


Best practices for an effective cybersecurity strategy

BrandPost By Rob Fannon - Global Vice President: Cyber Defense and Security Operations at NTT
Jul 12, 2023 | 7 mins

Cyber threats are increasing all the time, but having an intelligent security strategy in place and working with an expert partner can keep your organization safe.


Few organizations would describe cybersecurity as unimportant, yet their cybersecurity strategy often remains overlooked because it needs time and attention to design and implement.

Maintaining cybersecurity involves the ongoing evolution of many complex processes. If your organization lacks a solid strategy, this complexity can quickly escalate out of control.

A strategy that strikes the perfect balance between minimizing complexity and maximizing simplicity will lead to optimal security.

At NTT, we ask prospective clients about their overall strategy and maturity, and what they are looking to accomplish. Our security services have to integrate with what already exists in their environments, with a clear understanding of our duties as a managed service provider (MSP) and the responsibilities of their in-house security team.

A cybersecurity strategy should be integrated across all parts of an organization. It is not an obstacle to overcome: it puts extra steps in place for certain actions, but all leaders and employees must understand that this serves to enable and protect the business. It does not prevent the business from accelerating, but rather it allows the business to accelerate safely.

An education-based approach says to employees: "We're not telling you what you can’t do here. We're going to tell you what you can do, how you can do it safely, why it will help you and what the outcome is of having specific security goals and controls in place that align to your business strategy."

MSPs and in-house teams have to partner with clients to paint these controls in a positive light to make security part of the solution, not a roadblock. 

How to put a security strategy together

A cybersecurity strategy should be centered on the NIST Cybersecurity Framework, compiled by the National Institute of Standards and Technology. The framework sets out the need to identify what you’re protecting, followed by steps to protect, detect, respond and recover.

So, if you're concerned that your organization has fallen behind with cybersecurity, take a step back and look at the NIST framework first. Identify your critical assets, then decide how to protect those assets, and how to respond to and recover from attacks.

Don't neglect response planning! If you're already in a weakened security state, it's more likely that you will have a realized risk event and be required to implement a response quickly.  Speed is critical!

Think about ransomware attacks, which can unfold in less than 30 minutes. If you're unable to respond equally fast, you need to position yourself to recover by quickly containing the activity and having an immutable backup solution in place, with processes to restore your data and systems before significant impact is experienced by the business.

At the highest level, your cybersecurity strategy should address people, processes and technology - in that order:

  • In terms of people, working with an MSP will alleviate some in-house skill shortages, but you need to identify the skillsets your internal teams need, and keep training and developing them too.  Whether in-house or within an MSP, people will be your most expensive assets, but they will also be your most valuable and effective assets. Your strategy must focus on how you will grow, mature, and develop them over time. 
  • Processes refer to the controls you have in place and how your teams manage them and the security events that will take place, including continuous monitoring and identity management. Then there are matters of basic security hygiene, which every organization is responsible for addressing within a control framework like ISO/IEC 27001, the international standard for information security. From your processes you should also derive operational requirements, and those need to be focused on the way you want or should conduct business, not necessarily the way you may do things today.

  • For technology, base your decisions on operational requirements and derive technology requirements from those operational requirements. Always drive your technology purchases through well-validated requirements or you will likely suffer buyer's remorse and have sub-optimal solutions which may introduce as much or more risk than they eliminate. Your strategy should not include vendor-specific solutions but rather identify the types of technology you'll need for the outcomes you want. If you name technology from a specific vendor in your strategy, you might end up confined to that vendor when there could be much better solutions out there.

Measuring your success in cybersecurity

Once you start implementing your strategy, you need to measure your success over time. Metrics should strike a balance between complexity and simplicity; an overzealous approach would involve overdoing security metrics by simply recording everything, which results in too much noise to be useful.  Decide on the story that you need and want to tell, and then work backwards to obtain the data and information needed to be able to tell that story. 

Some metrics are used internally by the security team only. Others are designed specifically for the executive team and relate to broader business outcomes. Then, there are metrics that help MSPs show their clients they are getting good value. All will tell different pieces of the story, with different purposes, to different audiences, but must also paint an overall cohesive and complete picture.

Know your adversary and their intent

Cyber threat intelligence is often used as a buzzword within our industry, but external and internal threat information and targeted metrics must come together to generate cyber threat intelligence that is actionable - which means timely, specific, accurate and relevant. If it’s missing any of those pieces, then it’s not actionable from a strategic, tactical or operational perspective, meaning that it probably can't be effectively used to make decisions committing valuable resources to undertake actions which will impact the organization. NTT curates actionable cyber threat intelligence on an ongoing basis and continually reassesses the threat landscape and how it affects the interests and security posture of our clients.

The MITRE ATT&CK framework, a global knowledge base of adversary tactics, techniques, and procedures, helps us design indicators to determine key assets that may have been compromised, by detecting tell-tale signs of particular cyber threats.  This, together with actionable cyber threat intelligence and threat hunting, allows us to effectively partner with clients to protect their environments and to detect and respond to adversarial activity as it occurs.

These indicators of compromise (IOCs) can become numerous and complex, so at NTT, we have platforms to automate assessment by analyzing the data and generating alerts fast enough to prevent an attack from being completed and limit any loss of data or impact thereof.

Rely on an expert for bespoke security assistance

To proactively identify and mitigate security threats, an experienced MSP will focus on your business needs instead of following a one-size-fits-all security approach.

NTT's Managed Detection & Response (MDR), for example, is a lightweight alternative to a full-scope integrated security solution. It meets our clients' unique objectives and needs while providing a basic but highly effective level of security.

Our clients still need in-house security functions, but MDR is a more cost-effective mode of protection than going it alone. It allows us to partner with our clients in a different capacity from a full-scope security offering but still apply all of our expertise.

Read more about NTT's Managed Cloud Security Services.