For years I’ve been helping organisations get the best out of their people, processes and technologies. This has also enabled me to learn and evolve on both a professional and a personal level.
In the last few years, I’ve been to countless meetings, seminars, open houses and security summits where a large number of the business and IT leaders from various organisations expressed similar concerns regarding the security posture of their organisation. Most of them have a different, sometimes random, approach to improving their security posture, which is fine when you don’t have dedicated security staff. At least something is better than nothing!
This article is aimed both at those who wear multiple hats in their IT department, including responsibility for cybersecurity, and at those from a technical cybersecurity background working in a more leadership-oriented role.
During such gatherings, I was mostly asked this fundamental question:
“How to determine a starting point when talking about improving the security posture? In other words, where to start?”
Those conversations prompted me to present, in one such seminar, a pragmatic approach based on my real-life experiences in the trenches. Here I’m sharing my high-level strategy, which I believe would benefit organisations that want to improve their security posture but don’t have the budget to hire a CISO or dedicated security staff, or face similar constraints.
Before starting with the main topic, I want to make one point very clear: the success of your security programme heavily depends on one thing, and that is top-management buy-in. I can’t stress enough how important it is to have full support and governance from the top.
As security professionals, our job is to act as evangelists to transform the mentality and culture of our organisation. As leaders, we sometimes have to use different tactics in different situations to convince the audience, or our organisation/business, that security is a business enabler, not a blocker. But that in itself can be a tough job!
Now coming back to our main topic: where to start? Once you get the green light from top management, it’s time to create a high-level strategy and find the right approach to start the programme, as there is no one-size-fits-all answer. There are different frameworks available which can be used, e.g. COBIT, SABSA, NIST. However, I use these frameworks as a guide to follow industry best practices and use my experience to create my own strategy on how to kick off the programme. In my opinion, we should treat this initially as a project. Once you achieve the objectives set out in the project, this should become part of the continuous improvement process. In cybersecurity, there’s no such thing as a “perfect security posture”. As technologies change rapidly, so does the nature of attacks. It’s a continuous improvement process!
There are two phases in the assessment of the overall security of the environment:
Phase 1: Understand the organisational goals and other contexts.
In this phase, you will be spending a lot of your time interviewing (meeting) people in your organisation and reviewing processes and technologies, covering stakeholders, workforce, regulations, culture, partners, customers, competitors, the organisation’s objectives and its risk appetite. The aim is to gather as much information as you possibly can, so you can analyse the data and get a clear understanding of who and what you are dealing with. Clarity breeds mastery!
Phase 2: Conduct security assessment (Health Check) on your environment
- Asset Characterisation – rank your assets based on their business value and impact. Consider the CIA triad (confidentiality, integrity, availability) while assessing the value and the impact. It’s imperative to know what you are trying to protect, i.e. your high-value assets. They can be tangible or non-tangible. BTW, this includes people as well.
- Threat Assessment – assess the likelihood of attack. Generally, this is a scenario-based collaboration exercise between IT and the asset owner to go through what-if scenarios.
- Vulnerability Assessment – rank potential vulnerabilities against all critical/high-value assets. The main reason for conducting a VA is to identify known security exposures in the environment and fix them, or put a control in place, so that they cannot be exploited by an attacker.
- Risk Evaluation – determine the level of risk to all critical assets in terms of Impact x Likelihood = Risk, then prioritise the risks based on that rating.
- Risk Treatment – the process of identifying the gaps between the current and the desired security of the environment and advising on the controls or countermeasures to mitigate, avoid, transfer or accept the risk. This exercise generally happens in Security Committee meetings, as key decision makers need to be present to make swift decisions on organisational risks.
Also, I was asked, “What area would you address first?”
Again, the answer is that it really depends on the outcome of the security health check/assessment report and on mapping the risks to the organisational goals. Based on that risk mapping, create a strategy to manage organisational risks as per their ranking in the report and get approval from top management or the security committee. Some of the risks can be addressed simultaneously if they don’t have any dependencies or budgetary constraints.
A few examples of organisational risks:
Based on the above example, let’s calculate how we determined the internal network assessment (2nd row in the table above) as a Critical risk. There are two methods to analyse risk: quantitative and qualitative. Here we are using the qualitative approach, which is quick and simple but subjective, as compared to the quantitative approach, which is more accurate but time consuming.
As per the security assessment:
- Asset Characterisation – Internal network security (Critical)
- Threat Assessment – High (Likelihood)
- Vulnerability Assessment – High
- Risk Evaluation – Impact x Likelihood = Risk (based on the above table: Critical x High = Critical)
In the above scenario, the correct treatment would be to mitigate the risk by updating the firewalls, locking down VPNs to specific ports and source and destination addresses, segregating the network (VLANs) and allowing only authorised traffic between the VLANs as a baseline defence. However, there may be cases where you have to choose other risk treatment options. Most of the time, security professionals spend their effort on mitigating risk.
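As an added illustration (not code from the article), the qualitative Impact x Likelihood evaluation above as a small risk register in Python: assets are characterised by CIA ratings, the worst rating sets the impact, the matrix turns impact and likelihood into a risk rating, and the register is ranked for the Security Committee. The 4x4 matrix, the Level scale and the sample assets are my assumptions; the article only states the Critical x High = Critical cell.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):  # one ordered qualitative scale for impact, likelihood and risk
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4

def parse_level(text: str) -> Level:
    # Map an assessor's wording ('High', ' critical ') to a Level; reject anything else.
    try:
        return Level[text.strip().upper()]
    except KeyError:
        raise ValueError(f"unknown rating {text!r}; use Low/Medium/High/Critical") from None

# Assumed matrix: rows = impact, columns = likelihood (LOW..CRITICAL); the article fixes only Critical x High = Critical.
RISK_MATRIX = [
    [Level.LOW, Level.LOW, Level.MEDIUM, Level.MEDIUM],          # impact LOW
    [Level.LOW, Level.MEDIUM, Level.HIGH, Level.HIGH],           # impact MEDIUM
    [Level.MEDIUM, Level.HIGH, Level.HIGH, Level.CRITICAL],      # impact HIGH
    [Level.MEDIUM, Level.HIGH, Level.CRITICAL, Level.CRITICAL],  # impact CRITICAL
]

@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: Level  # asset characterisation: CIA ratings
    integrity: Level
    availability: Level
    likelihood: Level  # outcome of the threat and vulnerability assessments
    @property
    def impact(self) -> Level:
        # The worst-case loss across C, I and A sets the business impact rating.
        return max(self.confidentiality, self.integrity, self.availability)

def evaluate_risk(impact: Level, likelihood: Level) -> Level:
    """Risk Evaluation step: Impact x Likelihood -> Risk, read from the matrix."""
    return RISK_MATRIX[impact - 1][likelihood - 1]

def prioritise(register: list) -> list:
    """Rank the register highest risk first (ties broken by impact) for the Security Committee."""
    ranked = sorted(register, key=lambda a: (evaluate_risk(a.impact, a.likelihood), a.impact), reverse=True)
    return [(a.name, evaluate_risk(a.impact, a.likelihood)) for a in ranked]

SAMPLE_REGISTER = [  # constructed sample values, not taken from the article
    Asset("Internal network", Level.HIGH, Level.CRITICAL, Level.CRITICAL, Level.HIGH),
    Asset("Public website", Level.LOW, Level.MEDIUM, Level.HIGH, Level.MEDIUM),
    Asset("Staff laptop fleet", Level.HIGH, Level.MEDIUM, Level.LOW, Level.LOW),
]
```

Calling `prioritise(SAMPLE_REGISTER)` returns the internal network as Critical, the website as High and the laptop fleet as Medium; the matrix cells are the knob to tune to your organisation's risk appetite.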
This is a very simple example of assessing the current state of an organisation’s security.
As we all know, there is no perfect state in security; it’s a continuous improvement process, so regular assessments are imperative. This is a lot of work, and you can use different approaches to achieve the end goal. You can hire a third party to do these assessments or do them internally if you have enough resources and expertise. I generally use a hybrid approach, using third-party expertise when and where required to complement the in-house security team.
Also, it is essential to “speak in business language” when communicating risks to business leaders instead of getting into the technical nitty-gritty of the risks. That way you have a better chance of winning the confidence and support of your senior management.
Thank you for reading and happy learning!
Don’t forget to share your feedback in the comments section below.
Nicely put and well thought of..
Thanks Vikas…