Episode 5: Cybersecurity Where You Are
The Tools of Cyber Defense…an Ongoing, Repetitive Process
Part 2 of a 2-part series
In this week’s Cybersecurity Where You Are podcast, hosts Tony Sager and Sean Atkinson continue their conversation on cyber defense as a risk-based process. They discuss the actions and resources that help build and implement “defensive machinery” that support an organization’s current cyber defense plan and help it mature.
A CISO’s First 90 days
The first step a CISO takes when starting with a new organization is to gather information and assess where they are currently in their cyber defense program. Gaining a knowledge of what current products are being used, the frameworks and regulations needed for compliance, interviewing vendors, and evaluating data management take time – but is worth it. By gathering this information first, a CISO can evaluate risk and provide holistic recommendations for improvement.
The Importance of a Strong Foundation
An evaluation of a current security posture takes less time when best practices, such as CIS Controls, were referenced at time of implementation. When customizing a cyber defense program, using consensus-developed secure configuration guidelines, such as the CIS Benchmarks, builds a foundation of confidence in the current structure because those recommendations were vetted by volunteers and experts for effectiveness.
Know Your Lineage
It is important to document and maintain the original language back to the source prior to customization so that it can be managed downstream. This prevents an auditor or decision maker from starting from scratch.
If the foundation was from a known and secure source, the logic behind the tailoring to those foundations can be better explained. Due to organizations needing customization to meet best practices and regulatory compliance, a lineage answers the question, “Where did we start, where did we go?”.
Mapping to Regulatory Frameworks
The need to understand how to mature on a consistent basis is critical. You start with the foundational framework and then map to everything else. For example, utilizing the CIS Controls to build your cyber defense program based on best practices, then using those same CIS Controls to map to regulatory frameworks such as PCI, HIPAA, FEDRAMP and so on.
Once the mapping is constructed, the next step is to manage the prioritization and implementation of those frameworks on a regular basis to maintain compliance.
Tools: From Spreadsheets to CIS CSAT
Most organizations ask themselves, “What can we do with what we already have?”. While this could be a cost-effective and efficient way to approach a cyber defense plan, at times the existing software may not be enough to support maturity.
The use of spreadsheets is common to manage the testing and remediation of a cyber defense program. It may also be the one source of information that tracks both the IT operational tools and the cyber security tools. Tracking of progress, assignments, designations, due dates could work within a spreadsheet but could benefit from a more sophisticated piece of technology.
CIS was built on creating reliable resources for the cyber community to create a more secure world overall. The CIS Controls Self Assessment Tool (CIS CSAT) was developed to, enable security teams to track and prioritize their implementation of the CIS Controls and sub-controls (now known as Safeguards). Instead of a spreadsheet, an organization can now determine which CIS Controls are applicable to your organization, and if they’ve been assigned, implemented, automated, documented, and reported. It also helps you align with other security frameworks.
Whether you are using a spreadsheet or a tool like CIS CSAT, it is a means to mature your cyber defense machinery through continued assessment and remediation.
Share with the Group
Staying up to date on various cyberattacks and the latest defenses can be daunting. It is important to stay informed, evaluate what issues may affect your particular program, evaluate its risk, and remediate where needed.
Training your internal staff about new cyberattacks and strategies protects them as well as supports the integrity of your organization’s cyber defenses. One way is to host trainings and show examples of cyberattack strategies like phishing. Then test their knowledge with a fake phishing email. Measure the interaction with the emails of those who took the training versus those who did not. From there, you can evaluate what additional training is needed and how at-risk your organization is to outside attacks.
Cyber security is not a destination, it is a journey that requires collaboration and communication. When one benefits and shares, all can become stronger.