Building, maintaining, or transforming a cybersecurity program is hard work, and every one of these situations needs to begin with a plan: one that addresses the strengths, weaknesses, opportunities, and threats of the current program and that becomes the roadmap guiding you toward a successful cybersecurity program.
To help you begin, here are the elements of a cybersecurity program that, in my experience, are essential to long-term, measurable success.
2 Essential Elements of an Effective Cybersecurity Program
1: Annual Standards-Based Assessments
Of the many challenges security professionals face, the ability to explain what they do and how well they do it is one of the most persistent. It need not be this way. There are several notable standards and frameworks (e.g., NIST, the SANS 20 Critical Security Controls) readily available for you to baseline your security program, explain your success, and create a vehicle for communicating strategically with the executives in your organization. Before you even select a standard, it is important to understand and believe in the need to conduct an assessment on an annual basis.
Think about the departments (e.g., Finance, Business Development) within your business: do they have an annual plan with objectives that are tracked and updated throughout the year? Of course they do; otherwise, they would be mired in day-to-day tactical issues – a Groundhog Day scenario – that never affords the opportunity to grow and mature. The departments at your company have a business plan with pipeline, revenue, profitability, and other targets established early in the year and tracked throughout.
The functions supporting those departments have their own specific plans to help the business achieve corporate objectives, and they measure progress using frameworks and principles that are specific to their function. Take finance, for example. Finance typically owns the responsibility to forecast effectively and to achieve compliance with regulatory requirements like Sarbanes-Oxley, and therefore must plan accordingly. Those plans are grounded in principles and standards, such as Generally Accepted Accounting Principles (GAAP), so that non-finance observers and analysts have a minimum level of consistency and confidence that finance is operating within the guidelines of widely accepted standards. Security should be doing the same.
If you want a comprehensive standard that maps to International Organization for Standardization (ISO) standards and most federal regulatory requirements, adopt NIST Special Publication 800-53. Don’t be misled by its title, “Security and Privacy Controls for Federal Information Systems and Organizations,” into thinking it doesn’t apply to commercial infrastructure. The NIST controls are customizable, are meant to be implemented as part of an organization-wide information security program, and are as relevant to commercial infrastructure as they are to federal entities.
If you are a federal contractor, you should use the government-required framework, NIST Special Publication 800-171, as your standard to measure your compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. Details on that mandate and the December 2017 deadline for compliance are here.
Is NIST too overwhelming, or does it not seem to be the right fit for your organization? Use the CIS Controls for Effective Cyber Defense, published by the Center for Internet Security (CIS), as the standard to measure yourself against. It is an excellent set of specific and actionable controls that gives you a way to explain, continuously measure, and improve your security program.
Now that you have selected a standard and either conducted a self-assessment or selected a third party to lead the effort, it is time to create a roadmap that articulates the cost, schedule, and performance of the proposed improvements.
2: Roadmap Your Journey
Once your security program has been assessed against an accepted standard, you will need a vehicle for telling your story to the executives who fund improvements to the program and are interested in the performance of their investment. That vehicle is your cybersecurity roadmap, and it will serve many purposes.
In this case, a roadmap is a governing document that articulates at what point previously approved cybersecurity people, processes, and technologies will become operational. The roadmap becomes an actionable timeline. There is no magic timeline; yours could be 12 months, 18 months, or up to 3 years – though anything past 3 years tends to be more aspirational than practical. If you have a looming companywide compliance mandate like the previously mentioned DFARS clause, your roadmap should include all of the milestones that lead up to the compliance deadline.
After you complete your assessment, it is likely that you will have more work than resources, and choosing what to do first can be difficult. Don’t fall into the trap of doing a little bit of everything, or you will likely end the year disappointed with little to nothing accomplished. To avoid that scenario, prioritize your projects by level of importance.
A helpful hint when ranking the importance of your projects:
First Priority: Projects that enable regulatory compliance – The business is mandated to achieve compliance with these regulations by a specific date and to a defined degree of precision. These things have to be done for the business to function legally and without friction, so these projects come first.
Second Priority: Projects that enable operational security – These projects are often an endless wishlist that never makes it off the whiteboard after a brainstorming session. To prevent this, prioritize operational improvements against a recommended set of actions like the CIS Controls for Effective Cyber Defense. View every operational improvement effort through the filter of the controls that are most likely to effectively defend your business. If there are controls that enable both operational security and compliance in parallel, push those projects to the top of your list.
Your roadmap should include specific milestones and timetables for the implementation of controls and the completion of projects. Ideally, you will be able to capture everything on a single chart so that you have a visual reference to insert into every relevant PowerPoint slide deck to drive home your priorities.
The visual roadmap representation will serve two purposes:
First: The visual roadmap provides you a way to explain the value your team is delivering for the company.
Second: The visual roadmap provides you a way to push back against competing initiatives or priorities. It is a way to say, “Here is how our resources are committed for the next 12 months. In order to add your requirement or project to the roadmap, I need to cancel a planned project or add resources.” The answer might be “figure it out,” but at least you have a tool to facilitate a fact-based conversation on what is and is not possible given current plans and resource allocation.
Creating, maturing, and maintaining a cybersecurity program is hard work under even the most forgiving circumstances. My experience has been that a standards-based assessment, coupled with a roadmap to plan and prioritize projects centered on resource availability, greatly increases your chances for success.
How Can CyberSheath Help Your Organization?
CyberSheath recommends beginning with an assessment to measure your maturity against a standard cybersecurity framework. An assessment will identify your organization’s strengths and weaknesses, as well as the opportunities and threats within your current program. The assessment results will provide the information you need to build your roadmap to a compliant and secure environment.