By Christopher Barron
Associate
As the CIO you’ve been tasked with ensuring that your organization’s IT systems are more secure. You’ve got a budget (although it’s tight). You’ve got mandates (“Don’t let us get hacked!” “Increase our perimeter strength!” “Make it a ‘Top 3’ initiative for the year!”). But if you’re like many CIOs, what you don’t have is an understanding of the basic premises and precepts of cybersecurity.
To get appropriate cybersecurity controls in place, where in the world should you start?
You don’t have to reinvent the wheel
If you feel like you’re floundering, I’ve got good news for you. There is a well-established framework that covers nearly all of the common information security risks. The Center for Internet Security (CIS), a non-profit organization that has been around for over two decades, has created a list of 20 Critical Security Controls. These Controls represent a consensus from a group of cybersecurity experts located throughout both government and private industry. This list is the roadmap that you need.
Start with the first five Critical Security Controls
Here’s even better news: If you implement the first five Critical Security Controls you’ll mitigate an estimated 87% of your risk (based on quantitative measures). These first five knock off the “low hanging fruit” by addressing the most common information security issues. As it turns out, many of the activities taken against your network are automated and easy to stop.
To get cybersecurity in place, start with these five Critical Security Controls:
1. Inventory of Authorized and Unauthorized Devices
You need to ensure that all devices connected to your network are understood and documented, whether they are authorized or unauthorized. This knowledge will help you take steps to harden your network perimeter.
2. Inventory of Authorized and Unauthorized Software
This is just like Control #1, but for software. You need to have a complete inventory of all of the software that’s running on your network, whether it is authorized or unauthorized.
Keep in mind that unauthorized software represents a significant threat. Unauthorized software includes both software that has been intentionally installed by users without following your organization’s policies, and software that has been unintentionally installed, such as through phishing schemes.
3. Secure Configurations for Hardware and Software
Every piece of equipment you buy should be validated against a set of pre-determined standards before it is purchased. To make this happen you must develop these standards for your organization—and then apply these standards to all the hardware and software run within your environment, including mobile devices and servers.
4. Continuous Vulnerability Assessment and Remediation
You need to continuously monitor your system and run vulnerability assessments to watch for anything new that has been installed, whether it is software or hardware, and then address whatever issues are discovered.
If your permissions and Identity and Access Management system doesn’t catch it first, your basic networking monitoring tools will usually catch most things that have been installed. Whatever these tools don’t catch should be caught by your vulnerability assessments. I recommend that you use security scanning tools to continuously run vulnerability assessments, and then augment this with periodically-scheduled “audit” type assessments.
Why is this so important? Because you can put all the advanced security systems in place that you want, but if someone comes in and installs an unauthorized wireless router on your system, you immediately have an uncontrolled vulnerability. By having an understanding of all of the hardware connected to your network, including an ability to find vulnerabilities in real time, and then quickly remediating vulnerabilities when they are discovered, you can pretty much stop most active hacking attacks.
5. Controlled Use of Administrative Privileges
Administrators who have the highest level of access to resources must be monitored, and every action they take must be logged. After all, when someone has the highest level of access they can do just about anything they want within your network. Someone must watch them to verify that their actions are always in the organization’s best interests.
What about the other 15 Critical Security Controls?
These first five Critical Security Controls represent 20 years of consensus on where the most basic-level information security competencies start. After you have implemented these you can focus on the other 15. These controls address the remaining 13% of your vulnerabilities, which are typically the more complex issues.
Conclusion
There is a lot of talk about the importance of information security. Coupled with that talk are the significant budget allocations being carved out specifically for cybersecurity projects. By focusing on these first five Critical Security Controls you will get the most bang for your buck. These are the places to start because these controls address the vast majority of your architectural vulnerabilities. Once you have these things in place you can move on to implementing other security measures.
Remember, hackers are like water…they tend to flow through the easiest possible path. When a hacker encounters an organization that has implemented the best practices of the first five controls, they will typically pass by and find a target that has not.
Need help getting cybersecurity in place? Give us a call. Security Strategy is one of our areas of expertise.
About Christopher Barron
As a strategic and innovative leader, Christopher is known for the ability to help clients realize how to leverage technology to outperform competitors. He has led clients through some of their toughest challenges, including departmental and project rescues, embracing and integrating new digital solutions, and developing hybrid organizations that can fully utilize the best and most cost-effective IT solutions.
About CIO Professional Services
Based in the San Francisco Bay area, CIO Professional Services LLC is a top-rated Information Technology (IT) consulting firm focused on integrating Business and Information Technology. Our consultants are all hands-on executives who are veteran CIOs and Partners of Big 4 consulting firms. Companies come to us seeking assistance with their information technology strategy as well as for interim or fractional CIO / CTOs, and negotiation and program management/project rescue assistance.
