4 steps to creating a winning cybersecurity strategy in 2018

For mid-sized organizations and enterprises looking to focus on cybersecurity in 2018, here is a proven playbook to help create a winning strategy.


Most organizations are rapidly gearing up to contain and manage cybersecurity threats. The question is how and where to begin.

In many ways the US Federal Government went through this same difficult phase in 2015 after the OPM data breach, and there are worthwhile lessons to be learned. One key element of the Federal response was to put cybersecurity at the forefront of each agency head's responsibilities, with clear assignment of accountability. The second was to fund and invest in upgrading the cybersecurity posture.

These upgrades included concerted programs such as the 30-day Cybersecurity Sprint and the Continuous Diagnostics and Mitigation (CDM) program, among others. The four steps below distill that experience into a playbook for mid-sized organizations and enterprises setting their cybersecurity priorities for 2018.

1. Welcome the CISO to the C-suite!

It is said that cybersecurity vulnerabilities do not start in IT systems but originate in executive leadership's attitudes and priorities. Cybersecurity and compliance are serious business issues and, given the stakes, it is critical to have a Chief Information Security Officer (CISO). The CISO must be empowered with adequate authority, funding and a clear mission: keeping systems and data safe proactively.

New regulations such as GDPR, and the standards that contracts increasingly require, such as NIST SP 800-171, demand specialized knowledge and deep technical expertise. A subject matter expert with experience in security, privacy and compliance issues is a critical part of the C-suite. Executive education courses like the CISO Certificate at the Heinz School of Executive Education at Carnegie Mellon recognize the need for a holistic program that helps CISOs become effective digital leaders.

“In our CISO executive education program, we have been working with students on changing the narrative associated with cyber security from a pure technical/process focus to business justification and risk assessment. As the attack surface becomes larger due to increasing level of digitization, propensity to collect and store data and sophistication of different types of exploits, the role of security becomes increasingly strategic,” said Ari Lightman, Director, CISO Certificate Program, Carnegie Mellon University.

The CISO is not overhead: their presence instills confidence in customers and delivers a positive ROI by accelerating buyers' security due diligence and so helping close deals. “We have successfully closed contracts with large Fortune 1000 customers due to our strong cybersecurity posture and investments that has become a competitive advantage for us,” said Dan Allison, the Chief Technology Officer (CTO) at Indiggo, a leadership and executive performance management SaaS platform hosted on AWS. Dan's organization has invested in an independent cybersecurity operations and management capability to satisfy its customers' due diligence process.

2. Select and align with a cybersecurity and compliance standard 

Many organizations struggle with where to begin and focus their cybersecurity efforts. How does one go about establishing the right policies, procedures and workflows to drive a strong cybersecurity posture?

Luckily there are many standards and frameworks, such as the HIPAA Security Rule, ISO 27001 and the NIST Cybersecurity Framework, that incorporate years of learning and let organizations adopt well-defined best practices rather than inventing their own. One that stands out is NIST Special Publication 800-53, “Security and Privacy Controls for Information Systems and Organizations.”

US Government agencies have used it for many years under the Federal Information Security Management Act (FISMA). The 800-53 controls are specific and mature, and recent revisions cover emerging topics such as cloud computing and digital privacy. NIST SP 800-171 derives a smaller set of requirements from 800-53 for protecting Controlled Unclassified Information (CUI) in nonfederal systems; it is mandated for defense contractors through DFARS and applies to other nonfederal organizations, such as universities, that handle federal CUI. Selecting and implementing a mature, well-known standard helps contain business risk; it also reduces the learning curve and leverages proven practice without the need to reinvent the wheel.

3. Maximize cybersecurity ROI by using a threat model for effective response and mitigation  

Most cybersecurity and compliance standards, such as NIST SP 800-53, HIPAA and GDPR, define a comprehensive set of requirements (in 800-53's case, families of controls) that must be implemented.

However, it is important to tailor the security architecture and the cybersecurity risk management process to the specific threats and vulnerabilities the organization faces, rather than treating the control catalog as a checklist. While there are many threat frameworks, an interesting and prescriptive one has been published by the Office of the Director of National Intelligence (ODNI). The ODNI Cyber Threat Framework (CTF) was developed by the US Government to enable consistent categorization and characterization of cyber threat events and to identify trends or changes in the activities of cyber adversaries.

The National Security Agency (NSA) published a technical extension of the CTF, the NSA/CSS Technical Cyber Threat Framework (NTCTF), which adds specific, actionable adversary activities that can be used to build a robust custom threat model. The CTF model provides 21 discrete areas that organizations need to consider and tailor to their environment to reach a common understanding of cybersecurity risk. The latest version of the NIST Cybersecurity Framework (v1.1, April 2018) expanded its risk management guidance, and threat modeling of this kind is what feeds the Framework's risk assessment activities (identifying and documenting internal and external threats) rather than being a separate exercise.

4. Go beyond logging, monitoring and alerting and focus on proactive threat hunting

The security and compliance functions must adopt modern techniques to cope with the data deluge and avoid being overwhelmed by the sheer volume of alerts. The passive approach of logging, monitoring and alerting, where analysts wait for a rule to fire, is being replaced by a proactive one in which they form hypotheses about adversary behavior and search the data for evidence of it. Security operations, automation, analytics and incident response as an integrated platform is the way to go.
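
What a hunt looks like in practice, as an added example that is not part of the original article or any vendor's product: instead of waiting for a per-account lockout alert, the analyst asks "is any single source failing against many different accounts, and did it then get in?" The script below answers that question over a handful of constructed sshd log lines (invented data in documentation IP ranges; the hostnames, accounts and thresholds are assumptions for the example).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (not real data). 203.0.113.7 tries five accounts in
# twelve seconds and then logs in as "dave"; 198.51.100.20 is a user mistyping a
# password once. A cron line is included to show non-auth lines being ignored.
SAMPLE_LOG = """\
Mar  3 09:14:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  3 09:14:03 bastion sshd[2203]: Failed password for alice from 203.0.113.7 port 51020 ssh2
Mar  3 09:14:06 bastion sshd[2205]: Failed password for bob from 203.0.113.7 port 51031 ssh2
Mar  3 09:14:08 bastion sshd[2207]: Failed password for carol from 203.0.113.7 port 51044 ssh2
Mar  3 09:14:11 bastion sshd[2209]: Failed password for dave from 203.0.113.7 port 51052 ssh2
Mar  3 09:14:15 bastion sshd[2211]: Accepted password for dave from 203.0.113.7 port 51060 ssh2
Mar  3 09:20:44 bastion sshd[2290]: Failed password for alice from 198.51.100.20 port 40011 ssh2
Mar  3 09:20:50 bastion sshd[2292]: Accepted password for alice from 198.51.100.20 port 40012 ssh2
Mar  3 09:21:02 bastion CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_sshd_log(text):
    """Extract (time, result, user, source_ip) from sshd auth lines; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine for ordering and time deltas within a single day of logs.
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return sorted(events)


def hunt_password_spray(events, min_accounts=4, window=timedelta(minutes=5)):
    """Flag source IPs that fail against at least min_accounts distinct users inside
    one time window, and report any account that IP later authenticated as."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        failures = [(t, u) for t, r, u, _ in evs if r == "Failed"]
        # widest set of distinct accounts failed within any single window
        sprayed = set()
        for i, (start, _) in enumerate(failures):
            users = {u for t, u in failures[i:] if t - start <= window}
            if len(users) > len(sprayed):
                sprayed = users
        if len(sprayed) < min_accounts:
            continue
        first_fail = failures[0][0]
        accepted = sorted({u for t, r, u, _ in evs if r == "Accepted" and t > first_fail})
        findings.append({
            "source_ip": ip,
            "distinct_failed_accounts": len(sprayed),
            "accounts": sorted(sprayed),
            "accepted_after_spray": accepted,
        })
    return findings


if __name__ == "__main__":
    for finding in hunt_password_spray(parse_sshd_log(SAMPLE_LOG)):
        print(finding)
```

The single mistyped password from 198.51.100.20 never appears in the output, which is the point: a per-account failure threshold would either miss the spray (each account fails only once) or drown the analyst in noise, while pivoting on the source and asking a behavioral question surfaces the one session worth investigating.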

Start researching and incorporating SOAPA and SOAR solutions into the portfolio and go beyond the traditional SIEM and logging/monitoring/alerting paradigm. SOAPA stands for Security Operations and Analytics Platform Architecture, a term coined by ESG analyst Jon Oltsik; Gartner's related term SOAR stands for Security Orchestration, Automation and Response. Given the sheer amount of data being generated and the accelerated release cycles of code, security and compliance artifacts have to be generated automatically and triaged with analytics so that analysts spend their time on the findings that matter.

Analysts then review these artifacts and findings to deliver a proactive security posture that goes beyond log analysis, monitoring and alerting. Security must also be automated and integrated into the core development process rather than bolted on in a way that slows production. SecDevOps incorporates security best practices into the continuous integration/continuous deployment (CI/CD) pipeline.

These discrete activities include static application security testing (SAST) with open source or commercial tools such as Yasca or Checkmarx; dynamic application security testing (DAST) and binary analysis with solutions such as Veracode; vulnerability scanning with Nessus or similar, complemented by periodic penetration testing; and advanced techniques such as fuzzing to detect non-obvious security defects. Each should produce machine-readable results so the pipeline can fail a build automatically on findings above an agreed severity rather than relying on someone reading a report.
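
The glue that turns a scanner into a pipeline gate, as an added example written for this article rather than taken from any of the tools named above: a small script that reads a SARIF 2.1.0 results file (the interchange format many SAST tools can emit), blocks the build on findings at or above a severity threshold, surfaces lower ones as warnings, and keeps an explicit, reviewed list of accepted-risk suppressions. The SARIF document, tool name, rule ids, file paths and scores below are constructed for the example; the thresholds and the level-to-score fallback are assumptions, not part of the SARIF standard.

```python
import json
import sys

# Constructed SARIF 2.1.0 document standing in for a SAST tool's export; the tool
# name, rule ids, paths and scores are invented for the example, not real output.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "sql-injection", "properties": {"security-severity": "9.0"}},
            {"id": "weak-hash-md5", "properties": {"security-severity": "5.5"}},
            {"id": "debug-logging", "properties": {"security-severity": "2.0"}},
        ]}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "user input concatenated into SQL"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash-md5", "level": "warning",
             "message": {"text": "MD5 used for password digest"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"},
                                                 "region": {"startLine": 17}}}]},
            {"ruleId": "weak-hash-md5", "level": "warning",
             "message": {"text": "MD5 used for file checksum"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "legacy/report.py"},
                                                 "region": {"startLine": 88}}}]},
            {"ruleId": "debug-logging", "level": "note",
             "message": {"text": "debug logging left enabled"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/main.py"},
                                                 "region": {"startLine": 5}}}]},
        ],
    }],
}

# Accepted-risk baseline: (rule id, file) -> justification. Only reviewed entries
# belong here; everything else is judged purely on severity.
SUPPRESSIONS = {
    ("weak-hash-md5", "legacy/report.py"): "MD5 is a non-security checksum here; tracked for removal",
}

# Assumed fallback when a rule carries no 'security-severity' property.
LEVEL_FALLBACK = {"error": 8.0, "warning": 5.0, "note": 2.0}


def _severity(rules, result):
    """SARIF 'security-severity' (a 0-10, CVSS-like score) when the rule has one,
    otherwise a coarse score derived from the SARIF level."""
    props = rules.get(result.get("ruleId"), {}).get("properties", {})
    if "security-severity" in props:
        return float(props["security-severity"])
    return LEVEL_FALLBACK.get(result.get("level", "warning"), 5.0)


def _location(result):
    """First physical location of a result as (path, line); tolerant of missing fields."""
    try:
        loc = result["locations"][0]["physicalLocation"]
        return loc["artifactLocation"]["uri"], loc.get("region", {}).get("startLine")
    except (KeyError, IndexError):
        return "<unknown>", None


def evaluate_sarif(sarif, block_at=7.0, warn_at=4.0, suppressions=None):
    """Gate decision: blocking findings fail the build, warnings are surfaced, and
    suppressed entries are listed so the accepted-risk baseline stays visible."""
    suppressions = suppressions or {}
    verdict = {"passed": True, "blocking": [], "warnings": [], "suppressed": []}
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            path, line = _location(res)
            entry = {"rule": res.get("ruleId"), "path": path, "line": line,
                     "severity": _severity(rules, res)}
            if (entry["rule"], path) in suppressions:
                entry["reason"] = suppressions[(entry["rule"], path)]
                verdict["suppressed"].append(entry)
            elif entry["severity"] >= block_at:
                verdict["blocking"].append(entry)
            elif entry["severity"] >= warn_at:
                verdict["warnings"].append(entry)
    verdict["passed"] = not verdict["blocking"]
    return verdict


def main(path=None):
    """Exit non-zero when the gate fails, which is what makes the CI job fail."""
    if path:
        with open(path) as fh:
            sarif = json.load(fh)
    else:
        sarif = SAMPLE_SARIF
    verdict = evaluate_sarif(sarif, suppressions=SUPPRESSIONS)
    for kind in ("blocking", "warnings", "suppressed"):
        for e in verdict[kind]:
            print(f"{kind:10} {e['severity']:4.1f} {e['rule']} {e['path']}:{e['line']}")
    return 0 if verdict["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run as `python gate.py results.sarif` from the pipeline step after the scanner. Two design points carry over to any tool: suppressions are keyed to a rule and a file, never to a whole rule, so accepting MD5 as a checksum in one legacy module does not silently accept it as a password hash elsewhere; and suppressed findings are still printed on every run, so the baseline is reviewed rather than forgotten.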

Emerging security operations, automation, compliance and response solutions such as stackArmor ThreatAlert perform dynamic scans covering the entire stack, including user access, application, data, Docker containers, operating system and the AWS cloud. They also generate the compliance reports required by HIPAA, FedRAMP, GDPR and NIST security standards and support proactive incident response to protect the confidentiality, integrity and availability of digital assets.

This article is published as part of the IDG Contributor Network.