The Who, What, When, Where, Why and How of Cyber Security Programs
Why Implement a Security Program?
Organizations of all sizes and across every industry implement cybersecurity programs to protect the assets that, if compromised, could harm a company’s customers, reputation, and future. Theft of valuable corporate data is a lucrative business for cybercriminals. Although cybercrime is nothing new, attackers are constantly getting smarter, more creative, and better at breaching an ever-increasing amount of valuable corporate data. To minimize the risk of these threats, more organizations are expanding their cybersecurity programs to protect the confidentiality, integrity, and availability of their digital assets. The primary motives for building a cybersecurity program vary from business to business, but they often align with the drivers of the CIA cybersecurity triad, including:
- Confidentiality: business requirements to protect the confidentiality of sensitive online data (e.g., proprietary data, personally identifiable information or PII, confidential data, financial records, etc.)
- Integrity: business requirements to protect the integrity of certain digital records (e.g., many industry regulations require executives to ensure the integrity of their corporate financial records)
- Availability: business requirements to ensure that systems and data are consistently available (e.g., minimize the cost of downtime, ensure productivity of staff, maintain customer loyalty, etc.)
Many businesses are required to maintain a cybersecurity program by regulatory mandate, and any company may bear the burden of meeting one or more regulations, including:
- Industry Cybersecurity Regulations: cybersecurity guidelines that a business must meet to transact business within a specific industry (e.g., PCI-DSS in the retail industry)
- Government Cybersecurity Regulations: cybersecurity guidelines that a business must meet as mandated by a government agency to protect corporate data (e.g., SOX or Sarbanes-Oxley for US public companies, FISMA for US government agencies, HIPAA for healthcare providers, etc.)
- Government Privacy Regulations: data protection guidelines that a business must meet to protect the privacy of consumer data (e.g., GDPR or General Data Protection Regulation for businesses that transact with residents of the European Union)
The examples above represent just a small fraction of the vast number of cybersecurity-related regulations that can impact businesses. A common objective across almost every regulation is to reduce the risk of a data breach through a well-orchestrated and effective cybersecurity program.
Who Needs to Be Involved?
Cybersecurity professionals recommend that everyone across a business play a role in protecting corporate data. This includes corporate boards and executives defining cybersecurity strategy and priorities, management teams achieving corporate cybersecurity objectives, and staff implementing and following defined cybersecurity policies and procedures. Security professionals also recommend that cybersecurity programs use both inside and outside auditors. Auditing ensures that the business periodically reviews the effectiveness of its security program. Finally, cybersecurity programs should extend beyond the corporate IT boundary to include cybersecurity oversight for any external company (i.e., the third-party partner ecosystem) or service provider (e.g., MSP, SaaS/IaaS/PaaS cloud providers, etc.) that processes sensitive corporate data.
What Systems Need Protection?
Determining what systems need protection is an essential component of any cybersecurity program. Organizations must continuously evaluate the potential risk of system compromise across all networked systems. Not all systems and data are created equal, so it is imperative to introduce a well-defined risk assessment process that aligns cyber protection priorities with the business value of the data that is processed by your company’s systems. In many cases, organizations are forced to protect specific systems because of contractual obligations or regulatory mandates. For example, PCI-DSS requires a broad range of cybersecurity controls for “all entities that store, process or transmit cardholder data.” Similarly, HIPAA requires “appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI).”
This kind of effort can seem daunting; it requires an accurate accounting of every system, the applications that reside on each system, the information maintained or processed on each system, and the risk of information compromise. Organizations must assess the potential expenses they would incur in the event of a harmful incident, including:
- Physical data loss – for example, the expense a business would incur to recover from data corruption or system failure.
- Unauthorized access – for example, the expense a business would incur as a result of data theft due to unencrypted data, insufficient access controls, etc.
Organizations must have a strong, well-executed risk assessment process for all networked systems so that prioritized security measures can be defined and implemented effectively.
When Should a Security Program Be Implemented?
