- Published: Tuesday, December 03, 2019 07:00
By Zeeshan Kazmi
Cyber Security Practice Head
I recently wrote about the reasons why your cyber security plan must address SecOps, which is a collaborative effort that ensures that your IT security and IT Operations teams are all on the same page. Today I’d like to take a look at how to make this happen. Here are the initial steps we recommend:
Assess your risks
It is absolutely critical to understand what your assets are and where they reside. You can then prioritize these assets based on the likely negative impact on your business if these assets were to be compromised.
Start by taking a complete inventory of your data assets, wherever they may reside. For example, what data resides in shadow IT? How about email archives, mobile devices, apps, etc.? It doesn’t hurt to reach out to key business stakeholders to ask them where they think their data is! Remember, if you don’t know where a data asset is located (or even if it exists), that lack of knowledge is a security risk in and of itself.
Next, add hardware to your asset list. After all, cyberattacks sometimes target the hardware itself, and wreak havoc that way.
Once you have identified your assets, assess the importance of each to the company and the likelihood of someone wanting to target that asset for gain. Prioritize those that are the highest value AND the most likely targets. Make sure your stakeholders and sponsors agree with your assessment of the priorities, and then start putting a cyber security plan in place to protect these assets with strategy, implementation and ongoing operational monitoring.
Pick a cyber security framework
There are a number of different cyber security frameworks available. These frameworks provide a set of checklists to help you create your cyber security plan and help ensure that you cover all your bases. Two of the more popular are the CIS (Center for Internet Security) cyber security framework and the NIST (National Institute of Standards and Technology) cyber security framework.
Review these frameworks within the context of how your business, culture, IT systems and IT strategy work. Select the one that is the best match, and then modify (or simplify) it as necessary for your needs.
Keep end user needs in mind
Understand what business processes will be impacted by your cyber security measures, and exactly how they will be impacted by these changes.
Some cyber security measures, such as in the Identity and Access Management (IAM) arena, can actually boost employee productivity and make business processes more efficient. Other times this is not the case. Your goal should be to meet your cyber security needs with the least possible negative impact. If there are choices to be made, evaluate them from the standpoint of how they will affect the people who must implement these processes.
Remember that for many people change is always difficult. Be sensitive to this and manage people through the change. Whether your new cyber security measures will make processes more or less efficient, you should provide training on the new procedures and assistance with change management.
When it comes to end user needs, you should also ensure that your cyber security policies don’t become your “business prevention” policies. For example, do not just say “no” to any tools that are not already sanctioned by the IT department, or shut down any rogue “shadow IT” installations when you discover them. Business users need to be able to get the tools they need, and your plan needs to provide guidelines for how these tools can be safely used. Consider standing up a steering group of end users who can help guide this process.
In the world of cyber security it’s important that you don’t “drive with your eye on the rearview mirror.” While the cyber security measures you put in place will generally be based on the experience you’ve had and/or the security breaches that others have experienced, cyber security threats are always evolving. Tomorrow’s ransomware attacks, for example, will exploit different vulnerabilities than today’s. Your approach needs to be flexible.
Many organizations make the mistake of rigidly basing all their cyber security efforts on audits and frameworks, only to get tripped up when an attacker comes up with a new methodology that’s not addressed by these audits and frameworks. Security and IT organizations must feel that they can push back on an audit if the results of the audit will be used in a way that excludes this agility. Be ready to show that an audit for yesterday’s threats may not serve your organization today.
Address SecOps and plan for change
SecOps and the on-going operational piece can be critical for your cyber security system’s success. When something in your system or environment changes, you need to (a) be aware that the change occurred and (b) assess whether this change should trigger associated changes in any of your cyber security settings, tactics, etc.
Be prepared for a cyber security breach
Build resilience into your cyber security system. If all your measures fail to prevent a security breach, how will you respond? What should IT do? What should management do? What should legal, marketing and any other affected departments do?
Think through the various types of breaches that might occur—such as distributed denial of service (DDoS), ransomware, etc.—and have plans in place to deal with each.
An effective cyber security plan includes strategy, implementation AND on-going operational monitoring. And it addresses these things in a way that executives, stakeholders and the people who are managing to the plan all understand what they are doing and why.
If you’re concerned that your internal talent might not be up to the task of pulling all of this together, give us a call. CIOPS offers interim CISO (Chief Information Security Officer) and vCISO (virtual CISO) services.
About Zeeshan Kazmi
As a seasoned global technology executive, Zeeshan is known as an analytical thinker who introduces cutting-edge solutions and game-changing cultural shifts that ignite revenue and productivity, and optimize performance. Clients benefit from his extensive experience directing the development and execution of advanced Cyber Security and IT strategies that facilitate sustainable growth, strategic risk management and increased profitability.
About CIO Professional Services
Based in the San Francisco Bay area, CIO Professional Services LLC is a top-rated Information Technology (IT) consulting firm focused on integrating Business and Information Technology. Our consultants are all hands-on executives who are veteran CIOs and Partners of Big 4 consulting firms. Companies come to us seeking assistance with their information technology strategy as well as for interim or fractional CIO / CTOs, and negotiation and program management/project rescue assistance.