There has been a lot of talk about the importance of building a holistic security immune system. That is, an intelligent, integrated way to protect a network using information from many different sources, all of which is ingested by powerful analytics tools to help correlate, prioritize and act on security incidents.
When I put together security transformation programs, I always think of how the team can deliver short-term value with quick wins while also developing strategic, long-term change. To deliver an effective transformation, it is critical to communicate key controls at the board level.
From the top down, it is important to establish strong information security policies and best practices. Standards such as ISO/IEC 27001 and the Information Security Forum's Standard of Good Practice for Information Security provide an excellent basis for a comprehensive set of controls to protect an organization. However, they take time to define, agree upon and deploy.
Rapid Change Through Frameworks
Most organizations need to do something rapidly to deliver more effective security. For smaller organizations, the cost of comprehensive frameworks is prohibitive. These companies need to take action now.
To understand what security building blocks are needed for hosting systems, a good starting point is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, a voluntary framework developed by NIST under a U.S. executive order for critical infrastructure operators. It is organized into five functions (Identify, Protect, Detect, Respond and Recover), each broken down into categories and subcategories; the exact counts vary by version of the framework. The Center for Internet Security's (CIS) Critical Security Controls, which grew out of the SANS Institute's Top 20 Critical Security Controls, provide a simpler, prioritized checklist of 20 controls, each with its own sub-controls, developed by industry experts from around the world.
Priming Your Security Immune System
With these frameworks, experts have done the hard work of deciding what is a good set of security controls to deploy in the majority of environments. It’s up to you to determine what has already been deployed, what is appropriate for your environment and how the transformation will take place.
Assessing the Gaps
Both NIST and CIS publish their frameworks as spreadsheets, which let you perform a quick gap analysis of your existing controls. Since there may be multiple IT environments, assess each one individually to determine how security is implemented and how mature the controls are in terms of technology, process and people.
Once you understand the current environment, define the target controls environment. The controls you select will depend on the context of the current environment, your business direction and your appetite for risk. This does not mean you need all the controls, but you do need to be comfortable that the company has controls in place that are appropriate to its risk level, and that you could defend that choice in the event of a major breach.
A Road Map of Initiatives
Change will not happen overnight, so it's important to develop a road map with a mix of quick wins and long-term initiatives to deliver sustained change. Each initiative should deliver value in steps to keep all stakeholders engaged in their investment. Balance the initiatives across security controls that protect against, detect and respond to threats. When you think about your immune system, ensure there is an effective analytics and orchestration capability that can grow with your organization and adapt to emerging cybersecurity threats.
Organizations often have multiple tools that do the same job, or deployments that were never completed. Rationalizing the tools or completing the deployment can make a huge difference and represents a quick win. In my experience, I have used a systems management infrastructure to collect data for a security process in a matter of months, avoiding the cost and time of deploying a new tool that would have taken years to complete.
Deploy a Service, Not a Product
Any security road map needs to deploy a service, not a product, so be sure to include transformation initiatives for processes and organization. How do you verify that a control is actually in place, and who is going to respond to an incident at 3 a.m.? Make sure you get the most out of your investment by establishing a minimum effective service before moving on to the next set of technologies.
Adapting to a Volatile Landscape
Transformation will take months or even years, depending on the investment required and the state of the environment. By the time you have completed one project, the threats and business priorities may have changed, so build a program that has regular checkpoints to potentially reset your investment.
The speed of implementation will also depend on the value of the data being processed and the urgency of protecting that data from loss of confidentiality, integrity or availability. There is no one-size-fits-all solution: legal and regulatory frameworks may set a minimum baseline of controls that requires rapid transformation just to meet industry standards. That's why you need a security immune system that can keep your network secure in real time and respond to shifts in the threat landscape.