Steps to Build your Cybersecurity Program
Cybersecurity Programs have become a “top of mind” priority for most organizations. As the number of cyberattacks increases and cybercriminals become more sophisticated, organizations must deploy additional defenses and safeguards to secure their operations and the data entrusted to them.
Keeping abreast of the new cyber threats and challenges created by expanding attack surfaces and an evolving threat landscape requires a structured, strategic approach to cybersecurity. Totem previously published a “Top Five” list of steps that organizations should take to achieve a minimum level of security against cyber threats.
However, an organization isn’t “done” or “secure” after taking these steps. Protecting against cyber threats is an ongoing process.
#1 Identify Requirements
The first step in this process is identifying the requirements that an organization’s cybersecurity strategy and team must meet. These requirements can come from a variety of places, including:
- Data privacy laws (such as the GDPR and CCPA)
- Laws and industry standards protecting certain types of sensitive data (such as HIPAA and PCI DSS)
- Contractual obligations (such as compliance with the CMMC or being considered a “business associate” under HIPAA)
- Internal requirements driven by customer and business needs
While achieving compliance with these requirements does not by itself make an organization “secure,” they define the minimum that an organization must meet. Additionally, considering compliance and contractual requirements early in the process enables an organization to map out in advance how implemented security controls align with requirements, simplifying audit processes.
#2 Define the Desired Security Baseline
The requirements identified in the previous step can then be used as inputs in the development of a security baseline. This baseline should outline the security controls that an organization plans to put in place in order to achieve compliance with these requirements, as well as any other controls necessary to ensure the security of the organization’s data and systems.
When developing a baseline plan, it is a good idea to use a standard framework, such as those published by NIST or CIS. These frameworks outline security best practices for organizations of any size and provide a good starting point for an organization’s security plan. From there, additional controls can be added as necessary to meet any requirements not covered by the selected framework.
#3 Perform a Risk Assessment
The next step in building a mature cybersecurity program is identification of security gaps or misconfigurations that could pose a threat to the organization. This should be accomplished via a risk assessment.
A risk assessment is intended to quantify the risk posed to an organization by various potential threats. A risk assessment is a multistage process:
- Attack Surface Mapping: An organization’s attack surface consists of all of the systems that an attacker could exploit to attack the organization. This includes public-facing systems, such as web applications and email, and any other systems that could be used or targeted in an attack.
- Threat Identification: Every system within an organization could be potentially exploited in a number of different ways. Potential threats can be identified by performing vulnerability scanning (to identify missing patches and misconfigurations) and architectural review (to determine if the current design meets or exceeds the requirements of the security baseline).
- Risk Quantification: Risk assessments are designed to quantify threats to an organization based upon the probability that an attack will occur (low, medium, or high) and the expected impact if it did occur (low, medium, or high). This quantification should be performed for every identified system on the organization’s attack surface and every threat that it could face.
The result of the risk assessment should be a list of identified gaps between the organization’s current security posture and the ideal. These risks can be used to update the organization’s security baseline to reflect potential threats not identified previously.
#4 Implement the Security Baseline
Every security team has constraints on its ability to secure the organization. Common constraints include limited budgets and access to skilled personnel. As a result, it may be difficult or impossible to remediate all potential threats to the organization.
This is where the risk quantification created during the risk assessment comes into play. As a result of the risk assessment, an organization has a list of problems to remediate with an associated risk value.
This list can be cross-referenced with the cost of remediating each potential vulnerability to create a remediation strategy. Some risks may be remediated immediately, while others may require long-term investment or even be accepted as infeasible to fix.
Building this strategy requires collaboration across the organization, especially at the executive level since strategic investments may fall under the purview of the CEO and CFO. Once a plan is created and agreed upon, the organization should put it in place and review it regularly (performing updated risk assessments) to track the changing cyber threat exposure.
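The risk quantification described in step 3 and the cost-aware remediation strategy in step 4 can be expressed as a small risk register. The following is an added example written for this article, not code from Totem or from any framework it mentions: the 3x3 likelihood-by-impact scoring, the relative cost units, the budget figure and the sample findings are all constructed for illustration.

```python
"""Risk quantification and remediation ranking (added example, constructed data).

Each finding from a risk assessment carries a likelihood and an impact rating
(low / medium / high). Multiplying the two gives a 1..9 score, which is then
cross-referenced with the relative cost of fixing it to decide what to
remediate now, what to defer to longer-term investment, and what to accept
because no feasible fix exists.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    system: str                     # asset on the attack surface
    threat: str                     # what could go wrong on that asset
    likelihood: str                 # low / medium / high
    impact: str                     # low / medium / high
    remediation_cost: Optional[int]  # relative cost units; None = no known fix


def risk_score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on a 1..9 scale; rejects ratings outside the matrix."""
    try:
        return LEVELS[likelihood.lower()] * LEVELS[impact.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown rating {exc.args[0]!r}; expected low/medium/high") from exc


def risk_level(score: int) -> str:
    """Bucket a 1..9 score back into the qualitative rating used in reports."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize(findings: List[Finding], budget: int) -> Tuple[List[Finding], List[Finding], List[Finding]]:
    """Split findings into (remediate_now, deferred, accepted).

    Findings with no known fix are accepted outright. The rest are ranked by
    risk (highest first) and, on ties, by cost (cheapest first); each is funded
    greedily while it still fits in the remaining budget, otherwise deferred.
    """
    accepted = [f for f in findings if f.remediation_cost is None]
    fixable = [f for f in findings if f.remediation_cost is not None]
    ranked = sorted(fixable, key=lambda f: (-risk_score(f.likelihood, f.impact), f.remediation_cost))
    remediate_now, deferred, remaining = [], [], budget
    for f in ranked:
        if f.remediation_cost <= remaining:
            remediate_now.append(f)
            remaining -= f.remediation_cost
        else:
            deferred.append(f)
    return remediate_now, deferred, accepted


# Constructed sample findings, as a risk assessment might produce them.
SAMPLE_FINDINGS = [
    Finding("public web app", "unpatched CMS plugin", "high", "high", 2),
    Finding("mail gateway", "no MFA on webmail", "high", "medium", 3),
    Finding("legacy HVAC controller", "unsupported OS, no vendor patches", "medium", "high", None),
    Finding("internal file share", "overly broad permissions", "medium", "medium", 4),
    Finding("print server", "default SNMP community string", "low", "low", 1),
]


if __name__ == "__main__":
    now, later, accepted = prioritize(SAMPLE_FINDINGS, budget=6)
    for label, group in (("remediate now", now), ("deferred", later), ("accepted", accepted)):
        print(f"== {label} ==")
        for f in group:
            score = risk_score(f.likelihood, f.impact)
            print(f"  {f.system:24} {f.threat:36} risk={score} ({risk_level(score)}) cost={f.remediation_cost}")
```

Ranking by risk first and cost second keeps a cheap low-risk item from jumping ahead of an expensive high-risk one; the greedy pass then lets small items fill whatever budget is left, which is how the print server fix ends up funded while the costlier file-share work is deferred. Re-running this after each updated risk assessment is the "review it regularly" step in practice.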
#5 Grow the Program
Implementing a cybersecurity baseline is an ongoing challenge for organizations. As new platforms and cyber threats emerge, new plans and strategic investments will be required to address them.
However, even implementing the security controls outlined in an organization’s security baseline is not enough to protect the organization. Mature cybersecurity teams have a number of additional policies and procedures in place to minimize the impact of a potential cybersecurity incident.
#6 Round-the-Clock Security Monitoring
Cybercriminals do not only attack during an organization’s core business hours, not least because they are rarely in the same timezone as their targets.
The cost of remediating a cybersecurity incident is directly tied to the time between the initial attack and the response. For this reason, organizations should deploy 24/7 security monitoring on their networks in order to ensure that threats are detected and responded to as soon as possible.
#7 Creation of an Incident Response Plan
One of the requirements for this round-the-clock monitoring team is the ability to respond to and remediate an incident once it occurs. Delays or mistakes in doing so can be costly since they could allow the attacker to expand their foothold on the network and possibly achieve their operational objectives, such as a ransomware infection or data breach.
Minimizing delays and mistakes in incident response requires the development of an incident response plan that lays out how an organization should handle different scenarios and how to adapt to unexpected events. This plan should also include plans for notifying key personnel, such as executive stakeholders and specialists that may need to be called in as part of the response efforts.
#8 Investment In Security Automation
While some cyberattacks last for months or even years, others can be completed in seconds. The speed of an organization’s response to these attacks can determine whether they succeed.
For this reason, it is wise for an organization to invest in strategic security automation. This can include everything from automated data collection and alert correlation to automated responses for common threat scenarios. By removing the human from the loop whenever possible, and making analysts as efficient as possible where full automation is not possible, an organization can enable rapid and scalable threat detection and response.
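As an added example of the alert correlation and automated response the paragraph above describes, the following script groups raw alerts into incidents and applies a playbook to one common scenario (a password-guessing burst against a login service). It is written for this article, not taken from Totem or from any SIEM product: the alert format, the ten-minute window, the five-failure threshold and the sample alerts are all constructed for illustration, and the "actions" are strings a real deployment would map to a firewall or identity-provider API call.

```python
"""Alert correlation with a playbook for one common scenario (added example).

Alerts sharing the same (host, source) and arriving within a fixed window of
the incident's first alert are merged into one incident. The playbook then
auto-handles the clear-cut case (many failures, no success) and escalates the
dangerous one (many failures followed by a success) to a human.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

WINDOW = timedelta(minutes=10)      # constructed correlation window
BRUTE_FORCE_THRESHOLD = 5           # constructed: failures that make a burst


def _burst(host: str, src: str, start: str, n: int, kind: str = "auth_failure", step: int = 5) -> List[Dict]:
    """Build n constructed alerts of one type, `step` seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [{"ts": (t0 + timedelta(seconds=i * step)).isoformat(), "host": host, "type": kind, "src": src}
            for i in range(n)]


# Constructed sample alerts, in the shape a SIEM might emit (ISO time, host, type, source).
SAMPLE_ALERTS = (
    _burst("vpn-gw-1", "203.0.113.7", "2024-01-15T02:01:05", 5)
    + [{"ts": "2024-01-15T02:02:40", "host": "vpn-gw-1", "type": "auth_success", "src": "203.0.113.7"}]
    + _burst("vpn-gw-1", "198.51.100.9", "2024-01-15T02:10:00", 6)
    + [{"ts": "2024-01-15T09:30:00", "host": "ws-042", "type": "auth_failure", "src": "10.0.5.12"},
       {"ts": "2024-01-15T14:15:00", "host": "ws-042", "type": "av_detection", "src": "10.0.5.12"}]
)


def correlate(alerts: List[Dict], window: timedelta = WINDOW) -> List[Dict]:
    """Merge alerts into incidents keyed by (host, src) and bounded by `window`."""
    by_key: Dict[Tuple[str, str], List[Dict]] = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):   # ISO-8601 strings sort chronologically
        by_key[(a["host"], a["src"])].append(a)
    incidents: List[Dict] = []
    for (host, src), group in by_key.items():
        current = None
        for a in group:
            t = datetime.fromisoformat(a["ts"])
            if current is None or t - current["start"] > window:
                current = {"host": host, "src": src, "start": t, "alerts": []}
                incidents.append(current)
            current["alerts"].append(a)
    return incidents


def triage(incident: Dict) -> Tuple[str, str]:
    """Apply the playbook to one incident; returns (label, action)."""
    types = [a["type"] for a in incident["alerts"]]
    failures = types.count("auth_failure")
    if failures >= BRUTE_FORCE_THRESHOLD:
        last_fail = max(i for i, t in enumerate(types) if t == "auth_failure")
        if "auth_success" in types[last_fail + 1:]:
            # A success after a failure burst may mean a guessed password: a human decides.
            return "brute_force_success", "escalate: disable account, page on-call analyst"
        return "brute_force", f"automated: block {incident['src']} at perimeter, notify SOC"
    return "needs_review", "queue for analyst review"


def triage_all(alerts: List[Dict]) -> List[Dict]:
    """Correlate then triage; returns one summary row per incident."""
    rows = []
    for inc in correlate(alerts):
        label, action = triage(inc)
        rows.append({"host": inc["host"], "src": inc["src"], "start": inc["start"].isoformat(),
                     "alerts": len(inc["alerts"]), "label": label, "action": action})
    return rows


if __name__ == "__main__":
    for row in triage_all(SAMPLE_ALERTS):
        print(f"{row['start']} {row['host']:9} {row['src']:13} n={row['alerts']:2} {row['label']:20} -> {row['action']}")
```

The split between the two brute-force outcomes is the point: the burst with no success is safe to block without a human, while the burst that ends in a success is exactly the case where a wrong automated action (or no action) is costly, so it is handed to an analyst with the context already assembled.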
#9 Performing Proactive Threat Hunting
Many organizations take a preventative and reactive approach to cybersecurity. This includes deploying defenses to block attacks and to generate alerts on any suspicious behavior. By investigating and responding to these alerts, the security team can identify and remediate most potential incidents.
However, some cyber threat actors have the knowledge and sophistication necessary to slip past an organization’s security architecture without detection. These cybercriminals can operate indefinitely on an organization’s network under the radar.
Identifying and remediating these threats requires a proactive threat hunting program, where skilled cybersecurity personnel seek out indications of a breach that slipped past their defenses. Doing so requires access to the right talent and tools, as described in an earlier article.
#10 Improving Cybersecurity Maturity
Building a mature cybersecurity program is an ongoing process as an organization identifies and addresses new potential threats to its digital security. The first step in this process is creating, meeting, and maintaining a baseline level of security that meets internal and external requirements. From there, an organization can take additional steps to improve its security posture, such as implementing round-the-clock security monitoring and performing proactive threat hunts.