What’s Your Security Strategy?

Comprehensive planning will help organizations hunker down for the coming ‘cyber storm.’

Increasingly sophisticated cyber threats that exploit economic, social and geopolitical volatility create the perfect conditions for a “gathering cyber storm,” cybersecurity experts warned in January during the World Economic Forum’s annual meeting in Davos, Switzerland. Most agree that organizations must rethink their security strategies in order to weather the storm.

Since the beginning of the computer age, security efforts have focused almost exclusively on prevention. However, it’s become clear that it’s simply not possible to thwart every attack. Instead, organizations must make the philosophical shift to cyber resilience — augmenting traditional preventive measures with tools that allow them to rapidly detect attacks in progress and respond decisively to limit disruptions and damages.

“We need to accept that this is really about cyber resilience,” Sadie Creese, a professor of cybersecurity at the University of Oxford, said at Davos. “There is no such thing as 100 percent security. It's about resilience in the face of insecurity.”

Creating a Blueprint

The first step to achieving cyber resilience is creating an organization-wide security strategy that outlines a comprehensive and repeatable approach for managing cyber risk and reducing vulnerabilities. It will serve as a blueprint for coordinating robust security practices among management, IT staff and line-of-business employees.

Strategic security plans should be documented, providing a high-level overview of potential threats facing the organization along with the tools and processes necessary to identify, remediate and manage risks. In addition to providing an overview of generic threats, vulnerabilities and security controls, the plan should address broader concepts, including regulatory compliance, business continuity and risk management.

Given the rapidly changing state of technologies and threats, a security strategy should be considered a living document that is consistently edited and updated. Most industry analysts recommend a comprehensive revision every three to five years.

Proactive Security

The chief benefit of such a strategy is that it allows organizations to define and prioritize cybersecurity initiatives instead of continually reacting to the latest threat. The “whack-a-mole” approach of adding new security products for every emerging threat is not sustainable — security analysts identify more than half a million new malicious programs every day. Continually adding new security tools only results in overly complex and effectively unmanageable security environments.

A regularly revised security strategy will guide organizations to make incremental enhancements to their existing security measures, including the incorporation of more proactive measures such as predictive analytics, penetration testing, intrusion prevention and vulnerability scanning. In addition to helping organizations detect threats faster, these measures often enable IT teams to predict attacks based on risk modeling.

Threat analysis is another key component of proactive security. It can identify an attack’s unique tactics, techniques and procedures (TTPs), and IT teams can use that information to actively hunt for threats and disrupt them in advance.

Frameworks Can Help

The process of developing a comprehensive security strategy can seem overwhelming. Every company has unique security and operational requirements, and there are countless numbers of potential threats, solutions and contingencies that could be addressed. It’s common for those tasked with developing such a document to experience paralysis by analysis trying to cover everything.

A number of established IT security frameworks can ease the process, serving as an instruction manual for designing, implementing and maintaining a security strategy. In fact, a Dimension Research survey finds that more than 80 percent of organizations in the U.S. use one or more security frameworks, citing benefits such as measurable security improvements, increased automation of security controls and improved compliance. Some of the more widely used frameworks include:

  • The Payment Card Industry Data Security Standard. The PCI DSS standard outlines widely accepted policies and procedures for protecting credit card information. The same principles can be used to protect sensitive data in any organization.
  • National Institute of Standards and Technology Cybersecurity Framework. The NIST framework outlines security best practices for federal agencies and private-sector organizations vital to national and economic security. It is commonly used by small and large businesses across all industries.
  • The Center for Internet Security Critical Security Controls. The CIS controls were developed for U.S. defense organizations. Numerous private-sector organizations use this framework to create a layered security environment.
  • The International Organization for Standardization 27001 standard. ISO 27001 is an international framework for creating an overarching management system for all security controls. It provides guidance on the implementation of individual security measures to ensure they are properly integrated with other critical controls.
  • Control Objectives for Information and Related Technologies. The COBIT framework establishes guidelines for information management and governance to ensure the quality and reliability of information systems. Organizations often use it to evaluate their compliance with Sarbanes-Oxley.

Although these and other frameworks were created for different audiences, they can be adapted to help any organization develop a comprehensive security strategy. It’s important to remember that it doesn’t have to be perfect on the first try — organizations can and should continually modify their strategy to ensure it aligns with evolving business goals, technology environments and cyber threats. A continually updated strategy provides essential protection from attacks, come rain or shine.
