There has been a lot of talk about the importance of building a holistic security immune system. That is, an intelligent, integrated way to protect a network using information from many different sources, all of which is ingested by powerful analytics tools to help correlate, prioritize and act on security incidents.

When I put together security transformation programs, I always think of how the team can deliver short-term value with quick wins while also developing strategic, long-term change. To deliver an effective transformation, it is critical to communicate key controls at the board level.

From the top down, it is important to establish strong information security policies and best practices. Standards such as ISO 27001 and the Information Security Forum’s Standard of Good Practice for Information Security provide an excellent basis for a comprehensive set of controls to protect an organization. However, they take some time to define, agree upon and deploy.

Rapid Change Through Frameworks

Most organizations need to do something rapidly to deliver more effective security. For smaller organizations, the cost of comprehensive frameworks is prohibitive. These companies need to take action now.

To understand what security building blocks are needed for hosting systems, a good starting point is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, with 22 categories and 93 subcategories developed for the U.S. government. The Center for Internet Security’s (CIS) Critical Security Controls framework, which was developed from the SANS Institute’s Top 20 Critical Security Controls, provides a simple checklist, made up of 20 categories with 161 subcategories, developed by industry experts from around the world.

Priming Your Security Immune System

With these frameworks, experts have done the hard work of deciding what is a good set of security controls to deploy in the majority of environments. It’s up to you to determine what has already been deployed, what is appropriate for your environment and how the transformation will take place.

Assessing the Gaps

Both NIST and CIS provide their frameworks in spreadsheets that enable you to perform quick gap analyses of your existing controls. Since there may be multiple IT environments, it’s important to assess each one individually to determine how security is implemented and the maturity of the controls in terms of technology, process and people.

Target Environment

Once you understand the current environment, define the target controls environment. The controls you select will depend on the context of the current environment, your business direction and your appetite for risk. It does not mean you need all the controls, but you need to be comfortable that the company has level-appropriate controls in place in the event of a major breach.

A Road Map of Initiatives

Change will not happen overnight, so it’s important to develop a road map with a mix of quick wins and long-term initiatives to deliver sustained change. Each initiative should deliver value in steps to keep all stakeholders engaged in their investment. Balance the initiatives with security controls to protect, detect and respond to threats. When you think about your immune system, ensure there will be effective analytics and orchestration capabilities that can grow with your organization and adapt to emerging cybersecurity threats.

Quick Wins

Organizations often have multiple tools that do the same job, and have a deployment that is incomplete. Rationalizing or completing the deployment can make a huge difference and represent a quick win. In my experience, I have used a systems management infrastructure to collect data for a security process in a matter of months to avoid the cost and time of deploying a new tool that would have taken years to complete.

Deploy a Service, Not a Product

Any security road map needs to deploy a service, not a product, so be sure to include transformation initiatives for processes and organization. How do you ensure that security is in place or determine who is going to respond to an incident at 3 a.m.? Make sure you get the most out of your investment by establishing a minimum effective service before moving on to the next set of technologies.

Adapting to a Volatile Landscape

Transformation will take months or even years, depending on the investment required and the state of the environment. By the time you have completed one project, the threats and business priorities may have changed, so build a program that has regular checkpoints to potentially reset your investment.

The speed of implementation will also depend on the value of the data being processed and the urgency to protect the data from loss of confidentiality, integrity or availability. There is no one-size-fits-all solution, since legal and regulatory frameworks may set a minimum baseline of controls that require rapid transformation to meet industry standards. That’s why you need a security immune system that can keep your network secure in real time and respond to shifts in the threat landscape.
