Runnin’ down a dream
A security roadmap is a powerful tool for aligning security processes with business requirements and goals, and improving the general efficacy of the security program. Unfortunately, in the ongoing endeavor to prevent cybercrime, many organizations neglect to create a business-aligned roadmap or forget to update that which was produced a long time ago, in a threat landscape far, far away.
Security roadmaps, however, can reduce the amount of time and effort spent managing security (if written and implemented correctly), plus help to cut program costs and decrease the number of security events teams have to handle.
Developing the organization’s security roadmap is a big undertaking, and while some general guidelines and recommended practices exist, CISOs and their security teams should avoid writing cookie cutter plans which don’t address the organization’s specific needs and environment. The roadmap is the tool through which the security team can determine what’s most important to the company based on the goals and direction of the entire organization (not just the assets it needs to protect), and formulate the most appropriate path.
Creating a solid cybersecurity roadmap helps shape a holistic picture rather than segmenting out every piece of data and information the organization needs to protect. In reality, security cannot weight all assets equally. The roadmap can help security teams understand what’s most important to the company, outline strategies and processes to secure it, and communicate intended outcomes and potential risks, thus facilitating a progression from a reactive, product-buying security posture to one that anticipates real-life threats.
When it comes to cyber readiness, security teams should no longer be talking about individual tools and technologies. Today’s organizations need to build an “immune system” that focuses on detection and response; the stealthiest and most committed adversary will find a way into targets’ systems, regardless of which firewalls or IPSs have been implemented. We’ve seen, too, that prevention is only as good as organizations’ abilities to monitor, maintain, and update systems—creating or revisiting your security roadmap will ensure these action items aren’t overlooked or bypassed.
Assess and Align
The first step in a security roadmap is assessing your business environment and gathering information: What do you have? Where do you have it? How is it currently secured (or not)?
The key during this phase is looking beyond just traditional hardware (laptops/desktops, servers, storage, routers, switches, printers, mobile devices) and data. Software (including any proprietary or open source code upon which software is built), IoT devices, cloud resources, and virtual machines all need to be tracked and classified. Human assets, too, are an element that can’t be ignored: Who has access to what? Is it necessary? Is it appropriate? What can employees/contractors/third parties do with their access?
Understanding what you have is important, but knowing how protection of those assets aligns with business goals is critical, as not all systems or data require equal security measures, time, or attention.
Information gathering could be the longest (and most painful) step in the process of constructing a first-rate roadmap, but it’s also the foundation upon which ensuing steps are built.
It’s very important for the organization to understand its specific vulnerabilities and threats. Not all organizations have the same data, the same levels of protection, or the same adversaries. Looking at the recent WannaCry malware, for example, victim organizations were those that had unpatched Windows systems and had Server Message Block (SMB) v.1 running. If you’d tackled those two action items your organization remained unscathed.
The security roadmap isn’t itself a schedule, but it should indicate intention for vulnerability scans, penetration testing, and other methods of identifying system (hardware, software, human) vulnerabilities. The roadmap should also demonstrate an understanding of one’s threat actor landscape: Who may be targeting your organization? Why? What methods or tools are they most likely to use?
As with security testing, the security roadmap is not a threat intelligence program or full risk assessment and therefore shouldn’t dive into too many details. it is, however, the path along which different programs are laid out so as not to be forgotten.
During this stage of the roadmap the organization develops an actionable strategy for how to protect the assets and the address the vulnerabilities that have been ascertained in the first two steps. Again, this strategy is not focused around individual tools, but instead answers the question, “How are you going to gain enterprise-wide visibility?” Tools can certainly be part of the discussion—they are essential elements of any security program—but they need to be one element in the bigger picture that includes procurement, implementation, maintenance, monitoring, detection, and response capabilities.
To accomplish stated goals, the security roadmap should incorporate a plan for how to strategically manage resources, both budgetary and human. In today’s current cybersecurity environment, industry focus is on hypergrowth—the supply of security practitioners is not enough to meet demand. However, security teams must develop a strategy that aligns with the goals and priorities of the business rather than one that is tied to security operations. If, for instance, company revenue projections are set to increase by 3%, don’t expect to ask for a 100% increase in security funding without some significant data to prove how that increase will help the organization achieve or surpass its intended growth.
In this strategy development phase, the roadmap should look to the future (most experts advise no more than 3-5 years) but also allow for changes that will inevitably occur, be they in company direction, economic or geographic market fluctuation, or the threat landscape itself. Just like with a road trip for which you’ve carefully mapped out your route, but somewhere along the way you learn that a major road has closed, you’ll need to revise your security roadmap as new data becomes available.
The final step in any plan is to communicate it to the appropriate parties. Needless to say, the roadmap should be written in collaboration with relevant stakeholders; because cybersecurity affects the entire organization, ensure that you’re obtaining feedback and agreement from the executive team throughout the process. Formulating a three-year security roadmap only to have the CEO say, “No, we’re not doing that” after it’s complete is a pointless waste of time. Step one—which includes business alignment—is key to preventing this.
As a result, when the time comes to share the roadmap with the organization, you already have buy in from those who can support the security team’s efforts.
It’s important to remember that not everyone who needs to know about the roadmap needs to know everything about the roadmap. When communicating the final plan, be prepared to explain highlights in technical and non-technical terms for those that need it, and focus on translating risks and opportunities rather than fear, uncertainty, and doubt.
Creating or updating the organization’s readiness strategy is a thoughtful and labor-intensive process which, at times, may seem like busywork. Done right, however, a security roadmap can reduce the organization’s risk exposure and streamline actions when a compromise is detected. Frontloading efforts to understand what’s important to the business and how the security team will secure those assets will eliminate some confusion and stress down the road. Though a good security roadmap should not be written in stone, it sets the direction and helps the organization meet its business goals, on time, and with as few obstacles as can be predicted.