With the continued rise in cyber-crime and the devastating impact incidents can have on companies, many businesses are now looking to establish their first security program. For small and medium-size businesses (SMB), this can be a daunting task. Focused on growing revenue and “keeping the lights on,” many young companies outsource their information technology and cybersecurity services to managed service providers (MSP). This outsourcing allows the SMB to focus critical resources on business operations while the trusted partner provides the required technology services. That, for the most part, has been the norm; however, many MSPs are now offering distinct security services and changing their business offerings to become managed security service providers (MSSP).
However, even with these new security service portfolio offerings, there comes a time when a company is mature enough to start laying the foundation for its own enterprise security program. For those initiating this course of action for the first time, there are five actions, or rather stages, that I would recommend organizations take to be successful.
The first stage a company will conduct in building its security program revolves around the fundamental concept of having visibility into what is on the company’s networks. Here the business will conduct an inventory of the people and IT assets that access the networks, current IT and cybersecurity reports, any security metrics, policies and current security work processes. The business will also want to establish its first budget for security services and possibly review any current security contracts. This is a continuous process that will need to be established, not a one-time exercise.
One of the last steps in this stage is assessing the current network and security architectures, work processes and standing policies. It is in this step that the business gets some insight into its “cyber hygiene,” finding policies and procedures that need to be upgraded and possible architectural changes that would reduce the business’s risk exposure. At the end of this stage, the company should have a working asset management program, an understanding of the current network infrastructure and valuable insight into how company data is being accessed, used and stored at rest.
In the previous stage the business gained critical visibility into its assets, but now it’s time to get dirty. The business needs to get a better understanding of its technology and business operations risk as measured against an established risk management framework such as NIST SP 800-53 or ISO 27001, for example. It is in this stage that the business should review its “security stack” and document its installed security solutions, such as firewalls, AV solutions and IDS/IPS sensors, and the security procedures that are in place, such as patch management, incident response and vulnerability remediation, to name a few.
The newly upgraded network diagrams the business created during the inventory stage will be useful here to help the organization’s IT and security personnel better understand the current effectiveness of installed security controls and annotate areas for improvement. Businesses will find this stage is the most technical of the five; they should not be afraid to ask for third-party vendor assistance to conduct these assessments and provide recommendations. By the end of the assessment step, they will have a list of security gaps that should become future projects, prioritized based on risk exposure and impact to business operations.
Here is where the business should begin building out its security plan by drafting the vision for upgrading the organization’s current cybersecurity strategy (if one exists). It should first review the current security program and any currently identified challenges, such as a lack of executive support, incomplete inventories (e.g., organizational blind spots related to hardware, software and systems), previously identified audit gaps, and immature security processes. Once the business has completed this review, it should have a list of risk exposures that need remediation. It is useful to prioritize the findings based on their threat to business operations, their exposure to meeting compliance requirements, and any possible unauthorized access to sensitive business data. The business will want to identify any issues that can be addressed quickly and provide value to the organization once corrected. What matters here is establishing a new security agenda. This prioritized list should also be used by the business to update its strategic business plan and fashion a new budget based on current projects to mitigate the identified security issues.
The repercussions of today’s digital attacks (such as phishing emails and malware infections) on businesses’ intertwined infrastructures can result in loss of sensitive data and critical services to the business itself or its customers. To counter these ever-evolving threats, businesses both small and large need to focus on doing the basic security processes and controls correctly and continuously. It’s about businesses laying the equivalent of a digital foundation on which they can then build their networks and provide data and applications to their employees and customers securely. The methodologies businesses follow to do these basic security processes are referred to as “cyber hygiene.”
Services that are considered cyber hygiene include deploying firewalls, updating anti-virus definitions, running vulnerability scans, selecting and maintaining identification and authorization mechanisms, updating and implementing software patches, backing up essential business data and securing personal data. This list is not all-inclusive; many other services count as cyber hygiene, depending on the business environment and the technologies in use. It is important for the business to build a resilient security program by establishing a mature, continuous process for managing these services to reduce the organization’s threat profile.
By this final stage, businesses should have an active asset inventory program in place, have completed a risk assessment of their current technology and application portfolios, possess a list of current deficiencies prioritized based on impact to business operations, have reviewed all IT and security processes that qualify as cyber hygiene, and have committed resources to ensure those processes are incorporated into the new security program.
Now, this leads businesses to their final stage in establishing an enterprise security program: someone to manage it. When businesses are small, IT and security services will typically be managed by a handful of harried employees, with strategic support provided by a trusted MSP. However, when a company matures to between 100 and 300 employees, management teams start having the “we need to have a security program” discussion. In establishing all of the above processes and services required to build that security program, the most critical piece the organization must complete is to hire someone with experience to take responsibility for and lead this program.
Unfortunately, not having a security program manager often results in an underfunded security program, as the business may lack visibility into the program’s strategic value. This is why companies need to select a security program manager as they build their security program. Having a senior security leader provides the business with a professional who can educate the business on its risk exposure and develop options to mitigate these issues.
Security, when it is broken down into its base components, is a discussion on risk and the impact it has on business plans and operations. This risk is what drives companies, as they mature, to establish their first security programs.
As CISO, Gary’s mission includes creating a “risk aware” culture that places high value on securing and protecting customer information entrusted to Webroot. Gary has a record of establishing enterprise information security programs and managing multiple cross-functional network and security teams. Gary is co-author of “CISO Desk Reference Guide: A Practical Guide for CISOs,” which is focused on enabling CISOs to expand their expertise and scope of knowledge.
Gary’s previous information security roles include CISO, Deputy Director of IT and senior network architect roles for the City of San Diego, the U.S. Navy (Active Duty) and as a U.S. Federal Government employee. In these positions he built security programs from the ground up, audited large disparate networks and consolidated legacy network infrastructure into converged virtualized data centers.