Getting Cybersecurity in Place On a Tight Budget

By Christopher Barron
Associate

As the CIO you’ve been tasked with ensuring that your organization’s IT systems are more secure. You’ve got a budget (although it’s tight). You’ve got mandates (“Don’t let us get hacked!” “Increase our perimeter strength!” “Make it a ‘Top 3’ initiative for the year!”). But if you’re like many CIOs, what you don’t have is an understanding of the basic premises and precepts of cybersecurity.

To get appropriate cybersecurity controls in place, where in the world should you start?

You don’t have to reinvent the wheel

If you feel like you’re floundering, I’ve got good news for you. There is a well-established framework that covers nearly all of the common information security risks. The Center for Internet Security (CIS), a non-profit founded in 2000, maintains a prioritized list of 20 Critical Security Controls (published today as the CIS Controls). The Controls represent a consensus among cybersecurity experts from both government and private industry about which defensive actions stop the attacks actually seen in the wild, ordered so that the most valuable come first. This list is the roadmap that you need.

Start with the first five Critical Security Controls

Here’s even better news: implementing just the first five Critical Security Controls mitigates an estimated 87% of your risk. Treat that figure as a sector-wide estimate rather than a measurement of your own environment, but the point stands: these five knock off the “low hanging fruit” by addressing the most common weaknesses. Much of the hostile activity against your network is automated scanning and exploitation that succeeds only against unknown, unpatched, or default-configured systems, and those are exactly the conditions the first five controls remove.

To get cybersecurity in place, start with these five Critical Security Controls:

1. Inventory of Authorized and Unauthorized Devices

You need to know every device that connects to your network, keep that knowledge in a maintained inventory, and be able to detect devices that are not on it so they can be removed or quarantined. You cannot patch, configure, or monitor a machine you don’t know exists, and unmanaged devices are where attackers establish a foothold. On a tight budget the raw data is already available to you: DHCP lease logs, switch MAC address tables, and periodic network scans, reconciled against the inventory. This knowledge is also the starting point for hardening your network perimeter, because you can’t define what belongs inside it otherwise.

2. Inventory of Authorized and Unauthorized Software

This is just like Control #1, but for software. You need a complete inventory of the software running on every system on your network, authorized or not, and, where you can manage it, an allowlist so that only approved software is permitted to run.

Keep in mind that unauthorized software represents a significant threat. It includes both software that users have intentionally installed without following your organization’s policies and software that was installed without anyone intending it, for example when a user opens a phishing attachment.
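Controls 1 and 2 come down to the same operation: compare what you observe with what you have authorized and act on the difference. The script below, added here as an illustration and not code from the article or from CIS, does that for both. Every input is constructed: the device snapshot imitates a DHCP lease dump, the package listing imitates output from an endpoint agent, and the authorized lists are invented. In practice the observations would come from your DHCP server, switch MAC tables, an arp/nmap sweep, or a tool such as osquery.

```python
"""Reconcile what is on the network against what is authorized (Controls 1 and 2).

Added example, not code from the article or from CIS. All inputs are constructed.
"""
from dataclasses import dataclass

# Constructed authorized device inventory, keyed by MAC address.
AUTHORIZED_DEVICES = {
    "00:1a:2b:3c:4d:01": "fileserver-01",
    "00:1a:2b:3c:4d:02": "printer-lobby",
    "00:1a:2b:3c:4d:03": "laptop-jsmith",
}

# Constructed snapshot of what is actually answering on the LAN: ip mac hostname.
OBSERVED_DEVICES = """\
10.0.1.10 00:1a:2b:3c:4d:01 fileserver-01
10.0.1.20 00:1a:2b:3c:4d:02 printer-lobby
10.0.1.55 00:1a:2b:3c:4d:03 laptop-jsmith
10.0.1.77 c4:e9:84:aa:bb:cc TL-WR841N
"""

# Constructed software allowlist: package names approved for workstations.
AUTHORIZED_SOFTWARE = {"firefox", "libreoffice", "openssh-client", "curl"}

# Constructed per-host package listing: host package version.
OBSERVED_SOFTWARE = """\
laptop-jsmith firefox 52.0
laptop-jsmith libreoffice 5.2.7
laptop-jsmith openssh-client 7.4
laptop-jsmith utorrent 3.5.0
laptop-jsmith curl 7.52.1
"""


@dataclass(frozen=True, order=True)
class Finding:
    host: str
    item: str
    reason: str


def parse_devices(text):
    """Return {mac: (ip, hostname)} from the lease-style dump; MACs normalised to lower case."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, hostname = line.split()
        devices[mac.lower()] = (ip, hostname)
    return devices


def unauthorized_devices(observed, authorized):
    """Control 1: every device seen on the wire whose MAC is not in the inventory."""
    return sorted(
        Finding(host=hostname, item=mac, reason=f"unknown device at {ip}")
        for mac, (ip, hostname) in observed.items()
        if mac not in authorized
    )


def missing_devices(observed, authorized):
    """Inventory entries that were not seen: possibly stolen, moved, or stale records."""
    return sorted(
        Finding(host=hostname, item=mac, reason="authorized device not seen")
        for mac, hostname in authorized.items()
        if mac not in observed
    )


def unauthorized_software(text, authorized):
    """Control 2: installed packages, per host, that are not on the allowlist."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, package, version = line.split()
        if package.lower() not in authorized:
            findings.append(Finding(host=host, item=f"{package} {version}",
                                    reason="package not on allowlist"))
    return sorted(findings)


def reconcile():
    """Run all checks; returns (unknown_devices, missing_devices, unapproved_software)."""
    devices = parse_devices(OBSERVED_DEVICES)
    return (
        unauthorized_devices(devices, AUTHORIZED_DEVICES),
        missing_devices(devices, AUTHORIZED_DEVICES),
        unauthorized_software(OBSERVED_SOFTWARE, AUTHORIZED_SOFTWARE),
    )


if __name__ == "__main__":
    for group in reconcile():
        for f in group:
            print(f"{f.host}: {f.item} ({f.reason})")
```

Two caveats a practitioner would add. Matching on MAC address is cheap and good enough as a first filter, but MACs can be spoofed, so this is a detective control, not an access control; port security or 802.1X comes later in the program. And a DHCP lease dump misses statically addressed devices, which is why switch MAC tables or an active scan should feed the same reconciliation.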

3. Secure Configurations for Hardware and Software

Vendor default configurations are designed for ease of installation, not for security: default passwords, unnecessary services, open ports, and logging turned off. Define a hardened configuration standard for each class of system you run (you do not have to write these from scratch; the CIS Benchmarks are freely available, consensus-developed configuration guides), apply that standard before a system goes into production, and check periodically for drift back toward the defaults. This applies to all hardware and software in your environment, including mobile devices, laptops, workstations, and servers.
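A configuration standard is only useful if you can check systems against it, and a commented-out directive is the classic way a host silently fails one. The checker below, added as an illustration and not code from the article, from CIS, or from OpenSSH, compares an sshd_config against a baseline. The BASELINE values are illustrative hardening settings assumed here, not a transcription of the CIS Benchmark for any particular distribution; DEFAULTS holds the values sshd uses when a directive is absent, as documented for OpenSSH 7.x; SAMPLE_CONFIG is a constructed file that leaves several vendor defaults in place.

```python
"""Check a host's sshd_config against a documented hardening baseline (Control 3).

Added example, not code from the article, from CIS, or from OpenSSH.
"""

# Illustrative baseline (assumed for this example): directive -> required value.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
    "loglevel": "INFO",
}

# What sshd uses when the directive is not set at all (OpenSSH 7.x documented defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "loglevel": "INFO",
}

# Constructed sshd_config: root login enabled, password auth left at its default
# because the line is commented out, X11 forwarding switched on.
SAMPLE_CONFIG = """\
# Constructed sample, not a real host's file
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 4
"""


def parse_sshd_config(text):
    """Return {directive: value} honouring two sshd rules: the first occurrence of a
    directive wins, and anything after a Match block is conditional, so stop there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def check_baseline(settings, baseline=BASELINE, defaults=DEFAULTS):
    """Return [(directive, effective_value, required_value)] for every deviation.
    A directive missing from the file is judged by its default, which is how a
    commented-out line fails the baseline without anyone noticing."""
    deviations = []
    for directive, required in baseline.items():
        effective = settings.get(directive, defaults.get(directive, "<unset>"))
        if effective.lower() != required.lower():
            deviations.append((directive, effective, required))
    return deviations


def audit(text=SAMPLE_CONFIG):
    """Parse and check one config; returns the deviation list."""
    return check_baseline(parse_sshd_config(text))


if __name__ == "__main__":
    for directive, effective, required in audit():
        print(f"{directive}: is '{effective}', baseline requires '{required}'")
```

The same pattern (parse the live setting, fall back to the documented default, compare with the standard) scales to any configuration file; the part that needs care is the default table, which changes between software versions, so record the version the table was written against.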

4. Continuous Vulnerability Assessment and Remediation

You need to continuously scan your systems for known vulnerabilities (missing patches, out-of-date software, weak configurations), rank the findings by severity and exposure, and fix them within a defined time window. Attackers and their automated tools scan for the same weaknesses; the only question is who finds them first.

Controls 1 and 2 tell you what is present; this control tells you which of it is exploitable. Run authenticated vulnerability scans on a schedule (weekly is a reasonable starting point for a small team, and open-source scanners such as OpenVAS cost nothing but time), track each finding until it is closed, and augment the scanning with periodically-scheduled “audit” type assessments that look at what a scanner cannot see, such as process gaps and business logic.

Why is this so important? Because you can put all the advanced security systems in place that you want, but if someone plugs an unauthorized wireless router into your network, you immediately have an uncontrolled entry point that none of those systems covers. Knowing what is connected (Control 1), finding its weaknesses quickly (this control), and remediating them promptly closes off the opportunistic attacks that make up most of what hits your network.

5. Controlled Use of Administrative Privileges

Administrative accounts can do just about anything within your network, which is exactly why attackers want them most. Keep the number of people with administrative rights to a minimum; give each administrator a separate, dedicated admin account that is used only for administrative tasks and never for email or web browsing; protect those accounts with multi-factor authentication and long passphrases; and log every use of administrative privilege, so that someone can verify that those actions were always in the organization’s best interests.
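The two questions this control asks are “who actually holds administrative rights?” and “what are they doing with them?”, and both can be answered from data every Linux host already has. The script below, added here as an illustration and not code from the article or from CIS, checks privileged-group membership against an approved list and then reads an auth log for direct root logins, sudo failures, and sudo being used to open a root shell (which is where command logging stops). GROUP_LINE imitates the output of `getent group sudo`, AUTHORIZED_ADMINS is the approved list the organization maintains, and AUTH_LOG is a constructed Debian-style auth.log excerpt: the sudo and sshd message formats are the standard ones, but the host, users, addresses, and times are made up.

```python
"""Audit administrative privilege use from group membership and auth logs (Control 5).

Added example, not code from the article or from CIS. All inputs are constructed.
"""
import re

# Constructed: who is actually in the privileged group on this host.
GROUP_LINE = "sudo:x:27:alice,bob,carol"

# Constructed: who is supposed to be.
AUTHORIZED_ADMINS = {"alice", "bob"}

# Constructed auth.log excerpt (syslog format used by sshd and sudo on Debian/Ubuntu).
AUTH_LOG = """\
Mar  3 09:12:01 web01 sshd[2201]: Accepted publickey for alice from 10.0.1.55 port 51022 ssh2
Mar  3 09:12:07 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  3 11:40:13 web01 sshd[2290]: Accepted password for root from 10.0.1.77 port 40110 ssh2
Mar  3 13:02:44 web01 sudo:    carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Mar  3 13:05:10 web01 sudo:     dave : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/vi /etc/shadow
"""

SSH_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : (?P<body>.*)$")

# Commands that hand the admin an unrestricted root shell, after which sudo logs nothing.
SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash", "/bin/su", "/usr/bin/su"}


def parse_group_line(line):
    """'name:x:gid:m1,m2' -> (name, {m1, m2})."""
    name, _, _, members = line.strip().split(":")
    return name, {m for m in members.split(",") if m}


def audit_privileges(group_line, authorized, log_text):
    """Return [(category, detail)] findings: group drift first, then log events in order."""
    group, members = parse_group_line(group_line)
    findings = []
    for user in sorted(members - authorized):
        findings.append(("unauthorized_admin", f"{user} is in group {group} but not on the approved list"))
    for line in log_text.splitlines():
        ssh = SSH_RE.search(line)
        if ssh and ssh.group("user") == "root":
            # A shared root login leaves no individual to hold accountable.
            findings.append(("direct_root_login",
                             f"root {ssh.group('method')} login from {ssh.group('src')}"))
            continue
        sudo = SUDO_RE.search(line)
        if not sudo:
            continue
        user, body = sudo.group("user"), sudo.group("body")
        if "NOT in sudoers" in body:
            findings.append(("sudo_denied", f"{user} attempted privilege use: {body.split('COMMAND=')[-1]}"))
            continue
        cmd = body.split("COMMAND=", 1)[1].strip() if "COMMAND=" in body else ""
        if cmd and cmd.split()[0] in SHELLS:
            findings.append(("sudo_shell", f"{user} opened a root shell ({cmd}); commands run inside it are not logged"))
        elif user not in members:
            # Successful sudo by someone outside the group today means membership changed after the fact.
            findings.append(("sudo_outside_group", f"{user} ran sudo but is not in {group}"))
    return findings


if __name__ == "__main__":
    for category, detail in audit_privileges(GROUP_LINE, AUTHORIZED_ADMINS, AUTH_LOG):
        print(f"[{category}] {detail}")
```

The sudo_shell finding is the one to think about in the context of “every action they take must be logged”: sudo records the command that launched the shell and nothing after it, so either constrain what administrators may run through the sudoers file or forward session recordings to a log host the administrator cannot edit.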

What about the other 15 Critical Security Controls?

These first five Critical Security Controls represent nearly a decade of consensus (the list was first published in 2008) on where the most basic-level information security competencies start. After you have implemented these you can focus on the other 15. Those controls address the remaining 13% of your exposure, which is typically made up of the more complex issues.

Conclusion

There is a lot of talk about the importance of information security, and with it significant budget allocations carved out specifically for cybersecurity projects. By focusing on the first five Critical Security Controls you will get the most bang for your buck: they address the vulnerabilities attackers most commonly exploit, and they are prerequisites for the controls that follow. Once they are in place you can move on to implementing the remaining security measures.

Remember, hackers are like water…they tend to flow through the easiest possible path. When a hacker encounters an organization that has implemented the best practices of the first five controls, they will typically pass by and find a target that has not.

Need help getting cybersecurity in place? Give us a call. Security Strategy is one of our areas of expertise.


About Christopher Barron

As a strategic and innovative leader, Christopher is known for the ability to help clients realize how to leverage technology to outperform competitors. He has led clients through some of their toughest challenges, including departmental and project rescues, embracing and integrating new digital solutions, and developing hybrid organizations that can fully utilize the best and most cost-effective IT solutions.

About CIO Professional Services

Based in the San Francisco Bay area, CIO Professional Services LLC is a top-rated Information Technology (IT) consulting firm focused on integrating Business and Information Technology. Our consultants are all hands-on executives who are veteran CIOs and Partners of Big 4 consulting firms. Companies come to us seeking assistance with their information technology strategy as well as for interim or fractional CIO / CTOs, and negotiation and program management/project rescue assistance.


Copyright 2017. CIO Professional Services, LLC. All Rights Reserved.