[BreachExchange] How to build a comprehensive cyber security strategy

Destry Winant destry at riskbasedsecurity.com
Mon Jul 22 09:36:04 EDT 2019


https://www.itpro.co.uk/security/34049/how-to-build-a-comprehensive-cyber-security-strategy

Most, if not all, businesses know the importance of protecting
themselves against cyber threats. If your organisation is breached the
consequences can be serious, both reputationally and – thanks to GDPR
– financially.

Therefore, it's important to have an effective cyber strategy, but
it's not always easy to put something in place that provides
comprehensive coverage. The work doesn't stop at implementation,
either – the strategy needs to be regularly reviewed to ensure
continued compliance with legislative and regulatory requirements, as
well as adhering to internal rules.

Ownership, mandate and scope

In order to build a functional and comprehensive cyber security
strategy, you need to have a mandate at the most senior level of the
organisation. This means the Chief Security Officer (CSO), Chief
Technology Officer (CTO) or someone in a similar role should have
responsibility. The implications of GDPR on data security need to be
understood and built into the plan and the senior officers must ensure
both they and senior managers are aware of their responsibilities.

Outsourcing some or all of the actual work will be attractive to many
organisations. Advantages to this approach include a fresh
perspective, access to skills that might not be available in-house,
and the ability to work faster than if internal staff, with their
ongoing role responsibilities, take the work on. But external support
needs to be very well directed and managed, to ensure the right
outcomes are achieved. Collaboration with an external organisation,
rather than total outsourcing, may be a better way forward.

It's also vital that a cyber security strategy is scoped as a business
enabler, not something that will get in the way of people trying to do
their jobs. Adam Toulson, managing director at Accenture Security,
tells IT Pro: "Success requires more than just threat detection and
compliance. A good security strategy should always complement the
business strategy rather than stifling it."

Organisations also need to bear in mind that a strategy must be both
comprehensive and achievable. That's not necessarily an easy balance
to achieve. Toulson advises: "Keeping it simple, with a maximum of
five or six key objectives, will ensure that everyone is bought into
the strategy and is working towards the same goal."

Don't leave anything to chance

If you sit down and make a list of everything that has to be covered
in a cyber security strategy, plenty of things will easily spring to
mind. You'll likely focus right from the start on the obvious
technology and on the data that it holds. Kevin Curran, professor of
cyber security at Ulster University and a senior member of the IEEE,
offers a starter list: "All aspects relating to the protection of data
need to be considered. This includes examining security of physical
locations and employee access, data storage, data backups, network
security, compliance and recovery procedures, and of course all IoT
devices."

But there's a lot more to a comprehensive cyber security strategy than
those more obvious areas. One area that's very easy to omit or only
pay partial attention to is software. Before rolling out any strategy,
you should do a full software audit of your organisation. As a
minimum, you need to record all software in use, where it was sourced,
what the contractual agreements are for payment, how frequently and
through what mechanism it's updated (if this is done in house, by
whom, how often, and where the update logs are kept), and who has
ownership.

This might be a bigger task than you think. Ownership might not sit
with the IT team – indeed, you may find software that's crept in
completely under the radar. In either case, you need to establish
whether or not the owner is fully aware of their responsibilities and,
if they're not, educate them or consider moving ownership over to the
IT department.
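One practical way to start the software audit described above is to reconcile the inventory you have on paper against what is actually installed, and to flag the entries whose record is incomplete or whose update cadence has lapsed. The following is an added example written for this page, not code from the article or from any of the people quoted in it. The inventory entries, the installed-package dump (shaped like `dpkg-query -W -f='${Package}\t${Version}\n'` output, but constructed here) and the package names are all made up for illustration; the audit date is pinned to the date of this post so the result is reproducible.

```python
"""Reconcile a software inventory against what is actually installed.

Added example for the software-audit step: unregistered (shadow) software,
inventory records with no owner or source, and packages whose documented
update interval has lapsed are all reported as findings.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass
class InventoryEntry:
    name: str
    source: str             # where the software was sourced (vendor, repo, URL)
    owner: str              # accountable person or team; "" if nobody has claimed it
    update_mechanism: str   # how it is updated, e.g. "apt", "vendor installer", "manual"
    update_interval_days: int
    last_updated: date      # date of the last recorded update


# Hypothetical inventory, constructed for this example.
INVENTORY: List[InventoryEntry] = [
    InventoryEntry("openssl", "ubuntu-archive", "platform-team", "apt", 30, date(2019, 7, 1)),
    InventoryEntry("nginx", "ubuntu-archive", "platform-team", "apt", 30, date(2019, 7, 1)),
    InventoryEntry("postgresql", "pgdg repo", "dba-team", "apt", 30, date(2019, 6, 30)),
    # A contractor-delivered tool nobody owns and nobody updates.
    InventoryEntry("legacy-reporting", "contractor (2014)", "", "manual", 90, date(2018, 1, 15)),
]

# Constructed "name<TAB>version" lines in the shape of
# `dpkg-query -W -f='${Package}\t${Version}\n'` output (not real output).
INSTALLED_DUMP = """openssl\t1.1.1-1ubuntu2
nginx\t1.14.0-0ubuntu1
postgresql\t11.4-1
legacy-reporting\t2.3.1
teamviewer\t14.3.4730
"""

REQUIRED_FIELDS = ("source", "owner", "update_mechanism")


def parse_installed(dump: str) -> Dict[str, str]:
    """Parse tab-separated name/version lines into a {name: version} map."""
    installed: Dict[str, str] = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("\t")
        installed[name.strip()] = version.strip()
    return installed


def audit(inventory: List[InventoryEntry], installed: Dict[str, str], today: date) -> dict:
    """Return the findings a software audit should surface."""
    by_name = {e.name: e for e in inventory}
    findings = {
        # Installed but never recorded: software that crept in under the radar.
        "unregistered": sorted(n for n in installed if n not in by_name),
        # Recorded but not present: stale inventory, or an unnoticed removal.
        "not_installed": sorted(n for n in by_name if n not in installed),
        # (name, field) pairs where the record is incomplete.
        "missing_fields": [],
        # (name, days_overdue) pairs where the documented update cadence lapsed.
        "overdue": [],
    }
    for entry in inventory:
        for field_name in REQUIRED_FIELDS:
            if not getattr(entry, field_name).strip():
                findings["missing_fields"].append((entry.name, field_name))
        due = entry.last_updated + timedelta(days=entry.update_interval_days)
        if today > due:
            findings["overdue"].append((entry.name, (today - due).days))
    return findings


def run_audit(today: date = date(2019, 7, 22)) -> dict:
    """Run the audit over the constructed inventory and installed dump."""
    return audit(INVENTORY, parse_installed(INSTALLED_DUMP), today)


if __name__ == "__main__":
    for category, items in run_audit().items():
        print(f"{category}: {items or 'none'}")
```

Against the constructed data the audit reports `teamviewer` as unregistered, `legacy-reporting` as having no owner and as 463 days past its documented 90-day update window, and nothing in the inventory as missing from the host. In practice the installed dump comes from the package manager or an endpoint agent on each host, and the inventory from whatever register the organisation keeps; the point of the reconciliation is that the three finding types map directly onto the three questions the audit has to answer: what is running, who owns it, and whether it is being kept up to date.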

What about people and partners?

A cyber security strategy needs to take account of the risk people can
bring. As Curran says: "People are often the weakest link in security,
therefore it is important to ensure all employees are well trained on
aspects such as cyber security best practice like phishing and data
sharing practices, keeping software updated, unique strong passwords,
enabling two-factor authentication and so on."

Curran also points out that people often don't learn till they've been
bitten. Some organisations are attempting to tackle this by sending
out phishing emails containing fake malware to educate those who
click, for example.

An ongoing process

If a comprehensive cyber security strategy is being set up for the
first time, it will take a while. There might be some digging around,
some forced changes to the ways in which some people work day to day
and, depending on your strategy for controlling shadow IT, some
disgruntled staff to deal with.

Once this is all done, maintaining the strategy should be an ongoing
process, with frequent enough audits to ensure compliance and regular,
ongoing messaging to help prevent infractions. As Curran puts it:
"Organisations need to maintain their internal standards and conduct
regular audits of all connected devices and security risks including
physical. Without regular audits the process becomes toothless."

