09 May Why Cybersecurity Programs Must Begin with an Effective Process
In our experience here at Syncurity, we have identified two pitfalls that prevent organizations from building a strong cybersecurity program. First, the incorrect conclusion that, if they meet compliance standards year after year by “checking every box correctly,” their systems and devices are adequately protected. Second, the allure of a “shiny new thing”: investing in the “latest, greatest” network defense products without assessing in depth whether those products align with their technology and business needs.
In both instances, these pitfalls hurt companies’ efforts because they skip the first, essential step of any cybersecurity program: the development of a comprehensive and cohesive process.
With a process-focused strategy that IT teams can apply to practically all relevant incidents and threat use cases, you establish a consistent foundation of policies and procedures to ensure more unified, immediate and effective responses. Here are four steps that I consider imperative for an effective cybersecurity process:
Identifying and prioritizing assets
You can’t protect your data and informational assets if you don’t know what they are and where they exist within your enterprise. IT must collaborate with the business to locate, inventory and prioritize everything of value within the network, and to determine how critical each asset is. In addition, you should come up with realistic use case scenarios about what adversaries would most want to target, and how they would try to steal it. Without this step, you have no idea what you need to defend, or defend against.
Implementing a decision-making framework
Once you’ve identified the assets most alluring to hackers, you can establish guidelines for incident response decision-making. Your junior analysts, the front line of defense, should have enough autonomy to react nimbly and swiftly to certain attacks. But other threats, such as those requiring the shutdown of an entire network or of a high-ranking executive’s device, call for a two-step procedure in which the junior team flags the situation and a CISO or other senior-level manager approves the appropriate action.
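One way to make such a decision-making framework explicit, as an added example that is not part of the original post or of Syncurity’s products: a small policy evaluator that combines the asset inventory from the first step with the proposed response action and returns whether a junior analyst may act alone or must flag the incident for senior approval. The asset names, criticality scale, scope ranking and thresholds are assumptions constructed for the example; an asset missing from the inventory is deliberately escalated, because without the inventory step you cannot judge the impact of acting on it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int            # 1 (low) .. 5 (crown jewel), assigned in the inventory step
    executive_device: bool = False

@dataclass(frozen=True)
class ProposedAction:
    name: str
    scope: str                  # "host", "segment" or "network"

@dataclass(frozen=True)
class Decision:
    tier: str                   # "analyst" or "senior_approval"
    reasons: tuple              # why escalation was required (empty when analyst may act)

# Constructed inventory with hypothetical asset names; in practice this is the
# output of the "identify and prioritize" step.
INVENTORY = {
    "wkst-0421": Asset("wkst-0421", criticality=2),
    "cfo-laptop": Asset("cfo-laptop", criticality=4, executive_device=True),
    "erp-db-01": Asset("erp-db-01", criticality=5),
}

# Assumed policy thresholds: analysts may act alone on single hosts of
# criticality 3 or below that are not executive devices.
ANALYST_MAX_CRITICALITY = 3
SCOPE_RANK = {"host": 1, "segment": 2, "network": 3}
ANALYST_MAX_SCOPE_RANK = SCOPE_RANK["host"]

def decide(asset_name: str, action: ProposedAction) -> Decision:
    """Return the approval tier for applying `action` to `asset_name`."""
    reasons = []

    asset = INVENTORY.get(asset_name)
    if asset is None:
        # Unknown asset: impact cannot be assessed, so a senior decides.
        reasons.append(f"asset {asset_name!r} is not in the inventory")
    else:
        if asset.criticality > ANALYST_MAX_CRITICALITY:
            reasons.append(f"criticality {asset.criticality} exceeds analyst limit")
        if asset.executive_device:
            reasons.append("asset is a high-ranking executive's device")

    # Unknown scopes rank above everything so they always escalate.
    if SCOPE_RANK.get(action.scope, 99) > ANALYST_MAX_SCOPE_RANK:
        reasons.append(f"action {action.name!r} affects more than a single host")

    tier = "senior_approval" if reasons else "analyst"
    return Decision(tier, tuple(reasons))

if __name__ == "__main__":
    for name, act in [
        ("wkst-0421", ProposedAction("isolate host", "host")),
        ("cfo-laptop", ProposedAction("isolate host", "host")),
        ("wkst-0421", ProposedAction("disconnect network", "network")),
        ("unknown-box", ProposedAction("isolate host", "host")),
    ]:
        d = decide(name, act)
        print(f"{name:12} {act.name:20} -> {d.tier}: {'; '.join(d.reasons) or 'ok'}")
```

The value of writing the rules down this way is that every escalation carries its reasons, so the post mortem step can later check whether the thresholds were too loose or too strict for the incidents actually seen.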
Establishing timelines
You now know what to protect, and how to protect it. Next, you want to get a collective sense among team members of how long each step of the incident detection and response process takes. How much time passes between an incident occurring and its detection? How long does it take to contain it? How long does it take to remediate it? Once you assemble solid timelines, team members can evaluate their efficiency throughout the process and recommend improvements.
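As an added example that is not from the original post, the following computes the three durations asked about above (occurrence to detection, detection to containment, containment to remediation) from a set of incident records, averages them across incidents, and reports which phases exceed a target. The incident records, the target hours and the phase names are constructed for the example; an incident that is still open (no remediation timestamp) is handled by excluding it from the remediation average rather than silently skewing it, and out-of-order timestamps are rejected rather than producing negative durations.

```python
from datetime import datetime
from statistics import mean

# Constructed incident records (hypothetical ids, ISO 8601 timestamps).
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T08:00", "detected": "2024-03-01T20:00",
     "contained": "2024-03-02T02:00", "remediated": "2024-03-03T02:00"},
    {"id": "INC-2", "occurred": "2024-03-10T09:00", "detected": "2024-03-10T13:00",
     "contained": "2024-03-10T15:00", "remediated": "2024-03-11T03:00"},
    # Still open: contained but not yet remediated.
    {"id": "INC-3", "occurred": "2024-03-15T00:00", "detected": "2024-03-16T00:00",
     "contained": "2024-03-16T04:00", "remediated": None},
]

# Each phase is the gap between two consecutive milestones.
PHASES = [("detect", "occurred", "detected"),
          ("contain", "detected", "contained"),
          ("remediate", "contained", "remediated")]

def hours_between(start: str, end: str) -> float:
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta.total_seconds() < 0:
        raise ValueError(f"milestone {end!r} precedes {start!r}")
    return delta.total_seconds() / 3600

def phase_durations(incident: dict) -> dict:
    """Hours spent in each phase; a phase not yet reached maps to None."""
    out = {}
    for phase, start_key, end_key in PHASES:
        start, end = incident.get(start_key), incident.get(end_key)
        out[phase] = hours_between(start, end) if start and end else None
    return out

def mean_durations(incidents: list) -> dict:
    """Mean hours per phase over the incidents that completed that phase."""
    samples = {phase: [] for phase, _, _ in PHASES}
    for inc in incidents:
        for phase, hours in phase_durations(inc).items():
            if hours is not None:
                samples[phase].append(hours)
    return {phase: (mean(v) if v else None) for phase, v in samples.items()}

def slowest_phase(incidents: list) -> str:
    """The phase with the largest mean duration: the first improvement target."""
    means = {p: h for p, h in mean_durations(incidents).items() if h is not None}
    return max(means, key=means.get)

def phases_over_target(incidents: list, targets: dict) -> list:
    """Phases whose mean duration exceeds the team's agreed target, in hours."""
    means = mean_durations(incidents)
    return [p for p, limit in targets.items()
            if means.get(p) is not None and means[p] > limit]

if __name__ == "__main__":
    targets = {"detect": 8, "contain": 4, "remediate": 24}   # assumed targets
    for inc in INCIDENTS:
        print(inc["id"], phase_durations(inc))
    print("means:", mean_durations(INCIDENTS))
    print("slowest:", slowest_phase(INCIDENTS))
    print("over target:", phases_over_target(INCIDENTS, targets))
```

With the constructed records the detection phase averages just over 13 hours against an 8-hour target, which is exactly the kind of number that lets the team decide where to recommend improvements before the post mortem.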
Conducting post mortems
The improvement recommendations serve as a logical segue to our final step, the post mortem. After an incident, examine how your process stood up when a real threat took hold. Which practices boosted the effectiveness of the response, and which hindered it? Once the team has reached conclusions on these questions, fine-tune your incident response strategy to achieve successful remediations sooner.
It’s important to note that you should determine your strategy and its supporting steps before you invest heavily in security solutions. You will know which tools are the best fit only after you have aligned your processes with your specific business and technology needs. If you reverse the order, you’ll end up with products that IT eventually abandons because their relevance to your industry, technology infrastructure, scalability requirements and so on was never taken into account.
When processes are aligned with your entire environment in a holistic manner, you have a foundation of response-focused procedures that will stand up over time – regardless of which adversaries are out there, what they’re targeting and how they plan to steal it.
JP Bourget is Founder and Chief Security Officer of Syncurity.