Organizations must determine for themselves when they should implement a cybersecurity program. Any organization with contractual or legal cybersecurity obligations should already have a program in place. The size and type of a company have a strong influence on the breadth and depth of the cybersecurity program it should implement. The risk from data compromise also has a strong influence on the need for a cybersecurity program. The worst thing any company, whether large or small, can do is ignore its cyber risks. Smaller companies with lower risk exposure should still develop and implement an appropriate cybersecurity program. In many cases, smaller companies have the same regulatory or contractual burden to maintain a security program as larger companies. In fact, many smaller companies that hold contracts with larger companies are now obligated to have a proper cybersecurity program in place.
Organizations of all sizes are beginning to require their service providers to certify their security program through the SOC 2 assurance program formed under the AICPA Trust Services Principles and Criteria. Regardless of company size, organizations are beginning to recognize that the cybersecurity concerns of customers and partners can become a barrier to sales. Organizations must prevent this and ask the fundamental question of “what is the potential impact of a breach to our system or the systems of our service providers?” For many companies, the impact of a breach can be catastrophic and include significant fines, operational downtime, recovery expenses, and more, so it is absolutely crucial that every business consider the gravity of such an event before building their security program.
Where Should Cybersecurity Be Prioritized?
Cybersecurity risk should be prioritized holistically and in conjunction with a broader enterprise risk management (ERM) program. Program priorities will vary from company to company based on individual corporate requirements. For example, risk priorities for a manufacturing company will be considerably different from those of a retail business. Organizations that are serious about reducing enterprise risk should implement a risk management framework, such as COSO or NIST SP 800-37, to manage the process of uncovering, prioritizing, and addressing risk. Use of a risk management framework provides a disciplined risk management process for each system, including:
- Asset Categorization – determination of the value of data on the system and risk implications if compromised.
- Control Selection – determination of the controls to implement on the system by the assessment of risk.
- Control Implementation – implementation of defined security controls to mitigate potential risks to the system.
- Control Assessment – review of implemented controls to ensure they are meeting desired objectives.
- Authorization – ensuring the proper authorization of security controls on systems.
- Control Monitoring – monitoring to provide assessment and reporting on the security and privacy posture of the system on an ongoing basis.
How to Achieve a Security Program?
Many information security professionals agree that an effective information security program must be built using a broad range of people, processes, and technology. This concept is a foundation of ISO 27001, a standardized information security framework adopted by many organizations. Further industry guidance dictates that security programs should be built using multiple lines of cyber defense across the entire organization, as recommended by organizations like ISACA. ISACA recommends building the following three lines of cyber defense:
- Line 1: Risk Identification and Assessment – integrated throughout a business’s operations. Requires business executives and management to set strategic cyber policy.
- Line 2: Risk Management – implementation of risk reduction policies and procedures, including appropriate technologies. Requires department implementation of security programs to achieve defined risk management objectives.
- Line 3: Risk Monitoring – continuous evaluation of program efficacy using appropriate monitoring technology as well as inside and outside auditors. Effective audits require an independent assessment of the efficacy of the cybersecurity program.
Over the last few years, cyber insurance has emerged as a recommended last line of defense for some businesses.
These lines of defense must meet the industry or government regulatory requirements that businesses must adhere to.
What People Should Be Involved?
Everyone in an organization is a stakeholder in cybersecurity. An effective cybersecurity program also requires a broad range of knowledgeable cybersecurity professionals. Unfortunately, there is a worldwide shortage of such professionals, and many organizations use outsourced cybersecurity and compliance services to address this skills gap. A snapshot of the people that should or may be involved in a cybersecurity program includes:
- Board of Directors & Executives – Set overall cybersecurity strategy and policy. In many industries, executives have the direct responsibility of ensuring that appropriate cybersecurity programs are in place and working effectively. An effective security program must start from the top down, including corporate boards and executives.
- Virtual CISO (vCISO)/CISO as a Service – A service offering strategic and operational leadership on cybersecurity to companies where a full-time CISO does not make sense.
- Risk Managers – work to manage programs to reduce and mitigate specific risks to the business. Can include enterprise risk managers, cybersecurity risk managers, and partner risk managers among others.
- In-house management & staff – work to achieve cybersecurity objectives set by corporate executives and risk management boards. Can span multiple functional areas including legal, operations, and technical staff among others.
- Consultants – trained professionals that help fill internal staffing gaps.
