There has been a lot of talk about the importance of building a holistic security immune system. That is, an intelligent, integrated way to protect a network using information from many different sources, all of which is ingested by powerful analytics tools to help correlate, prioritize and act on security incidents.

When I put together security transformation programs, I always think of how the team can deliver short-term value with quick wins while also developing strategic, long-term change. To deliver an effective transformation, it is critical to communicate key controls at the board level.

From the top-down, it is important to establish strong information security policies and best practices. Standards such as ISO 27001 and the Information Security Forum’s Standard of Good Practice for Information Security provide an excellent basis for a comprehensive set of controls to protect an organization. However, they take some time to define, agree upon and deploy.

Rapid Change Through Frameworks

Most organizations need to do something rapidly to deliver more effective security. For smaller organizations, the cost of comprehensive frameworks is prohibitive. These companies need to take action now.

To understand what security building blocks are needed for hosting systems, a good starting point is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, with 22 categories and 93 subcategories developed for the U.S. government. The Center for Internet Security’s (CIS) Critical Security Controls framework, which was developed from the SANS Institute’s Top 20 Critical Security Controls, provides a simple checklist, made up of 20 categories with 161 subcategories, developed by industry experts from around the world.

Priming Your Security Immune System

With these frameworks, experts have done the hard work of deciding what is a good set of security controls to deploy in the majority of environments. It’s up to you to determine what has already been deployed, what is appropriate for your environment and how the transformation will take place.

Download the security immune system brochure

Assessing the Gaps

Both NIST and CIS provide their frameworks in spreadsheets that enable you to perform quick gap analyses of your existing controls. Since there may be multiple IT environments, it’s important to assess each one individually to determine how security is implemented and the maturity of the controls in terms of technology, process and people.

Target Environment

Once you understand the current environment, define the target controls environment. The controls you select will depend on the context of the current environment, your business direction and your appetite for risk. It does not mean you need all the controls, but you need to be comfortable that the company has level-appropriate controls in place in the event of a major breach.

A Road Map of Initiatives

Change will not happen overnight, so it’s important to develop a road map with a mix of quick wins and long-term initiatives to deliver sustained change. Each initiative should deliver value in steps to keep all stakeholders engaged in their investment. Balance the initiatives with security controls to protect, detect and respond to threats. When you think about your immune system, ensure there will be an effective analytics and orchestration capabilities that can grow with your organization and adapt to emerging cybersecurity threats.

Quick Wins

Organizations often have multiple tools that do the same job, and have a deployment that is incomplete. Rationalizing or completing the deployment can make a huge difference and represent a quick win. In my experience, I have used a systems management infrastructure to collect data for a security process in a matter of months to avoid the cost and time of deploying a new tool that would have taken years to complete.

Deploy a Service, Not a Product

Any security road map needs to deploy a service, not a product, so be sure to include transformation initiatives for processes and organization. How do you ensure that security is in place or determine who is going to respond to an incident at 3 a.m.? Make sure you get the most of your investment by establishing a minimum effective service before moving onto the next set of technologies.

Adapting to a Volatile Landscape

Transformation will take months or even years, depending on the investment required and the state of the environment. By the time you have completed one project, the threats and business priorities may have changed, so build a program that has regular checkpoints to potentially reset your investment.

The speed of implementation will also depend on the value of the data being processed and the urgency to protect the data from loss of confidentiality, integrity or availability. There is no one-size-fits-all solution, since legal and regulatory frameworks may set a minimum baseline of controls that require rapid transformation meet industry standards. That’s why you need a security immune system that can keep your network secure in real time and respond to shifts in the threat landscape.

Download the security immune system brochure

More from Risk Management

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

How I got started: Ransomware negotiator

4 min read - Specialized roles in cybersecurity are proliferating, which isn’t surprising given the evolving threat landscape and the devastating impact of ransomware on many businesses.Among these roles, ransomware negotiators are becoming more and more crucial. These negotiators operate on the front lines of cyber defense, engaging directly with cyber criminals to mitigate the impact of ransomware attacks on organizations.Ransomware negotiators possess a unique blend of technical expertise, psychological insight and negotiation skills that allow them to navigate the high-stakes environment of ransomware…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today