Organizations face a wide variety of cyber threats, including everything from exploitation of a web application vulnerability to employee negligence leading to a data breach. Protecting the organization against a costly and damaging security incident requires a careful analysis of the potential threats and development of a strategy to mitigate them.
Developing a good cyber security strategy is a multistage process. Every organization’s network infrastructure and threat landscape is slightly different, meaning that no “one size fits all” solution is available.
Building from the ground up
Developing a cyber security strategy should not be a “check the box” exercise. The cyber threat landscape is rapidly evolving, and organizations are extremely likely to be targeted by a cyberattack. Having a plan and infrastructure in place to protect against this is essential to minimizing the threat and impact to the organization.
A cyber security strategy should be based upon an understanding of the organization’s unique risks and exposure to cyber threats. Development of a cyber security strategy should include the following steps.
1. Identify Requirements
The first stage in creating a strategy is identifying requirements. While the end goal of a cyber security strategy is “to reduce risk”, an effective strategy requires much more specific requirements. One source of requirements is an understanding of an organization’s attack surface and the security needs of its devices. Perform an inventory of all of the organization’s systems to provide a complete picture of what the organization must be capable of protecting against.
Regulatory and contractual requirements are also major drivers of an organization’s cyber security strategy. New data protection regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have joined existing ones, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA), to expand the regulatory compliance landscape. These regulations (and others like them) may explicitly or implicitly specify certain security controls that organizations under their jurisdiction must have in place to secure protected data. Identify applicable regulations and determine their cyber security requirements as part of preparations for developing a strategy.
2. Perform a Risk Analysis
A cyber security strategy should be designed to decrease an organization’s risk exposure to the greatest extent possible. With limited resources, it is impossible to completely eliminate risk to the organization. However, a well-designed strategy can reduce risk to an acceptable level.
The first step in performing a risk analysis is to gain as complete a picture as possible of the potential cyber risks that an organization faces. Based upon the inventory of an organization’s assets and security resources such as the National Vulnerability Database (NVD), the MITRE ATT&CK framework, and security intelligence feeds, map out potential risks and threats to the organization and existing security gaps.
Based upon this list of risks, the next step is to prioritize remediation of these risks and security gaps. Each threat should be quantified based upon:
- Probability: The likelihood that the organization will actually face the threat
- Impact: The damage and expense caused by the cyber threats if they do occur
- Expense: The resources required to decrease or eliminate the risk posed by the threat
Based upon this information, the organization can properly prioritize the use of available budget to address these risks and perform strategic cyber security investment.
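One way to turn the three factors above into a prioritized list under a fixed budget, as an added example that is not part of the original article. It assumes that a mitigation eliminates the threat's expected loss (the article only says "decrease or eliminate"), and the threat register below is constructed for illustration.

```python
"""Added example (not from the original article): rank threats by the
probability, impact and expense factors and pick mitigations within a budget."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float  # likelihood of occurrence over the planning period (0..1)
    impact: float       # damage and expense if it occurs, in currency units
    expense: float      # cost to mitigate; ASSUMED here to fully eliminate the risk

    @property
    def expected_loss(self) -> float:
        return self.probability * self.impact

    @property
    def benefit_per_unit_cost(self) -> float:
        # Expected loss avoided per unit of budget spent on this mitigation.
        return self.expected_loss / self.expense


def prioritize(threats, budget):
    """Greedy selection: fund mitigations with the highest expected-loss
    reduction per unit of expense until the budget runs out.
    Greedy is not guaranteed optimal (it is a knapsack problem), but it is
    the usual first cut for a risk register. Returns (chosen names in
    funding order, residual expected loss of the unfunded threats)."""
    ranked = sorted(threats, key=lambda t: t.benefit_per_unit_cost, reverse=True)
    chosen, remaining = [], budget
    for t in ranked:
        if t.expense <= remaining:
            chosen.append(t.name)
            remaining -= t.expense
    residual = sum(t.expected_loss for t in threats if t.name not in chosen)
    return chosen, residual


# Constructed sample register with illustrative figures, not real data.
SAMPLE_THREATS = [
    Threat("web app vulnerability", 0.40, 500_000, 60_000),
    Threat("phishing leading to data breach", 0.60, 800_000, 150_000),
    Threat("lost unencrypted laptop", 0.20, 100_000, 10_000),
    Threat("ransomware via unpatched server", 0.30, 2_000_000, 400_000),
]

if __name__ == "__main__":
    chosen, residual = prioritize(SAMPLE_THREATS, budget=250_000)
    print("fund first:", chosen)
    print(f"residual expected loss: {residual:,.0f}")
```

Note that the threat with the largest expected loss (ransomware) is deferred because its mitigation does not fit the budget; the ranking surfaces that trade-off explicitly so it can be taken to the stakeholders discussed in the next step.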
3. Create a Plan
Once an organization has completed a risk assessment, the final step in the process of creating a strategy is creating a plan to act on the risk assessment. This plan can be a subsection of your overall business continuity plan or business plan.
An important first step in this process is ensuring that all necessary stakeholders are involved and invested in the process. In addition to the organization’s security team and CISO, many of the organization’s executives have a vested interest in the company’s cyber security strategy. For example, the CEO must report to shareholders on how the organization is protecting customer data, the legal department should have visibility into regulatory compliance activities, and the CFO needs to understand the security team’s budget requirements to meet short-term and long-term investment goals.
Once the required stakeholders have been gathered, it’s time to develop a roadmap for achieving the organization’s goals. This includes defining milestones and creating a timeline for meeting these goals.
The team should also define clear metrics for evaluating the success of each milestone and of the program as a whole, so that the team can assess current progress. The team should meet regularly to audit the program’s progress and make corrections as needed.
Building a Mature Cyber Security Program
A mature cyber security program doesn’t happen overnight. At the beginning, an organization should focus on putting in place essential cybersecurity protections. Over time, additional tools, techniques, and processes should be added to improve the efficiency and effectiveness of the organization’s cyber security program.
Throughout the process of building a mature program, it’s important to revisit and reconsider the organization’s cyber security strategy. New devices, cyber threats, and data protection regulations can introduce new requirements for the program and change current priorities. Frequent reassessments can help the organization to stay on-track and enable it to optimize its investment.