- Managed Security Service Providers (MSSP) – deliver a service that is related to the security program. An example MSSP service is the management of firewalls by a third party.
- Outsourced Services – deliver an outsourced service that is related to the security program. Network and security monitoring services provided by a third party are examples of outsourced services.
- Auditors – deliver an independent periodic assessment of the efficacy of a security program. This typically includes both internal and external auditors. Can also include compliance-specific auditors.
- Insurance Companies – can provide an insurance safety net to certain classes of business.
What Process Should a Business Implement?
Every organization must determine what cybersecurity processes are appropriate for its business. In some industries, the processes that an organization must implement are guided by industry or federal regulation. Multiple process options are available to organizations from public cybersecurity resources including:
- Cybersecurity Best Practice or Auditing Guidelines – examples include:
  - Control Objectives for Information and Related Technology (COBIT) – a security best practice framework developed by ISACA.
  - Center for Internet Security Critical Security Controls for Effective Cyber Defense – a cybersecurity technical control framework.
  - NIST Special Publication 800-53 – a set of security controls required by US federal agencies.
  - ISO 27001 – an international information security standard.
- Cybersecurity Regulations – examples include:
  - PCI-DSS for businesses that engage in credit card transactions.
  - SOX or Sarbanes-Oxley for US public companies.
  - FISMA for US government agencies.
  - HIPAA for healthcare providers.
  - GDPR or General Data Protection Regulation for businesses that transact with residents of the European Union.
  - NERC CIP for businesses that provide critical infrastructure.
Organizations that are serious about cybersecurity will have written policies that can be continually reviewed and improved as the cybersecurity needs of the organization change over time.
What Technology Should a Security Program Implement?
An organization must determine the security controls that are most appropriate for its business and in alignment with any specific regulatory burdens. Although the universe of potential security controls is significant, guidance from the Center for Internet Security Critical Security Controls for Effective Cyber Defense provides a set of recommended and prioritized cybersecurity controls. CIS recommends that any company concerned about cybersecurity should at least address the top six control areas:
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Continuous Vulnerability Management, including penetration testing
- Controlled Use of Administrative Privileges
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Maintenance, Monitoring, and Analysis of Audit Logs
No security-conscious company should overlook the importance of security awareness training across the organization. Research from PricewaterhouseCoopers (PwC) has shown that companies with security awareness training programs have lower losses from a breach than companies that do not have a training program. The types of training programs an organization should consider include:
- Security Awareness Training – ensures staff understand a broad range of cybersecurity concerns to reduce the risk of a cyber incident.
- Developer Security Training – ensures programming practices incorporate cybersecurity best practices.
- Incident Response Training – ensures the business is prepared to respond to an incident when it occurs.
Finally, every security program should consider specific testing programs to minimize risk wherever and whenever possible, including:
- Vulnerability Testing – ensures the business has addressed vulnerabilities to cybercrime.
- Penetration Testing – ensures the business hardens system configurations.
- Code Review – ensures the business adheres to well-accepted security programming practices.
- Compliance Review – ensures the business meets its compliance requirements.
- Incident Response Testing – ensures the business has appropriate response measures when a breach occurs.
Any business that has concerns over potential risks to the confidentiality, integrity, and availability of its data should implement a cybersecurity program. There is extensive industry and regulatory guidance on what businesses must include in a security program. Industry professionals agree that an effective cybersecurity program requires an organization’s executive team to set program priorities and objectives that give everyone in the business a defined role. There are many important considerations when building a security program, including determining which systems the program should protect, which internal and external resources are engaged in protecting those systems, which technical controls should be in place, and how to audit the program in order to optimize its effectiveness. Organizations should employ highly qualified cybersecurity professionals, whether on staff or provided by a third party. Finally, organizations should manage cyber risks as part of a broader enterprise risk management objective, so that all cyber business requirements are met, including internal governance and external regulatory compliance.
Truvantis Provides Expert Assistance Start To Finish
Each Truvantis Security program is specific to a customer’s needs and can encompass full responsibility for either an entire Information Security program or just one part of it. Once the scope and service level have been agreed, Truvantis will deliver on these responsibilities for a fixed and predictable monthly fee. The scope of the service can be adjusted at any time as your needs evolve.