Bolstering resistance to devastating electronic attacks requires organizations to take a resilience-oriented approach to cybersecurity. Much as enhancing the sustainability of a business demands the consideration of a multitude of factors from production to supply chain to labor, improving an IT environment’s resilience requires an approach that goes beyond technology purchases. Though the “people, process, technology” mantra may sound like the 2000s calling, it remains relevant to guiding technology-related efforts in 2022.
One of the most significant positive developments in cybersecurity over the past two decades has been this topic’s shift from the IT department watercooler to the boardroom. Most business leaders would list cybersecurity as a concern: that’s a win. As a robust and rapidly growing market for security-related products and services vies for buyers’ attention, it can be difficult to know where to start.
This article offers guidance on a starting point, viewed through the lens of the people, process, and technology dimensions.
We start with this dimension because it impacts cybersecurity resilience in multiple ways. When it comes to securing infrastructure and managing operational risks, people are truly the most important ingredient.
Pressed to choose between a top-tier piece of technology, an ultra-robust process, or an experienced veteran of the cybersecurity trenches, I would always choose the latter. Unfortunately that can be easier said than done given the limited number of skilled and experienced personnel when compared to demand. Consider where augmenting your internal team with outside providers can fill capability gaps.
Though you may outsource certain functions, avoid the trap of abdicating responsibility for cybersecurity. Ensure that there is an internal team member accountable and empowered to focus on cybersecurity, even if it’s part of a larger role and not a dedicated security role. Stay engaged with outside service providers. One way to do this is to challenge your service providers to explain the “why” and “how” of what they are doing. For example, reference a recent attack described in the news and ask them to walk you through how such an attack would be caught and mitigated within your environment.
Outside of the technology organization, it is important to provide digestionable and actionable information to employees, contractors, and others that have a stake in the organization’s security posture. The most effective security awareness programs include a variety of content and periodically test employee’s behavior to reinforce awareness messages. While it may be inevitable that some users will fall victim to attacks, well-constructed security awareness programs reduce that risk by lowering that number.
Formalizing cybersecurity policies and procedures improves resilience. This is because policies serve an important governance function and set the tone for how the entire organization will view cybersecurity. Processes improve scalability, reduce errors, and smooth friction points between teams. Expect to be asked about policies and processes by auditors, regulators, business partners, customers, and insurance carriers.
At the foundational level, ensure that your organization has a cybersecurity policy. It should describe the organization’s overall approach to security, designate roles and responsibilities for governance and implementation, and outline the broad strokes policies for areas such as information classification, incident management, and account management.
Developing a policy need not be a lengthy project; smaller organizations often find it efficient to start with a template and then quickly customize the relevant portions to their environment. The Center for Internet Security provides a comprehensive set of policy templates aligned to NIST Cybersecurity Framework (CSF) standards.
Supporting the umbrella cybersecurity policy there are a plethora of standards and processes to consider. Organization-specific factors such as the nature of the business, IT operations’ complexity, and regulatory requirements should influence prioritization and timing for development. Consider developing and documenting the following areas first as they address foundational capabilities:
- Endpoint protection standards (including mobile device encryption and required security software)
- Audit logging standards (to ensure that all systems are generating useful audit logs to aid administrators and incident responders)
- Vulnerability detection and management processes (including scanning the external network perimeter for vulnerable or unexpected systems available to the Internet)
- Patch management processes
- Identity & access management standards (including ensuring that administrative accounts have strong, unique passwords that are not the same on multiple systems)
- Incident response processes
Finally, we’ve arrived at the dimension where many in the industry start the discussion. If you have ever attended a large security conference such as RSA, you might relate to the overwhelming feeling gazing out over the show floor can induce. Services companies by the dozens. Entire categories of products that are news to you. Is that another EDR vendor?
Consider implementing the below technologies first because they reduce the risk of the most common types of attacks, ease incident response, and mitigate damage should an attacker gain entry.
- Endpoint Detection & Response (EDR) with Next Generation Antivirus (NGAV) Functionality: All servers and end-user systems should have agents installed and blocking capabilities activated.
- Multi-factor Authentication (MFA): Protect Internet-facing systems including email and VPN.
- Privileged Access Management (PAM): Minimally, ensure that systems have unique administrative passwords.
- Resilient Backups: Isolate archived data from intentional corruption by an attacker who gains access to the network.
- System, Patch & Vulnerability Management Tooling: Ensure every system can be managed, scanned for vulnerabilities, and patched quickly.
- Understand your internet footprint: Ensure available services are protected.
It’s important to remember that resilience is measured on a continuum, and incremental steps can be impactful. Prioritize your efforts. Take a holistic approach that considers dimensions beyond technology. Most importantly, start the journey today.