The need for security in organizations is growing by the minute. Organizations are doubling down, and many are starting to ask how to build a proper cyber security program. If you are interested in this type of information, look no further! I will outline the two different perspectives needed to build a program and the steps that should be taken from both a business point of view (this post) and a technological point of view (separate post).
Whether you are a small business, a start-up, a political organization or an already established organization, the question “Where do I begin with a cyber-security program?” is a frequently asked one. A good cyber security program will involve a lot of technology, but more importantly it will help the organization achieve its goals, because it ultimately aligns those technologies with the business. The first place to start is to identify what type of organization you are. The following steps are processes that organizations should then use to start implementing a general cyber security program:
Step 1: Identify the Assets of the organization (Business POV)
You have to start at the bare basics and understand the useful or valuable thing, person or quality the business has to offer. If you are a dictionary wizard, you will have figured out that this is called the asset.
You have to be able to identify what is most valuable to the organization and where it is stored in the computing environment. You have to take a look at the infrastructure that supports it as well. You should inventory: workstations, servers, cell phones, any cloud-based services (Google as an example), applications (Trello as an example), and file shares. The result of this inventory should be a catalog that identifies the business function of each resource, along with the owner. It should make note of all critical information and systems.
The next step is to identify which of the assets in that catalog are most attractive to attackers. Ultimately, you should be able to single out the high value assets and the high value targets.
However, not all attacks will target those high value assets. Sometimes attackers will go after low hanging fruit, such as email addresses, that can still be profitable for their business. Therefore, make sure you identify all types of assets in your organization.
Recap: Create a catalog of the infrastructure around the assets of the organization, identifying owners and business function while making note of highly targeted assets.
Step 2: Assess the potential Risks to the organization, as they vary from one organization to another. (Business POV)
You have to assess the types of risk that are tied to your organization and the assets you have accrued. Risk identification involves considering which attacks are likely and how those attacks would affect the organization's business objectives and assets. If it is possible, quantify these attacks. What would be the revenue lost if those assets were compromised? What would happen to compliance? What fines would be incurred, etc.?
This is the base on which your cyber security program will be built. It will drive your business cases, your budgeting and the way you approach your stakeholders.
Recap: Ask yourself and document/quantify: What attacks are most likely to occur to an organization like mine and to the assets I have? What will happen if they are successful?
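To make Steps 1 and 2 concrete, here is a small added example (my own illustration, not part of the original post) of what the asset catalog and the risk quantification can look like when written down as data rather than prose. Every asset, owner, likelihood and loss figure below is constructed for illustration; the expected-loss model (yearly likelihood times revenue loss plus fines) is an assumed simplification of the "quantify these attacks" questions above, not a formula the post prescribes.

```python
"""Asset catalog and risk register helper (added example, constructed data)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str
    kind: str                 # workstation, server, cloud-service, application, file-share, ...
    business_function: str    # what the business uses it for (Step 1)
    owner: Optional[str]      # accountable person; None means the catalog has a gap
    holds_critical_data: bool = False


@dataclass
class Threat:
    asset: str                # must name an asset in the catalog
    scenario: str             # the attack you are worried about (Step 2)
    annual_likelihood: float  # assumed chance (0..1) that it succeeds within a year
    revenue_loss: float       # revenue lost if it succeeds
    fines: float = 0.0        # compliance fines incurred if it succeeds


def catalog_gaps(assets: List[Asset]) -> List[str]:
    """Entries with no owner or no stated business function are incomplete."""
    return [a.name for a in assets if a.owner is None or not a.business_function.strip()]


def high_value_assets(assets: List[Asset]) -> List[str]:
    """Assets holding critical data are the high value targets to call out."""
    return sorted(a.name for a in assets if a.holds_critical_data)


def annual_loss_expectancy(threat: Threat) -> float:
    """Assumed model: likelihood x (revenue loss + fines)."""
    return threat.annual_likelihood * (threat.revenue_loss + threat.fines)


def risk_register(assets: List[Asset], threats: List[Threat]) -> List[Tuple[str, str, float]]:
    """Rank scenarios by expected yearly loss; reject threats against uncatalogued assets."""
    known = {a.name for a in assets}
    rows = []
    for t in threats:
        if t.asset not in known:
            raise ValueError(f"threat references uncatalogued asset {t.asset!r}")
        rows.append((t.asset, t.scenario, round(annual_loss_expectancy(t), 2)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample catalog: the kinds of resources the post says to inventory.
ASSETS = [
    Asset("crm-db", "server", "customer records", "Dana", holds_critical_data=True),
    Asset("staff-mailboxes", "cloud-service", "email (Google Workspace)", "IT"),
    Asset("kanban", "application", "project tracking (Trello)", None),   # owner missing
    Asset("finance-share", "file-share", "invoices and payroll", "Finance", holds_critical_data=True),
]

# Constructed sample scenarios; the mailbox entry is the "low hanging fruit" case.
THREATS = [
    Threat("crm-db", "credential theft leads to customer database breach", 0.10, 500_000, 200_000),
    Threat("staff-mailboxes", "phishing harvests employee email addresses", 0.60, 20_000),
    Threat("finance-share", "ransomware encrypts the finance share", 0.25, 150_000),
]


if __name__ == "__main__":
    print("catalog gaps:", catalog_gaps(ASSETS))
    print("high value assets:", high_value_assets(ASSETS))
    for asset, scenario, loss in risk_register(ASSETS, THREATS):
        print(f"{loss:>10,.2f}  {asset:<16} {scenario}")
```

The ranked register is the artifact you carry into Step 3: each row ties an attack to an asset, its owner and a number in business terms, and the gap list tells you which catalog entries still need an accountable owner before you can have that conversation.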
Step 3: Get the Leadership to Buy-in (Business POV)
Coming up with the business need and the case is one part of building a cyber security program. The next part is getting enough leadership support to ensure the necessary budget and personnel to implement it. Often overlooked, stakeholder buy-in is important because cyber security should really be treated as a priority in the organization. Leaders who delve into security early on instill a top-down approach into the organization that can do wonders for the culture. It is no secret that some of the biggest breaches in the industry are caused by employees, and helping them see that their leaders are serious about security will go a long way.
When approaching management about security, make sure to define the risks associated with the high value assets identified above, and make sure you help them relate to those risks from a business perspective. In terms of a specific deliverable to create, a threat detection framework will be useful. This framework should identify all the data points you want to have in place for cyber security. You should present this framework in comparison to what you already have. The gap you discover between the two is the risk to your organization. Again, make sure to present this in a language they can understand (business vs tech savvy).
To give you more insight into what I mean about language, Nelson Mandela famously said: “If you talk to a man in a language he understands, that goes to his head. If you talk to him in his language, that goes to his heart.” Being able to speak to your stakeholders in their language and relate it to the things they find important will help you secure the budget and personnel that you need. Some people fail to realize that a lack of security can even affect their home life.
Recap: Create a Threat Detection Model to identify the current gaps in operations/risk. Use business language and metrics to sell the business need and case. Create a top-down approach to build a security focused culture moving forward.
Step 4: Create Security Policies (Business POV)
Before you spend the money on high tech security software and gadgets, you need to create the security behavior across the organization. Continuing the top-down approach discussed before, creating security policies will help establish a security first culture. For starters, these policies should identify who is in charge of making overall security decisions. They should outline protocols for employee behavior and for how to use computing software, provided applications or company assets.
These policies should be enforced strictly. If an application is banned by company policy, it should be blocked on the company network.
Recap: Creating security policies will help establish the security first culture needed in organizations.