How to visualize a security program (in a way that is not overwhelming)
It can be daunting to know how to properly secure your organization from the numerous risks that it faces.
In the past, a business would simply need to lock up each night. But modern times have proven that information security breaches are no longer an unlikely occurrence that only high-profile organizations must protect against. Every organization, regardless of size or industry, must properly consider how to keep critical operations and information secure.
Aligned with our vision of security for all, we want to help our clients understand their landscape of risks and vulnerabilities. We owe that to them. To a large degree, this gets us out of bed in the morning, and it is immensely rewarding to help clients understand these challenges in a manner that sets them up to take confident action. So how do we help them with this? Well, I’d like to share a few takeaways with you from the course of our work assessing and building security programs.
Anticipate the first steps and next steps
One thing we consistently do is help prepare our clients for the recommendations that are likely to come back after a risk or security assessment. This is particularly true for organizations operating at smaller than enterprise scale.
Our approach is to detail a list of effective recommendations without overwhelming you, and to provide a directional plan that can be executed independently of our help. But if we are not careful to position these items the right way, it can feel like you have just received a flat list of things to accomplish that is much longer than you ever expected.
This approach can provide additional value for smaller organizations that can’t accommodate full-time staffing or throw large amounts of point-in-time funding at covering all their bases. “Defense in depth” is a phrase commonly used in cybersecurity, and it makes sense. Still, there are many ways to arrive at an implementation that reflects those principles and applies them to your organization’s current situation.
Consider through a lens of business and real-world context
Thinking through a tiered framework in the following three categories will help you visualize what’s appropriate for your organization in both a business and real-world context: securing the perimeter, layering additional defenses, and building resilient capabilities.
1. Securing the Perimeter
This bucket of controls includes those that typically come to mind when one thinks of securing an organization. It includes such things as securing your network and controlling devices, otherwise known as endpoints.
When you want to protect something of value, perhaps the most obvious way to do so is to build something around it that makes it hard to penetrate.
In your home, for example, you have locks on your doors and windows and may use electronic or digital systems to control access. It is also why you might consider the strategic placement of lighting and cameras to harden the exterior further. The easiest way to protect something in your home is to make it almost impossible for the wrong person to access it.
In our organizations, much of this comes in the form of making sure our networks include controls that keep unintended persons and systems from gaining access. These items are a moving target because the threat landscape is constantly evolving. It’s impossible to stay on top of this without some form of specialization.
Additionally, it’s impossible to maintain the integrity of the network if the devices authorized to access it are not appropriately secured. These “endpoints” can include laptops, phones, tablets, printers, and other technical assets.
These must be carefully and thoughtfully controlled to prevent an otherwise secure network from being too easy to access.
In a way, people are endpoints too. Our habits, routines, and practices need to be guided to help prevent intrusion into the organization’s valuable assets.
Securing the perimeter is the critical first step in protecting your organization. But no perimeter can be hardened to the point that it could never be breached.
2. Layering Additional Defenses
As such, your organization needs to implement additional controls to protect your assets when the perimeter is eventually breached. This is part of the “depth” of an appropriately strong defense.
You might put your most valuable assets in a safe in your home. And that safe will likely not be put in a room with easy access. Valuables that are too large to go into a safe are likely to be placed carefully in a space that would make it hard for the wrong person (a bad actor) to remove them.
In our organizations, these largely take the form of what we call access controls. For example, are your staff in the habit of locking their workstation when leaving it unattended? Do workstations automatically lock after a defined period of inactivity? Are locked workstations protected with strong and hard-to-guess credentials? Are the most valuable technical and digital assets protected by multi-factor authentication (MFA)? These are just a few examples.
The list of the layered controls that make sense for your organization will largely be shaped by its contextual characteristics. There is no one-size-fits-all set of requirements. If the wrong person got past your perimeter, would it still be much work for them to get to your most valuable assets? If the right layered controls are in place, it should be. Even inside the most well-protected organization, there is no way to ensure a breach will never occur.
3. Building Resilient Capabilities
The assets and systems that need to be reliably available and operational in order for your organization to execute its mission need additional considerations. This also applies to things that would be very expensive to replace or reconstruct.
In your home, you likely have insurance to account for this contingency. However, a few items may not be able to be immediately replaced if compromised. In those cases, you might keep a backup on hand.
From an organizational standpoint, this is why it’s so important to ensure that your most important data and system configurations are backed up on a defined schedule and that the ability to restore systems and files from backups is regularly tested. It’s also why organizations must take Disaster Recovery and Business Continuity planning seriously.
What are those things that, if lost for a certain duration, would jeopardize revenue, critical services, and your organization’s reputation beyond respective tolerances? The answers to this question should help you understand the things that need to be well-considered from a resilience standpoint.
In summary, a list of cyber recommendations, security vulnerabilities, and other types of remediation can seem overwhelming, especially at the conclusion of an exercise or assessment intended to identify all threats to your organization’s landscape. But it might help to think of each item as fitting into one of the three categories above.
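As an added illustration (not tooling from the original post or its author), the following Python script turns a flat list of assessment recommendations into the three-tier view described above, shows progress per tier, and checks the resilience tier against the two questions the post raises: is each critical asset backed up on its defined schedule with restores regularly tested, and is the backup schedule fine enough for the duration of loss the business can tolerate? The recommendations, assets, dates, the 90-day restore-test interval and the tolerance values are all constructed sample data, not figures from the post.

```python
# Added example (not from the original post): model assessment findings in the
# post's three tiers and check the resilience tier against stated tolerances.
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Tier(Enum):
    PERIMETER = "1. Securing the perimeter"
    LAYERED = "2. Layering additional defenses"
    RESILIENCE = "3. Building resilient capabilities"


@dataclass
class Recommendation:
    title: str
    tier: Tier
    done: bool = False


@dataclass
class CriticalAsset:
    name: str
    tolerance: timedelta               # how long the asset can be lost before harm exceeds tolerance
    backup_interval: timedelta         # the defined backup schedule
    last_backup: date
    last_restore_test: Optional[date]  # None if a restore has never been exercised
    restore_test_interval: timedelta = timedelta(days=90)  # assumed policy value, not from the post


def bucket_by_tier(recs: List[Recommendation]) -> Dict[Tier, List[Recommendation]]:
    """Group a flat list of recommendations into the three tiers."""
    buckets: Dict[Tier, List[Recommendation]] = {t: [] for t in Tier}
    for r in recs:
        buckets[r.tier].append(r)
    return buckets


def tier_progress(recs: List[Recommendation]) -> Dict[Tier, Tuple[int, int]]:
    """Per tier: (completed, total), so progress is visible instead of one long list."""
    return {
        t: (sum(1 for r in items if r.done), len(items))
        for t, items in bucket_by_tier(recs).items()
    }


def resilience_gaps(assets: List[CriticalAsset], today: date) -> List[Tuple[str, str]]:
    """Flag resilience problems: a missed backup, a backup schedule coarser than
    the loss the business can tolerate, or a restore that has not been tested."""
    gaps: List[Tuple[str, str]] = []
    for a in assets:
        if today - a.last_backup > a.backup_interval:
            gaps.append((a.name, "backup missed its defined schedule"))
        if a.backup_interval > a.tolerance:
            gaps.append((a.name, "backup interval exceeds loss tolerance"))
        if a.last_restore_test is None or today - a.last_restore_test > a.restore_test_interval:
            gaps.append((a.name, "restore not tested recently"))
    return gaps


def render_program(recs: List[Recommendation], assets: List[CriticalAsset], today: date) -> str:
    """Plain-text view: one section per tier, with resilience gaps appended."""
    buckets = bucket_by_tier(recs)
    lines = []
    for tier, (done, total) in tier_progress(recs).items():
        lines.append(f"{tier.value}: {done}/{total} complete")
        for r in buckets[tier]:
            lines.append(f"  [{'x' if r.done else ' '}] {r.title}")
    for name, reason in resilience_gaps(assets, today):
        lines.append(f"  ! {name}: {reason}")
    return "\n".join(lines)


# Constructed sample data (illustrative only).
TODAY = date(2024, 6, 1)
SAMPLE_RECS = [
    Recommendation("Restrict inbound access to VPN and published services only", Tier.PERIMETER),
    Recommendation("Enrol all laptops and phones in device management", Tier.PERIMETER, done=True),
    Recommendation("Lock workstations after 15 minutes of inactivity", Tier.LAYERED, done=True),
    Recommendation("Require MFA for email and finance systems", Tier.LAYERED),
    Recommendation("Test a full restore of the finance file server", Tier.RESILIENCE),
]
SAMPLE_ASSETS = [
    CriticalAsset("Finance file server", timedelta(days=2), timedelta(days=1),
                  last_backup=TODAY - timedelta(days=1),
                  last_restore_test=TODAY - timedelta(days=200)),
    CriticalAsset("Customer database", timedelta(hours=4), timedelta(days=1),
                  last_backup=TODAY, last_restore_test=TODAY - timedelta(days=30)),
]

if __name__ == "__main__":
    print(render_program(SAMPLE_RECS, SAMPLE_ASSETS, TODAY))
```

Running the script prints the three tiers with a completion count each, followed by two resilience flags: the finance file server's restore has not been exercised within the assumed 90-day window, and the customer database is backed up daily even though the business can only tolerate losing four hours of it. Those are exactly the kinds of items that read as noise in a flat list but become obvious priorities once placed in the resilience tier.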
To adequately protect your organization, consider ways to secure your perimeter, thoughtfully control layered defenses, and have your most critical capabilities implemented with the right amount and type of resiliency. If you would like help to evaluate your organization’s security needs, please get in touch with us below, and we would be glad to connect for a discovery call.
Glen Willis is a cybersecurity and privacy leader with more than 20 years of experience in the technology industry. He has worked across numerous domains from data center operations to software delivery and strategic governance functions. He is passionate about helping organizations solve for their most challenging issues and deliver on their most important strategic initiatives.
Outside of work Glen enjoys teaching and coaching basketball to young people hoping to learn and grow through sports. He believes in bringing one’s whole self and passion to everything he does for the purpose of enriching the lives and growth of others at any opportunity.