Basics for soaring above security challenges

Getting the basic “must-haves” right will not only enable you to handle today’s issues, you’ll establish an approach you can build upon to soar above a future of challenges.

[Image: a swift in flight. Photo: Stefan Berndtsson (CC BY 2.0)]

Cybersecurity isn’t easy. Those tasked with leading this space are required to be technical enough to challenge highly-technical engineers, while possessing the business savvy to present complex topics in everyday terms to the board of directors. They are presented with limitless investment options with limited investment budgets, and yet, are asked to optimally minimize risk.

It’s no wonder the average Chief Information Security Officer (CISO) only lasts 17 months.

When meeting a newly-minted CISO, I am often asked, “where should we invest?” As a younger consultant, I was often quick to pitch the necessity for a program strategy engagement where we would carefully analyze and decompose every detail of their information security program and investments.

Over the years, even in the face of rapidly changing threats, I have found that the answer to this question remains the same: a program strategy engagement is still a critical first step, regardless of an organization’s current cybersecurity maturity. Unless an information security program is in the upper echelon of those in the Fortune 100, I suggest more investment in the following areas.

Enhanced visibility

You cannot mitigate risks that you cannot see. The most advanced information security programs I have seen focus on visibility first, often with a dedicated operations leader. This includes the deployment of diverse sensors for log consolidation, anomalous activity monitoring and packet capture throughout the environment to include servers and networking infrastructure.  

As part of an enhanced visibility strategy, strengthen your internal security monitoring team. While it is increasingly difficult to attract and retain in-house security expertise, larger organizations benefit from having dedicated resources on staff. After all, they’ll have daily working knowledge of the enterprise and organizational complexities a third-party will never have.

Make no mistake, an outside party can help support and improve your tactical ability to address sophisticated attack scenarios that often necessitate decisive action to prevent lateral movement or data exfiltration. That said, a tight feedback loop to control implementation following inevitable incidents is an absolute must.

Improved identity and access management

Virtually every breach I have encountered included some abuse, manipulation or deception of identity and access management controls. Whether the attacker stole credentials through social engineering or escalated privileges using a popular rootkit, the lack of strong identity and access management controls was often identified during the incident postmortem as a critical failure.

Basic anomaly detection around credential use and the deployment of multi-factor technologies provide tremendous risk reduction for fairly minimal cost. More complex capabilities, such as adaptive multi-factor controls that change authentication requirements based on different risk scenarios, should be on every organization’s security roadmap.

At a minimum, focus on privileged access management. If you can’t protect everyday user credentials, start with the critical users within the environment. This includes corporate executives (and their support staff with privileged access), information technology administrators and key employees with access to “crown jewel” data.
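To make the "basic anomaly detection around credential use" concrete, and to show how the "start with the critical users" advice changes the handling of a finding, here is an added example (not from the article): a small Python detector run over a constructed authentication log. The log format, the account names, the thresholds and the privileged-account list are all assumptions chosen for the illustration; the three rules (a burst of failures followed by a success, one account succeeding from many source addresses in a short window, and a privileged account logging in off-hours) are the kind of low-cost checks the paragraph has in mind.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data).
# Format assumed for the example: ISO timestamp, user, source IP, result.
SAMPLE_LOG = """\
2024-03-04T08:55:12 user=alice src=10.1.4.20 result=success
2024-03-04T09:01:03 user=alice src=10.1.4.20 result=success
2024-03-04T09:02:17 user=bob src=10.1.7.9 result=fail
2024-03-04T09:02:19 user=bob src=10.1.7.9 result=fail
2024-03-04T09:02:21 user=bob src=10.1.7.9 result=fail
2024-03-04T09:02:23 user=bob src=10.1.7.9 result=fail
2024-03-04T09:02:25 user=bob src=10.1.7.9 result=fail
2024-03-04T09:02:40 user=bob src=10.1.7.9 result=success
2024-03-04T09:10:00 user=svc-backup src=10.2.0.5 result=success
2024-03-04T09:11:00 user=svc-backup src=10.2.0.6 result=success
2024-03-04T09:12:00 user=svc-backup src=10.2.0.7 result=success
2024-03-04T09:13:00 user=svc-backup src=10.2.0.8 result=success
2024-03-04T23:40:00 user=domadmin src=10.1.9.3 result=success
"""

# Hypothetical list of "critical users": admins and service accounts with crown-jewel access.
PRIVILEGED = {"domadmin", "svc-backup"}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse_events(text):
    """Parse the constructed log format into dicts with a datetime timestamp, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the whole run
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    events.sort(key=lambda e: e["ts"])
    return events


def failures_before_success(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a success preceded by >= threshold failures for the same account within the window."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            recent_fails = [f for f in evs[:i] if f["result"] == "fail" and e["ts"] - f["ts"] <= window]
            if len(recent_fails) >= threshold:
                findings.append((user, "failures_before_success", len(recent_fails)))
    return findings


def source_fanout(events, max_sources=3, window=timedelta(minutes=10)):
    """Flag an account that succeeds from more than max_sources distinct IPs within the window."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            srcs = {f["src"] for f in evs[: i + 1] if e["ts"] - f["ts"] <= window}
            if len(srcs) > max_sources:
                findings.append((user, "source_fanout", len(srcs)))
                break  # one finding per account is enough for an analyst queue
    return findings


def privileged_off_hours(events, privileged, start_hour=7, end_hour=19):
    """Flag successful logons by privileged accounts outside an assumed business-hours baseline."""
    findings = []
    for e in events:
        if e["user"] in privileged and e["result"] == "success":
            if not (start_hour <= e["ts"].hour < end_hour):
                findings.append((e["user"], "privileged_off_hours", e["ts"].hour))
    return findings


def detect(text, privileged=PRIVILEGED):
    """Run all rules and escalate anything touching a privileged account to 'high'."""
    events = parse_events(text)
    findings = failures_before_success(events) + source_fanout(events) + privileged_off_hours(events, privileged)
    return [(u, rule, value, "high" if u in privileged else "medium") for u, rule, value in findings]


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The thresholds are deliberately simple; in practice they come from a baseline of the organization's own logon patterns, and the privileged list comes from the privileged access management inventory rather than a hard-coded set.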

World-class fundamentals

Be world-class in your fundamentals. Stop investing in cool projects until you get the basics right. This includes asset management, configuration and patch management, network segmentation, disaster recovery, as well as business continuity. A poor foundation undercuts overall security posture and makes more sophisticated cybersecurity initiatives and tools less effective.

Your fundamentals strategy should rely on two key tenets:

  • Repeatability through automation
  • Rigorous control validation

With the focus on fundamentals, commensurate emphasis should be placed on validating that hygiene. Avoid manual testing; instead, use automation whenever possible. Control validation automation, including the places where it comes up short or fails, should be part of every security incident remediation. From this, you’ll be able to build and realize an approach that will not only deliver greater security, it will do so in the most cost-effective way possible.
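As an added illustration of "repeatability through automation" and "rigorous control validation" (example code, not the article's), the following Python script validates a constructed asset inventory against a handful of hygiene rules drawn from the fundamentals list above: every asset has an owner, an endpoint agent is present, patch age is within a limit, and crown-jewel systems sit in the restricted network segment. The inventory records, the field names, the 30-day limit and the "as of" date are all assumptions for the example; a real run would pull the same fields from the CMDB and scheduling would make it repeatable.

```python
from datetime import date

# Constructed asset inventory (not real data); the fields mirror what a CMDB export would carry.
ASSETS = [
    {"host": "web-01", "owner": "app-team", "edr": True, "last_patched": "2024-02-20", "zone": "dmz", "tier": "standard"},
    {"host": "db-01", "owner": "dba-team", "edr": True, "last_patched": "2024-01-05", "zone": "restricted", "tier": "crown-jewel"},
    {"host": "jump-02", "owner": None, "edr": False, "last_patched": "2024-02-28", "zone": "corp", "tier": "crown-jewel"},
]

AS_OF = date(2024, 3, 4)      # assumed evaluation date for the example
MAX_PATCH_AGE_DAYS = 30       # assumed patch SLA


def patch_age_days(asset, as_of=AS_OF):
    """Days since the asset's recorded last patch date."""
    return (as_of - date.fromisoformat(asset["last_patched"])).days


def check_asset(asset, as_of=AS_OF):
    """Return the list of control failures for one asset; an empty list means it passes."""
    failures = []
    if not asset.get("owner"):
        failures.append("no_owner")                      # asset management
    if not asset.get("edr"):
        failures.append("no_edr_agent")                  # visibility / configuration management
    age = patch_age_days(asset, as_of)
    if age > MAX_PATCH_AGE_DAYS:
        failures.append(f"patch_age_{age}d")             # patch management
    if asset["tier"] == "crown-jewel" and asset["zone"] != "restricted":
        failures.append("crown_jewel_outside_restricted_zone")  # network segmentation
    return failures


def validate(assets, as_of=AS_OF):
    """Map each failing host to its failures; hosts that pass every rule are omitted."""
    report = {}
    for asset in assets:
        failures = check_asset(asset, as_of)
        if failures:
            report[asset["host"]] = failures
    return report


def pass_rate(assets, as_of=AS_OF):
    """Fraction of assets with no control failures, useful as a trend metric over repeated runs."""
    if not assets:
        return 1.0
    failing = len(validate(assets, as_of))
    return (len(assets) - failing) / len(assets)


if __name__ == "__main__":
    for host, failures in validate(ASSETS).items():
        print(host, failures)
    print(f"pass rate: {pass_rate(ASSETS):.0%}")
```

Adding a rule to this script after an incident (for example, a check for the specific misconfiguration that let the incident progress) is what "control validation automation should be part of every security incident remediation" looks like in practice: the next scheduled run re-checks it without anyone having to remember to test by hand.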

Soaring above the challenges

Without question, every information security program is different and investment decisions require careful analysis. That said, I have found these three areas, visibility, identity and fundamentals, to be universal. Going from good to great in these disciplines will reduce risk and enable investment in more sophisticated mitigation approaches.

Yes, CISOs and the companies they represent face great security concerns today, but take heart, the sky is not falling. Getting the basic “must-haves” right will not only enable you to handle today’s issues, you’ll establish an approach you can build upon to soar above a future of challenges.
