Starting with strategy – A multi-part series on building a robust cybersecurity program

Introduction

Today, many organizations look at information security and governance as a baker would icing on a cake. Something you apply at the very end, mostly to make it look better and add a bit of flavor. It isn’t a structural component or key ingredient, its simply there to cover up the raw product. As can be expected, icing cannot save a cake that’s missing key ingredients like sugar, or eggs. Likewise, if a business doesn’t integrate security into operations from the beginning there is only so much that can be done to implement necessary controls.

Using this approach, organizations only achieve a thin veneer of security, lacking the protection provided by a more layered approach. There is only so much security that can be added after the fact. Thankfully this is not the only approach available. Organizations must be cognizant of all available strategic opportunities if they hope to be successful. With careful planning and understanding security can become not only more effective, but also more supportive. This is where strategy comes into play.

In a perfect world, as businesses develop their business strategy cybersecurity would be included and layered throughout from the start. This would provide the most robust, effective, and easily integrated security program, and one that actually complemented both the business and its long-term goals.

Why strategy matters

Put simply, strategy is the process of understanding where you are today and where you want to go. This includes knowing your industry, regulations, and the business itself. Once you identify your current state you will have a clearer picture of what risks you face and what their priority should be. As outlined above, cybersecurity can and should be used as tool to support and improve business operations.

The steps listed below underscore this point and the provided explanations help understand how and when to use them:

• Framework selection
• Risk assessment
• Business impact analysis

Framework selection

Selecting a framework should be one of the first steps taken when developing a cybersecurity strategy. The framework will identify what requirements the organization needs to meet, what is needed to meet them, and even outlines how to process the information collected in the later stages. Frameworks provide varying amounts and levels of controls depending on which you select. While each differs in style and focus, the underlying components remain fairly consistent.

There are numerous frameworks available, and no 'right' answer for which is best. Some popular frameworks include the NIST Cybersecurity Framework (CSF), ISO 27001, and ISACA’s Control Objectives for Information Technology (COBIT). Depending on the industry some regulatory requirements may influence what you use. For example, if your business takes a lot of credit card payments using the PCI framework will not only meet your security needs but is also required. While all frameworks cover similar topics, it’s important to select the one that fits best with your requirements and needs.

It’s important to make sure that the framework aligns with your business, industry, and goals. If you are looking to start a cybersecurity program from scratch it would be better to start with the CSF over ISO 27001 since ISO has much stricter requirements that would likely overwhelm a new program. For larger, or more mature organizations ISO may be the perfect fit. Along with the size and maturity of your cybersecurity team, relevant regulatory requirements should also be used to help select an appropriate framework.

Risk Assessment

Once a framework is selected a general risk assessment should be conducted. A risk assessment is essentially a comparison against the desired state (the framework) and the current state. Risks can take a variety of forms and can target a variety of areas within the organization. In this case the focus of the assessment should be on business-critical systems and operations, along with any additional components that may be covered by the given framework.

Risk assessments can include interviews, process reviews, vulnerability scans, or whatever else may be necessary to gauge risk based on the given framework and requirements. At a minimum these reviews should include all the necessary individuals and systems required to gather the information needed to fulfill the control requirements of the given framework.  Information gathering may take the form of interviews, documentation reviews, system checks or audits.

While assessments normally set the roadmap for the organization, but they also provide checkpoints as well. These assessments should be repeated throughout the implementation of the framework to confirm appropriate progress is being made and that no changes to the business, systems, or operations have occurred.

Business impact analysis

While similar to a risk assessment, a business impact analysis is targeted to specific departments or business groups that make up the profit-making aspects of an organization. Business impact analysis (BIA)s are a function of business continuity. They exist to help prevent interruptions and loss of business from occurring, and to reduce the damage from those that do. Some parts are obvious, such what line of business you are in, and others require careful investigation and review.

BIAs need to cover any potential impact to the given operation being reviewed. Topics for review can include impact to or loss of: suppliers of key materials, providers of key services, or anything else that may potentially impact the revenue or operations of the given department organization, or group. Obviously not all of these can be judged quantitively and will need qualitative analysis as well to really capture the full scope.

It’s important to understand that this review needs to include the internal groups that support the departments, such as HR and IT. These groups, along with other non-profit generating tasks, require as much review and understanding as those that bring in funds.

Building a strategy

Once the above steps are complete, you now have the information needed to create a strategy tied to key, trackable requirements and metrics. The first step is to put the information gathered from your risk and business impact assessments and rank any identified gaps (normally referred to as a risk registry) in order of severity, cost, and potential for exploitation (other methods for ranking are available, but these are the most common). This list should be created with input from both management teams and department leads to ensure the full scope of risk is understood.

Understanding your risk profile allows for a targeted plan that will provide substantive results while ensuring resources are used in a logical and prioritized manner. With the list in hand, progress can be tracked and assessed, allowing the team to stay on track and identify roadblocks as they occur. Any risks that cannot be remediated, or will not be remediated for the time being, can be tracked as well until they can be completed.

This risk register should form the foundation of the strategy, as these are the defined pieces that separate the current state from the desired (framework) state.  The register will hold both technical and non-technical risks, some requiring software solutions, other changes in operations as appropriate.

Key takeaways

Creating or maturing a security program is a serious undertaking that requires careful planning, investment, and commitment to appropriately execute. Following the steps outlined above will go a long way in easing either process, however. When executing this guidance, it is vital that focus is placed in creating a diverse and well-rounded team that can effectively advise the creation and application of security practices to current business operations.

There are several parts behind creating an effective security strategy and each much be carried out to truly build an effective program. These foundational components are usually some of the least considered components, since most organizations prioritize action (or perceived action) over detailed planning. This mindset has led to many malformed and half-implemented programs, projects, and initiatives across numerous organizations and industries. Poorly applied security is almost as bad as having no security since you gain the sense of security without any real improvement.

Hopefully this article, along with the rest of the blogs in the series to come, will help highlight gaps and missteps before they occur, or before they can do any significant damage to the organization.  As always, the purpose of security is to protect the business from external threats and operational failures. It must support and enhance the business, not detract or impede. If adopted practices do not serve the business they will need to be retooled or removed entirely. Through careful application and regular reviews and modifications, security can become a significant competitive advantage to overall company success.