Cybersecurity playbook: Strategy

Kevin Fleming
5 min read · Mar 15, 2021

With no CISO/CSO, how can you make cybersecurity a core part of your culture and business strategy, and maybe even a competitive advantage? Here’s a roadmap to get you going until you can hire one. This is the third article in the cybersecurity playbook series. The series begins with an overview: What to do when there is no CSO. It was followed by your playbook for critical services.

Image: the cybersecurity strategy roadmap elements (the short version of your CS strategy).

In this third article in the cybersecurity (CS) playbook series, we will look at your CS strategy: your framework of goals and choices that provide direction for future decisions.

Your CS strategy must be a solid but evolving pattern in a stream of decisions, within a larger stream of events and evolving conditions (SolarWinds, MS Exchange). In addition to providing the means to reach strategic IT goals, your strategy must possess two key qualities:

1. CS strategy must have a direct link to the organization’s strategy.

2. CS strategy must deliver measurable value.

Your CS strategy will guide your future decisions and tell you how they should be executed. For example, it’s not debatable that a key goal of your strategy will be to protect the organization, but the question of how you will achieve that goal is critical; it is a strategic decision that informs and guides you, the executive and your teams.

Protect the organization by fully adopting a cybersecurity framework

My advice has been to fully adopt a cybersecurity framework (SANS/NIST/ISO). In addition to managing cyber risk, there is one very big benefit for you: it allows you to answer the key questions that may be asked by your CEO or board: How much risk do we carry? Are we sufficiently protecting our key assets? What do we need to do in the future?

Enable business growth by…

Believe it or not, your CS strategy can be a key enabler of business growth. If your organization is seeking investors, partners or a relationship as a supplier, there will undoubtedly be a security assessment component of their due diligence. A CS framework will allow you to provide a full accounting of your current cybersecurity posture and roadmap. Being able to quickly send a potential client a six-page document describing your security posture could go a long way to differentiating you from the competition.

Your security posture will also make a difference in how readily your organization can take on new risk. Having the policies, people, processes and technology in place will allow you to add new people, new software, or new suppliers with greater confidence that new risks can be identified, assessed, mitigated and included in your incident response plans.

Finally, if your cybersecurity chops are on-point, then you can conduct your own vendor security assessments with greater confidence and speed. It may also be possible for you to spread the love and help your vendors to improve their own CS postures.

No/low budget strategy

If you’re in the low-budget/no-budget category then you’ll want to review this solution from SANS Institute: A Small Business No Budget Implementation of the SANS 20 Security Controls. Unfortunately, this document was written in 2011 and, in the 10 years since, many of the free tools it suggests no longer exist. The good news is that in those same 10 years there has been an explosion of free and open source (FOSS) solutions in the cybersecurity space. So, don’t hesitate to use the SANS document as a guide — their 20 security controls are still the right 20 controls, you’ll just have to do a bit more work to choose the implementation details. The secret to success here is to make technology choices that allow you to integrate as much information as possible.

For those with a budget, make a CS platform your centerpiece

Your CS team may hate me for saying this, but don’t waste your time designing the perfect suite of point solutions. I’m not saying that there won’t be great use cases for a particular point solution; I’m saying: think about the next five years. You’re up against continuing digital transformation leading to a larger attack surface and greater challenges integrating the event/log data from all this transformation; increasing complexity in your technology stacks from device to multicloud; dissolution of your security perimeter; a rapidly evolving and somewhat hidden threat landscape; increased use of automation and ML/AI by threat actors; all capped by serious challenges in hiring the CS talent you need.

Instead of spending precious resources on low-value activities like choosing, buying, installing, learning and operating a suite of point solutions, you should buy a cybersecurity platform that you can grow with and optimize over the next five years. This will free your CS team to perform the high-value activities like actual threat hunting and response, enforcing policy, risk assessment and threat modeling, upskilling and so on.

To be clear, I am advising that you choose a platform like CrowdStrike Falcon, Check Point R81, SentinelOne Singularity, or one of the other cybersecurity platform solutions and make it the centerpiece of your CS strategy. Full disclosure: I have zero relationships, of any sort, with any vendor in the cybersecurity space.

Protecting the customer

If your organization is truly customer-focused then it makes good business sense to focus your CS strategy on protecting the customer, which means protecting their data: not just personally identifiable information (PII), but their sales/order data as well. If your org is B2B, would it help any of your customers’ competitors to know what they are spending their money on? But your CS responsibilities go beyond just ensuring confidentiality; there are also threats to integrity and availability, or, from the STRIDE threat modeling perspective, there are threats from: Spoofing; Tampering; Repudiation; Information disclosure; Denial of service; Elevation of privilege.

Your best course of action is to start with your web and mobile apps and follow the recommendations of the Open Web Application Security Project (OWASP). They have: the Mobile Application Security Verification Standard (MASVS), the Mobile Security Testing Guide (MSTG), and the Mobile Security Testing Checklist, all described very nicely right here: OWASP Mobile Security. For regular web apps, you can start with the Top 10 Web Application Security Risks and the Web Security Testing Guide.

NIST should be your next stop. They have an unmatched set of resources for improving your data security posture, a privacy framework, and my all-time favorite: Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events.

There is more to say on the cybersecurity topic but I am out of space at the moment. Let me close with a short list of the key pieces that remain:

  • Socialize your strategy with leadership (use a communication matrix — topics:people).
  • Choose metrics that focus on strategic goals and show business value — avoid tech speak.
  • IMHO, you can’t create your roadmap and plan without the solid foundation of a CS framework.
  • The threat landscape is continually evolving; your strategy must evolve, too.
  • Cyber hygiene (not cybersecurity) is everyone’s responsibility — this is a key message to socialize.

Image: the full cybersecurity roadmap.

I will be continuing this series over the coming days and weeks. I look forward to positive comments and questions!

A high-res version of the full roadmap can be found here.

Kevin Fleming

Enterprise Architect. A proven leader with 25 years delivering value-driven, innovative, business-technology strategies and solutions. Find me at linkedin.com