As the number of cyberattacks continues to rise dramatically, many companies are establishing formal security programs for the first time or seeking to optimize existing programs to improve the level of maturity. Massive digital transformation is underway and the shift to mobile, cloud and social channels to drive revenue growth adds a new level of complexity for security leaders. Traditional ways of thinking simply will not work. It is critical to create a security program that is pragmatic given your unique business environment and cyber risk profile. It should be consumable and easy to understand by key stakeholders (not just the security and IT teams) with clear measurements to track progress.
- Building a cyber aware culture: People and culture are key to any transformation and security is no different. Having the right organizational structure, governance model, awareness campaigns and policies are important to ensure everyone knows what part they play in the security program. Employees can be the best first line of defense as attackers more and more go after end-users through means such as phishing. There should also be a security risk management function that is incorporated into your company's broader enterprise risk management framework to ensure the right actions and investments are happening to reduce risk. Clear metrics should be defined to track progress – such as what percentage of your overall IT spend is in security and how does that compare to industry averages?
- Developing an integrated protection strategy: Hackers are persistent and creative and only need to find one way in. Security teams need to focus on reducing the attack surface. Do you have the right network architecture, including segmentation such that an issue in one part of the business doesn't spread to others? Is there integration across your various security solutions to avoid deploying them in silos with no knowledge sharing?
- Continuous security operations: It's important to ‘think like a hacker' and conduct regular red team testing to flush out major vulnerabilities. Having the right level of intelligence and visibility will help with proactive monitoring of your environment, whether leveraging SIEM and Big Data analytics platforms or outsourcing to a managed security services provider. Doing an occasional tabletop exercise or a mock incident is also good to ensure that if a major incident occurs, you know what steps to follow, who to contact, what tools to leverage and how to react…calmly.
There are numerous models to leverage when building out your program, such as ISO or NIST. The key to success is ensuring it is documented, communicated and measured.
Define metrics such as: What percentage of systems are regularly scanned and patched? What percentage of employees have been trained and tested on security topics?
Have you identified and protected the key data assets attackers will likely go after? Do you have strong identity and access controls in place, especially for privileged users?
Whether leveraging SIEM and Big Data analytics platforms or outsourcing to a managed security services provider, having the right level of intelligence and visibility will help.
»Ready to respond
Since incidents are not always avoidable, focus on minimizing business disruption, data loss and customer impact as part of your continuous security operations.