We recently spent some time with a client who is at the tail end of response and recovery from a data breach. Although the past few months have taken their toll on the security team, there is finally a light at the end of the tunnel. However, that light is going to dim quickly as the task of preparing for the next breach approaches like an incoming train.
From Recovery to the Rebuilding Phase
In many ways, the recovery from one data breach begins the process of preparing for the next one. As we began discussing the steps involved in building a new security program and architecture, our client realized they needed to build a new cyber security program from the ground up.
Unfortunately, it’s all too common for security to become a bigger priority after a major incident occurs rather than before. Despite having the support and resources for developing and implementing a cyber security strategy within an existing and complex organization, there were some clear concerns about taking on this initiative.
Naturally, the question became, “Where do we start?”
The answer isn’t always straightforward, and it often depends largely on the role of the person or persons asking the question. More technical personnel will look for the best device to fix a problem, while management will try to determine which policy should be implemented to prevent another incident. While there are benefits to both approaches, each is only part of what’s necessary for building an effective cyber security program.
Characteristics of an Effective Security Program
An effective, holistic cyber security program is inherently a risk management program. Effective cyber security programs identify, quantify, and mitigate risk.
At a fundamental level, building a program involves:
- Choosing a cyber security framework
- Understanding the cyber risks you want to mitigate and to what level
- Determining your current level of cyber risk mitigation
- Plotting a roadmap to get from where you are to where you want to be
- Implementing the roadmap
- Testing your ability to deal with cyber risks given the newly-implemented roadmap
To launch a cyber security program, you must address two tasks with relatively equal importance: choosing a cyber security framework, and appointing a person to oversee security for the company.
Sounds simple, right? But these tasks go hand-in-hand. Fortunately, there are multiple options available to achieve both needs.
Choosing the Right Person to Oversee Information Security
The CISO is critical to guide an information security program. If you can’t afford a full-time CISO, look for a consulting firm you can keep on retainer to get support when you need it and help determine necessary actions. It’s not an overnight process to find a good CISO – they’re expensive, and they’re in demand. So advisory services are a great option if you’re trying to get a program off the ground relatively quickly. Either way, turn to a person or team with experience. This approach will enable you to build the program faster and more thoroughly instead of struggling while you learn on the fly.
Setting Up and Executing a Cyber Security Framework
The cyber security framework helps identify gaps in a cyber security program while providing clear structure and attainable goals. The framework is also the driving force in identifying and prioritizing appropriate controls, which is why it’s an important strategic starting point.
Frameworks are useful for understanding what goals are realistic, and as a check for what you’ve missed, but they shouldn’t be viewed as something to implement in their entirety – most organizations would be overwhelmed in short order by the enormity of the task.
Selection of a framework depends on how comprehensive you need to be, and frankly, the resources you can put into the program. Traditional frameworks like ITIL and COBIT can be comprehensive, but can also be time-consuming and expensive to implement. Non-traditional frameworks like the NIST Cybersecurity Framework, CIS Top 20, and OWASP shouldn’t be considered as compliance instruments (you can’t be compliant with the NIST Cybersecurity Framework), but they are more focused than a traditional framework, and can provide smaller organizations with a starting point for doing something (anything!). Given the maze of frameworks, this is another area where an experienced partner can help you sort through the options to determine your best approach.
Understanding where you are and where you need to be from a cyber risk mitigation standpoint is an intimate process of understanding your organization. Technical and maturity assessments can give you an understanding of where you are. Developing your cyber risk mitigation goals depends on what’s most important and requires an understanding of your organizational crown jewels; for example, those crown jewels might be e-commerce server availability or payment card data. You can then chart appropriate investments in security to protect those crown jewels and develop an implementation plan.
Conclusion and Next Steps
Following these steps, you’ll be ready for the next breach by analyzing where security “breaks” in your organization. Preparation may not be the most popular subject, but it is essential. Research shows the cost of an incident has the potential to increase the longer a breach goes undiscovered or uncontrolled. According to the 2016 Ponemon Institute Data Breach Study, threats stay on a network an average of 229 days before being contained. The better prepared you are, the less time it takes to respond and recover, and the lower the negative financial impact. Conduct tabletop exercises, plan walkthroughs, or even spot checks of people, processes, and technology to determine where things work and where they don’t. At the very least, you’ll gain confidence in your organization’s ability to respond.
Finally, don’t be afraid to ask and fight for help. Everyone is asked to do more with less (time, money, and people). Cyber security isn’t a one-person show. It takes a team, investment, and expert knowledge to be effective. A breach usually provides the justification to increase the investment in cyber security, but that’s a reactive solution to the problem. Use the tough lessons others have already learned and fight to get the support you need.
View our on-demand webinar, “Top 10 Cyber Incident Pain Points: Are You Prepared?” to learn how you can strengthen your response capabilities in the event of a data breach.