not clear, it is worth spending time on the question. In general, a cyber security strategy exists to protect the organization's assets and people from cyber threats so that the organizational mission can be achieved. It is therefore imperative to understand which business processes and requirements need protection, so analysing the business strategy is a must. Also understand what the executive team values most: when it comes to prioritization, choices are easier to make against the values set by the executive team. Depending on industry, size and risk appetite, the required measures and controls, and their required maturity, will differ.

2. Understand your Threat Landscape

Once the business goals are clear, it is time to understand what needs protection and to prioritize it.

Refer to the annual report to understand the priorities. Identify the compliance regulations applicable to the organization. Identify your assets. Working on asset management can take some time, so at this stage identify (at a very high level) the categories of hardware, software and technology used within the organization. Identify which threat actors and vectors apply, based on knowledge shared by other companies, incidents the organization has faced in the past and lessons learned. Threat vectors can also be identified from the industry and business processes: email is an often-exploited vector for almost everyone; for a retailer, securing POS terminals would be a priority; for a manufacturer, it would be legacy PLC networks.

3. Select a Cyber Security Framework & Perform Gap Analysis

Know where you stand and what needs improvement.

Once you know the business strategy and what needs to be protected, it is time to understand your cyber security maturity, because unless you know where you stand you cannot build a roadmap.

One of the best ways to do this is to choose a cyber security framework. A cyber security framework is a set of guidelines that lets an organization describe its current cyber security posture, describe the target state, identify and prioritize opportunities for improvement in a continuous and repeatable manner, assess progress, and communicate with stakeholders.

There are many options, based on industry and sector, from which organizations can choose. The NIST Cyber Security Framework (NIST CSF) is one of the most widely adopted. It is detailed and uses business drivers to guide cyber security activities, regardless of size, maturity and industry.

Gap Analysis

Gap analysis can be conducted in many ways. It can be as simple as a questionnaire, or as in-depth as technical testing, reviews and audits that validate the claims. The identified gaps in people, process and technology should be documented (usually in a risk register). Then build a risk matrix to prioritize these gaps using impact and likelihood measures; this prioritization feeds the next steps.
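As an added example (not from the original article), the following Python turns a list of gaps into a prioritized risk register using a likelihood × impact matrix. The gaps, the 1..5 qualitative scales, the NIST CSF function labels and the rating bands are assumptions constructed for illustration; every organization sets its own thresholds.

```python
"""Gap prioritisation with a likelihood x impact risk matrix.

Added example, not code from the original article. The gaps, scales
and rating bands below are constructed for illustration (assumptions).
"""
from dataclasses import dataclass

# Qualitative 1..5 scales as used by a typical 5x5 risk matrix (assumption).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Gap:
    gap_id: str
    description: str
    csf_function: str  # NIST CSF function the gap maps to (Identify/Protect/Detect/Respond/Recover)
    likelihood: str
    impact: str


def risk_score(gap: Gap) -> int:
    """Classic matrix score: likelihood rating times impact rating."""
    return LIKELIHOOD[gap.likelihood] * IMPACT[gap.impact]


def risk_rating(score: int) -> str:
    """Map a score to a band. Thresholds are an assumption; tune them to your risk appetite."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def prioritise(gaps):
    """Highest score first; at equal score, the gap with the larger impact wins the tie
    (a severe but less likely gap outranks a moderate, more frequent one)."""
    return sorted(gaps, key=lambda g: (risk_score(g), IMPACT[g.impact]), reverse=True)


def render_register(gaps) -> str:
    rows = []
    for rank, g in enumerate(prioritise(gaps), start=1):
        s = risk_score(g)
        rows.append(
            f"{rank:>2}  {g.gap_id:<6} {g.csf_function:<8} "
            f"L={LIKELIHOOD[g.likelihood]} I={IMPACT[g.impact]} "
            f"score={s:>2} {risk_rating(s):<8} {g.description}"
        )
    return "\n".join(rows)


# Constructed sample gaps, as a gap analysis might record them (assumption).
SAMPLE_GAPS = [
    Gap("G-001", "No MFA on VPN for contractors", "Protect", "likely", "major"),
    Gap("G-002", "Backups never restore-tested", "Recover", "possible", "severe"),
    Gap("G-003", "Asset inventory incomplete for OT network", "Identify", "almost certain", "moderate"),
    Gap("G-004", "Security awareness training not tracked", "Protect", "likely", "minor"),
    Gap("G-005", "No retention for firewall logs", "Detect", "possible", "major"),
]

if __name__ == "__main__":
    print(render_register(SAMPLE_GAPS))
```

The tie-break matters in practice: G-002 (possible, severe) and G-003 (almost certain, moderate) both score 15, and a plain score sort would order them arbitrarily; ranking on impact second keeps the untested backups ahead of the incomplete inventory.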

4. Gain Executive buy-in

Support from C-level is important. Understand their expectations and revise the strategy based on the outcomes of those discussions. Provide them with context and create awareness so that they can support you in building and implementing the right strategy.

Keep the executives in the loop and amend the process and plans based on the discussions. At times a bit of awareness and education is also required to help executives make the right choice. To help them make informed decisions, use the chosen framework, and where needed refer to other frameworks and attacker techniques (such as MITRE ATT&CK) to support the choices made throughout building the security strategy. Always be prepared to discuss cost and return on investment (ROI). ROI is often not easy to prove, but the following tips will help.

  • The discussion should be about the vision, not about investing in technology.
  • Build the business case around the stakeholders' interests. For example, if a stakeholder wants to reduce run cost, help them understand how the right process and technology can achieve that reduction. Use the organization's business strategy as the starting point.
  • Make use of quick wins observed inside or outside the organization, such as how vulnerability scanning is helping (or can help) reduce risk.
  • Prepare options based on cost, what each entails in terms of technology, the investment required from a people point of view, and how it will affect organizational processes.
  • Measure success with the help of frameworks, security reviews and technical assessments such as penetration testing.

5. Determine the Plan to Improve

Once you have covered the ground from the business strategy point of view, identified what needs protection and where you need to improve, and aligned the high-level goals with stakeholders, it is time to prepare the detailed plan. This chapter gives some tips and focus areas to start with.

  • Build a strong security team.
  • Provide training not only to security teams but also to non-IT teams.
  • Build and maintain an appropriate security awareness program.
  • Create supporting governance.
  • Pay attention to third-party security.
  • Review the compliance strategy.
  • Build a disaster recovery plan.
  • Invest in continuous monitoring.
  • Establish and improve proper asset management.
  • Identify threats and vulnerabilities and assess risks.
  • Invest in network controls and network device life-cycle management.
  • Build an identity and access management process.

Security teams

Effectiveness of cyber security related work depends on the knowledge of the individuals applying it.

A skilled cyber security team reduces the time required to detect and resolve cyber security risks. The required skills can be obtained by training your people or by hiring the right people. Depending on the organizational strategy, a service provider can also be engaged; make sure they understand the business processes and meet the compliance requirements. Many organizations use a hybrid model: a small number of people with the right skills are hired (or existing staff are trained) so that the organization can make sure it obtains the right services and support from its MSSP (Managed Security Service Provider).

Depending on the size of the organization, multiple security teams might need to be built. While building a security organization, consider the central and local business requirements and their ways of working.

Training

Security training plays an important role. Training should be available not only for security teams but also for other teams such as IT, business users, remote workers and non-IT staff. At times appropriate training should also be provided to customers and suppliers, as keeping the organization secure is everyone's responsibility.

The security team should be able to detect potential security vulnerabilities quickly, extract the important information from security incidents and build plans to recover from them.

Security awareness program

Build a security awareness program. Security awareness should not be treated as a compliance requirement but made part of the culture. It is also not a one-off step: it needs to be built and adapted as technology usage and threats change.

Start with the management team and individual managers, and encourage them to attend security conferences that expose them to the wider security community. Security awareness should not be limited to office hours. People must understand the importance of practising good cyber security hygiene and the ramifications of poor security practices. Personnel should be trained in creating strong passwords, recognizing phishing emails and social engineering attacks, and knowing what information can and cannot leave the confines of the company.

Secure behaviour should be encouraged and rewarded. A few ways to do this are gamifying the training and recognizing personnel for their work on a project or during a security incident.

Governance

Define the roles and responsibilities that support the processes and technology. They should be clear, documented and well known throughout the organization.

Good top-down communication is key to proper risk management across the company. Good communication and efficient knowledge sharing among teams and with suppliers is very important when resolving a security incident. Finally, people should be able to trust each other.

Involve legal teams to understand the legal and regulatory requirements on IT systems and the people using them, and make the appropriate changes to organizational policies and procedures accordingly.

Third Party Security

Think about ways to identify and monitor third parties and their involvement in your organization. Their access and compliance should be verified regularly. Perform security reviews and tests as the agreements with them allow. If this is not allowed, record it in the risk register and consider changing the contracts in the near future.

Identifying third parties is often difficult. If so, start with the basics: identify them by interviewing teams, monitoring the network, and reviewing firewall logs and VPN configurations.
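As an added example (not from the original article), the following Python shows the firewall-log part of that discovery: it parses allowed outbound flows, drops anything that stays inside the internal ranges, and groups the external destinations so that any destination not already covered by the known-supplier list stands out as a candidate for the third-party register. The log lines, the internal ranges, the supplier allowlist and the `key=value` log format are all constructed for illustration (assumptions); real firewalls use their own formats, and the addresses are documentation ranges.

```python
"""Discovering third-party connections from firewall logs.

Added example, not code from the original article. Log lines, internal
ranges and the supplier allowlist are constructed for illustration
(assumptions); the key=value format mimics common firewall syslog output
but is not any specific vendor's format.
"""
import ipaddress
from collections import defaultdict

# RFC 1918 ranges treated as "inside" (assumption: adjust to your address plan).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Suppliers the organisation already has on its register (assumption; documentation addresses).
KNOWN_SUPPLIERS = {
    "Payroll SaaS": ipaddress.ip_network("203.0.113.0/28"),
    "Backup provider": ipaddress.ip_network("198.51.100.0/24"),
}

# Constructed sample log; the deny line and the internal-to-internal flow must be ignored.
FIREWALL_LOG = """\
2021-05-20T08:01:10Z action=allow src=10.1.4.22 dst=203.0.113.5 dport=443 proto=tcp
2021-05-20T08:01:12Z action=allow src=10.1.4.22 dst=203.0.113.5 dport=443 proto=tcp
2021-05-20T08:02:33Z action=allow src=10.2.7.9 dst=198.51.100.40 dport=22 proto=tcp
2021-05-20T08:03:01Z action=allow src=10.1.4.22 dst=192.0.2.77 dport=443 proto=tcp
2021-05-20T08:03:05Z action=deny src=10.1.4.22 dst=192.0.2.77 dport=3389 proto=tcp
2021-05-20T08:04:40Z action=allow src=10.3.1.5 dst=10.3.1.200 dport=445 proto=tcp
2021-05-20T08:05:00Z action=allow src=172.16.9.14 dst=192.0.2.77 dport=443 proto=tcp
2021-05-20T08:06:19Z action=allow src=10.9.0.3 dst=192.0.2.130 dport=8443 proto=tcp
"""


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp is kept under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def supplier_for(ip: str):
    """Name of the known supplier owning this address, or None if it is not on the register."""
    addr = ipaddress.ip_address(ip)
    for name, net in KNOWN_SUPPLIERS.items():
        if addr in net:
            return name
    return None


def summarise_external(log_text: str) -> dict:
    """Aggregate allowed internal->external flows per destination:
    {dst: {"supplier": name-or-None, "flows": n, "sources": set, "ports": set}}."""
    out = defaultdict(lambda: {"supplier": None, "flows": 0, "sources": set(), "ports": set()})
    for line in log_text.splitlines():
        f = parse_line(line)
        # Only traffic that was actually allowed and actually left the internal ranges
        if f["action"] != "allow" or not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        entry = out[f["dst"]]
        entry["supplier"] = supplier_for(f["dst"])
        entry["flows"] += 1
        entry["sources"].add(f["src"])
        entry["ports"].add(int(f["dport"]))
    return dict(out)


def unknown_third_parties(log_text: str) -> list:
    """External destinations not covered by the supplier allowlist: candidates for the register."""
    return sorted(dst for dst, e in summarise_external(log_text).items() if e["supplier"] is None)


if __name__ == "__main__":
    for dst, e in summarise_external(FIREWALL_LOG).items():
        tag = e["supplier"] or "UNKNOWN"
        print(f"{dst:<15} {tag:<16} flows={e['flows']} sources={len(e['sources'])} ports={sorted(e['ports'])}")
```

On the sample log the two known suppliers are confirmed, and 192.0.2.77 (reached from two different internal hosts over 443) and 192.0.2.130 (port 8443) surface as unknown relationships to take to the team interviews. In a real run, feed the output into the asset or vendor register rather than treating the allowlist as authoritative: the point of the exercise is to find the third parties nobody wrote down.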

Compliance strategy

Review which regulations apply to your organization. Stay up to date with new standards and regulatory requirements to avoid heavy and unnecessary fines.

Disaster recovery plan

A good disaster recovery plan enables efficient recovery of critical systems and helps the organization minimize damage during and after a disaster.

Continuous monitoring and maintenance

Organizations face a growing number of threats every day, and understanding and responding to zero-day vulnerabilities has become critical. It is therefore essential to monitor the environment for legacy systems, default (or poor) configurations and rogue devices. Prioritize building efficient security monitoring, detection and response capabilities.

If a security incident results in loss of data, a strong backup capability will help minimize the loss.

It is also necessary to monitor for risky behaviours before they become breaches.

Asset management

You cannot protect what you don’t know exists.

Asset management is immensely important. Knowing your assets (hardware and software), especially the most important ones, lets you configure the required security measures around those valuable assets.

You can start by documenting the hardware, software, applications, databases and other components such as network devices, then add the attributes needed to understand them and apply the required protection strategy. Depending on the size of the organization and the regulatory requirements, this can be a simple register in an Excel file, a web-based application or a dedicated asset management system. But start with something small that provides immediate benefit instead of investing only in expensive projects without understanding their value. Simplify and maintain.

Identify threats & vulnerabilities

Identify threats and vulnerabilities and assess the potential risks for your organization.

As discussed earlier, how sophisticated the threat management program needs to be depends on the size and risk appetite of the organization. Identifying the critical threats that apply to your organization should not be very difficult, and this is just a beginning, but an important one, rather than planning a bigger program upfront. Use the MITRE ATT&CK framework to prioritize as necessary. Build alerts and rules to detect those threats in the organization. Review the compliance control set to see where the gaps are and improve it, and define the log source requirements so that the right data is available to analyse the network for threats.

Build a vulnerability management program. With it, one can continuously assess the environment for vulnerabilities and fix them before threat actors exploit them.

Network Controls

Create a network security plan to secure your organizational perimeter and cloud infrastructure. Review firewall rules, keep IPS and IDS signatures continuously updated and, if necessary, change or put in place the right maintenance contracts. Implement NAC (Network Access Control) so that an attacker cannot just walk in and connect to the corporate network. Also explore and invest in network isolation techniques such as zero-trust network access and micro-segmentation.

IAM

Implement a robust joiner, mover, leaver process. Implement strict role-based access control and a continuous recertification program so that access reviews are actually performed. Discuss the hire and retire process with legal and HR, and ensure the right background checks are in place before an employee is hired.
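As an added example (not from the original article), the following Python performs the reconciliation that a joiner/mover/leaver process and a recertification program both depend on: it compares an HR roster against directory accounts and reports leavers still enabled, movers holding groups beyond their current role, orphan accounts with no HR owner, joiners without an account, and accounts whose last access review is older than the recertification interval. The roster, the accounts, the role-to-group baseline, the fixed "today" and the 90-day interval are all constructed for illustration (assumptions); a real run pulls the two sides from the HR system and the directory or IAM platform.

```python
"""Joiner/mover/leaver reconciliation and access recertification check.

Added example, not code from the original article. The HR roster, directory
accounts, role-to-group baseline and review interval are constructed for
illustration (assumptions).
"""
from datetime import date, timedelta

TODAY = date(2021, 5, 28)             # fixed so the example is reproducible (assumption)
RECERT_INTERVAL = timedelta(days=90)  # assumption: quarterly access reviews

# Entitlement baseline per role (assumption): the groups a role should hold, and no others.
ROLE_GROUPS = {
    "finance-analyst": {"staff", "erp-readonly"},
    "finance-admin": {"staff", "erp-readonly", "erp-admin"},
    "developer": {"staff", "git", "ci"},
}

# Constructed HR roster (the source of truth for who works here and in which role).
HR_ROSTER = [
    {"uid": "alice", "role": "finance-admin", "status": "active"},
    {"uid": "bob", "role": "developer", "status": "active"},
    {"uid": "carol", "role": "finance-analyst", "status": "active"},  # moved down from finance-admin
    {"uid": "dave", "role": "developer", "status": "left"},
    {"uid": "erin", "role": "developer", "status": "active"},         # joined, no account yet
]

# Constructed directory export (what the IAM platform currently grants).
DIRECTORY = [
    {"uid": "alice", "enabled": True, "groups": {"staff", "erp-readonly", "erp-admin"}, "last_review": date(2021, 3, 15)},
    {"uid": "bob", "enabled": True, "groups": {"staff", "git", "ci"}, "last_review": date(2021, 1, 10)},
    {"uid": "carol", "enabled": True, "groups": {"staff", "erp-readonly", "erp-admin"}, "last_review": date(2021, 4, 1)},
    {"uid": "dave", "enabled": True, "groups": {"staff", "git", "ci"}, "last_review": date(2021, 4, 1)},
    {"uid": "svc-old", "enabled": True, "groups": {"erp-admin"}, "last_review": None},
]


def reconcile(roster, directory, today=TODAY):
    """Return a list of (finding_type, uid, detail) tuples."""
    hr = {p["uid"]: p for p in roster}
    accounts = {a["uid"]: a for a in directory}
    findings = []

    for uid, acct in accounts.items():
        person = hr.get(uid)
        if person is None:
            # No HR owner: typical of forgotten service or test accounts
            findings.append(("orphan", uid, "account has no HR record"))
            continue
        if person["status"] == "left" and acct["enabled"]:
            # Leaver step failed: disable first, then worry about groups
            findings.append(("leaver", uid, "left but account still enabled"))
            continue
        expected = ROLE_GROUPS[person["role"]]
        excess = acct["groups"] - expected
        if excess:
            # Mover step failed: old role's entitlements were never removed
            findings.append(("mover", uid, f"excess groups for role {person['role']}: {sorted(excess)}"))
        if acct["last_review"] is None or today - acct["last_review"] > RECERT_INTERVAL:
            findings.append(("recert-due", uid, "access not reviewed within interval"))

    for uid, person in hr.items():
        if person["status"] == "active" and uid not in accounts:
            # Joiner step pending: HR knows the person, the directory does not
            findings.append(("joiner", uid, "active in HR but no directory account"))
    return findings


if __name__ == "__main__":
    for kind, uid, detail in reconcile(HR_ROSTER, DIRECTORY):
        print(f"{kind:<11} {uid:<8} {detail}")
```

Two design points carry over to a real implementation: HR, not the directory, is the source of truth for who should have access, and the mover check compares against a role baseline rather than against the previous state, which is what catches accumulated entitlements that a diff-based review would miss.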

Conclusion

Building a cyber security strategy is a challenging process. Business strategy changes, technology advances, threats and incidents keep growing, and events such as the pandemic force changes in business strategy and ways of working; the cyber security strategy must adapt to such changing requirements and be revised accordingly. Agility in cyber security is increasingly important: revise the strategy and continuously assess the progress being made. One cannot afford to think for six months and then implement a five-year program any more.

Finally, measure performance using internal and external reviews and audits. Plan security testing such as penetration tests, security reviews, red/blue team exercises, social engineering and phishing campaigns to measure security maturity, progress and response capabilities.

If you would like to know more about designing and implementing a cyber security strategy, or simply need help with specific programs or tips, please reach out to me at Sukalp.Bhople@Cyber-Resolve.com or give me a call (+31 (0) 6 8207 8243).

For more information, please visit https://Cyber-Resolve.com

Sukalp Bhople

Cyber Security professional. Founder @Cyber Resolve.