How to visualize a security program (in a way that is not overwhelming)

It can be daunting to know how to properly secure your organization from the numerous risks that it faces.

In the past, a business simply needed to lock up each night. Modern times have proven that information security breaches are no longer an unlikely occurrence that only high-profile organizations must protect against. Every organization, regardless of size or industry, must consider how to keep critical operations and information secure.

Aligned with our vision of security for all, we want to help our clients understand their landscape of risks and vulnerabilities. We owe that to them. To a large degree this is what gets us out of bed in the morning and it is immensely rewarding to help clients understand these challenges in a manner that sets them up to take confident action. So how do we help them with this? Well, I’d like to share a few takeaways with you from the course of our work assessing and building security programs.

 

Anticipate first steps and next steps

One thing we consistently do is prepare our clients for the recommendations that are likely to come back after a risk or security assessment. This is particularly true for organizations operating at smaller than enterprise scale.

Our approach is to detail a list of effective recommendations without overwhelming you, and to provide a directional plan that can be executed independently of our help. But if we are not careful to position these items the right way, the result can feel like a flat list of things that need to be accomplished, and one that is much longer than you ever expected.

This approach provides particular value for smaller organizations that cannot staff full-time security roles or commit large amounts of point-in-time funding to cover all their bases. “Defense in depth” is a phrase commonly used in the cyber space, and it makes sense, but there are many ways to arrive at an implementation that reflects that principle and fits your organization’s current scenario.

 

Consider through a lens of business and real world context

Thinking through a tiered framework in the following three categories will help you visualize what’s appropriate for your organization in both a business and real-world context: securing the perimeter, layering additional defenses, and building resilient capabilities.

1. Securing the Perimeter

This bucket of controls includes those that typically come to mind when one thinks of securing an organization. It includes such things as securing your network and controlling the devices that connect to it, otherwise known as endpoints.

When you want to protect something of value perhaps the most obvious way to do so is to build something around it that makes it hard to penetrate.

Relative to your home, for example, it’s why you have locks on your doors and windows and why you may use electronic or digital systems to control access. It is also why you might consider strategic implementation of lighting and cameras to further harden the exterior. The easiest way to protect something in your home is to make it almost impossible for the wrong person to access it.

In our organizations, much of this comes in the form of making sure our networks include controls that keep unintended persons and systems from gaining access. These controls are a moving target because the threat landscape is constantly evolving, and it is impossible to stay on top of them without some form of specialization.

Additionally, it is impossible to maintain the integrity of the network if the devices authorized to access it are not themselves appropriately secured. These endpoints include laptops, phones, tablets, printers and other technical assets.

They need to be carefully and thoughtfully controlled so that an otherwise secure network does not become too easy to access through one of them.

In a way, people are endpoints too. Our habits, routines and practices need to be guided so as to help prevent unsafe intrusion into the organization’s valuable assets.

Securing the perimeter is the critical first step in protecting your organization. But no perimeter can be hardened to the point that it could never be breached.

2. Layering Additional Defenses

As such, your organization needs to implement additional controls to protect your assets when the perimeter is eventually breached. This is the “depth” in an appropriately strong defense.

In your home you might put your most valuable assets in a safe. And that safe will likely not be put in a room with easy access. Valuables that are too large to go into a safe are likely going to be placed carefully into a space that would make it hard for the wrong person (a bad actor) to extricate them.

In our organizations these largely take the form of what we call access controls. For example, are your staff in the habit of locking their workstations when leaving them unattended? Do workstations automatically lock after a defined period of inactivity? Are locked workstations protected with strong, hard-to-guess credentials? Are the most valuable technical and digital assets protected by multi-factor authentication (MFA)? These are just a few examples.

The list of layered controls that makes sense for your organization will largely be shaped by its contextual characteristics. There is no one-size-fits-all set of requirements. If the wrong person got past your perimeter, would it still be a lot of work for them to reach your most valuable assets? If the right layered controls are in place, it should be. Even so, there is no way to ensure a breach will never occur, even inside the most well-protected organization.

3. Building Resilient Capabilities

The assets and systems that need to be reliably available and operational in order for your organization to execute its mission need additional considerations. This also applies to things that would be very expensive to replace or reconstruct.

In your home, you likely have insurance to account for this contingency. However, a few items may not be able to be immediately replaced if compromised. In those cases, you might keep a backup on hand.

From an organizational standpoint this is why it is so important to ensure that your most important data and system configurations are backed up on a defined schedule, and that the ability to restore systems and files from those backups is regularly tested. A backup that has never been restored is an assumption, not a capability. It is also why organizations need to take Disaster Recovery and Business Continuity planning so seriously.
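As an added illustration of “regularly tested restores” (example code written for this article, not a tool the author describes), the script below backs up a small configuration tree into an archive, records a SHA-256 manifest at backup time, then restores the archive into a fresh directory and proves every file came back intact. The sample configuration files are constructed inline; the function and file names (`make_backup`, `verify_restore`, `backup.manifest.json`) are illustrative choices, not a standard.

```python
"""Take a backup, then prove it can be restored: extract into a scratch
directory and compare every file's SHA-256 digest to a manifest written
when the backup was taken. (Added example; names and sample data are
constructed for illustration.)"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest_dir: Path) -> Path:
    """Archive every file under `source` into dest_dir/backup.tar.gz and write
    a manifest (relative path -> digest) next to it. The archive is built from
    the manifest, so the two cannot silently disagree."""
    manifest = {
        str(p.relative_to(source)): sha256_file(p)
        for p in sorted(source.rglob("*")) if p.is_file()
    }
    archive = dest_dir / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    (dest_dir / "backup.manifest.json").write_text(json.dumps(manifest, indent=2))
    return archive


def verify_restore(archive: Path, manifest_path: Path) -> dict:
    """Restore into a throwaway directory and diff it against the manifest.
    'ok' is True only if every expected file is present with the right digest
    and nothing unexpected was restored."""
    expected = json.loads(manifest_path.read_text())
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp)
        with tarfile.open(archive, "r:gz") as tar:
            # The 'data' filter (Python 3.12+, backported to 3.8.17/3.9.17/...)
            # refuses absolute paths and '..' traversal inside the archive.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(target, **kwargs)
        restored = {
            str(p.relative_to(target)): sha256_file(p)
            for p in target.rglob("*") if p.is_file()
        }
    missing = sorted(k for k in expected if k not in restored)
    corrupt = sorted(k for k in expected if k in restored and restored[k] != expected[k])
    extra = sorted(k for k in restored if k not in expected)
    return {"ok": not (missing or corrupt or extra),
            "missing": missing, "corrupt": corrupt, "extra": extra}


def run_demo() -> tuple:
    """Constructed sample: a tiny config tree. Returns the verification report
    for a fresh backup, and the report for that same backup after the source
    has drifted, which is why restore tests must be repeated on a schedule."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "etc-app"
        (src / "conf.d").mkdir(parents=True)
        (src / "app.yaml").write_text("listen: 0.0.0.0:8443\n")
        (src / "conf.d" / "db.yaml").write_text("host: db.internal\n")
        out = root / "backups"
        out.mkdir()
        archive = make_backup(src, out)
        manifest = out / "backup.manifest.json"
        fresh = verify_restore(archive, manifest)

        # Simulate drift: the live config changed after the last backup. A
        # manifest of what we need today no longer matches the old archive.
        (src / "app.yaml").write_text("listen: 0.0.0.0:443\n")
        today = {str(p.relative_to(src)): sha256_file(p)
                 for p in src.rglob("*") if p.is_file()}
        manifest.write_text(json.dumps(today, indent=2))
        stale = verify_restore(archive, manifest)
        return fresh, stale


if __name__ == "__main__":
    fresh_report, stale_report = run_demo()
    print("fresh backup restores cleanly:", fresh_report["ok"])
    print("stale backup vs. current config:", stale_report)
```

The point of the second report is the one practitioners most often miss: a restore test that passed last quarter says nothing about whether tonight’s archive still matches what the business depends on, so the verification has to run on the same defined schedule as the backup itself.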

What are the things that, if lost for a certain duration, would jeopardize revenue, critical services, or your organization’s reputation beyond what you can tolerate? The answers to this question should help you understand what needs to be well considered from a resilience standpoint.

 

In summary, a list of cyber recommendations, security vulnerabilities, and other remediation items can seem overwhelming, especially at the conclusion of an exercise or assessment intended to identify all the threats in your organization’s landscape. It can help to think of each item as fitting into one of the three categories above.

To adequately protect your organization, consider ways to secure your perimeter, thoughtfully control layered defenses, and have your most critical capabilities implemented with the right amount and type of resiliency. If you would like help evaluating the security needs of your organization, feel free to contact us below and we would be glad to connect for a discovery call.

Glen Willis is a cybersecurity and privacy leader with more than 20 years of experience in the technology industry. He has worked across numerous domains from data center operations to software delivery and strategic governance functions. He is passionate about helping organizations solve for their most challenging issues and deliver on their most important strategic initiatives.

Outside of work Glen enjoys teaching and coaching basketball to young people hoping to learn and grow through sports. He believes in bringing one’s whole self and passion to everything he does for the purpose of enriching the lives and growth of others at any opportunity.