Historically the company CISO (if there was one) would define the security requirements based on the business needs and be responsible for the acceptance of the defined security strategy. The strategy would be converted into a set of policies that would then be approved by the business owners, auditors, and security SMEs. The strategic policy would need to be enforced by the creation of security standards, which should drive the determination of the controls to be put into place. Those controls would need to achieve the level of risk mitigation that everyone had agreed was acceptable. The last step in the process should be to determine how the security vendors can help to implement the controls required to meet the needs of the holistic strategy.
The steps to a secure Organization:
- Define a Strategy
- Establish Policies
- Implement System
- Create Awareness
- Monitor Results
- Enforce Compliance
Security vendors have followed the market transitions of moving certain aspects of their services to the cloud, bundling software into Enterprise Agreements, and trying to figure out how to make each piece of the solution a subscription-based service. With these transitions, a new word for an old methodology is being used: adoption. Adoption is really the new term for lifecycle planning. Several frameworks exist for building security management systems based on risk management techniques, such as the NIST CSF (Cyber Security Framework), the Center for Internet Security (CIS) Controls, the Australian Signals Directorate (ASD) guidance, COBIT 5, and the ISO 27000 series. All of these frameworks can help your organization structure its strategy to ensure the key principles of risk management are satisfied. Next, review the policies, standards, and metrics on a regular basis to catch new risks and to improve upon prior standards. In other words, take a lifecycle approach to security from the policy to the standards and then to the controls. What adoption means to the vendor, however, is how they can improve the consumption of the controls to further mitigate risks in your organization and so prove the value of the subscription.
Security control vendors now have a multitude of services and bundled offerings that can be leveraged to save money while creating a holistic control strategy with that vendor. Organizations very rarely say no to free software, even if they do not know what to do with it or how it will meet their standards and fulfill their own security policy. At renewal time, enterprises begin to evaluate why they bought the additional software that they never deployed. Many times they do not re-purchase the enterprise agreement or subscription, out of a feeling that they were sold something they did not need. However, with the proper assistance and review, those organizations could have improved their controls, further reducing risks to the organization that they may not have accounted for in their policies and standards.
We live in a world where strategy must be aligned with the needs of the business. Often cybersecurity professionals correctly outline the risk, only to have to re-assert the same risk the following year, and the year after that. Translating your cybersecurity strategy into policies, standards, and controls is the lifecycle adoption process. In our experience, many organizations would benefit from ensuring the alignment of their security strategy with the business needs of the organization. They need to determine who the key stakeholders in the business are, such as the CEO, COO, and CFO. Interview them and determine the critical use cases. Conduct a baseline assessment to understand the gaps that exist between the security strategy and the current state of operation. If no policy or written standards exist, then now is the time to invoke the “prudent person” rule: “Would a prudent person in my industry have a strategy comprised of policies and standards to secure the organizational assets?” Following this rule addresses two main considerations: the liability of the corporate leadership, and reducing the cost of cybersecurity insurance. They then need to tie software and hardware controls to the tactical standards that will enforce the strategic policies. Pull all of this together with operational playbooks based on the top threats expected to occur. These playbooks should be a series of steps that describe how to leverage the tools you have purchased to identify, protect, detect, respond, and recover. Finally, on a regular basis, the organization needs to report on the policy goals with metrics that are specific, measurable, achievable, reasonable, and time-bound.
Presidio is a national leader in cybersecurity consulting, and our professional services organization is second to none with regard to the design and deployment of controls. Our managed services team can assist with outsourcing the day-to-day operations of hardware. We are now combining all aspects of our security expertise via the Presidio EXCITE for Security program. EXCITE is a framework specific to the adoption of the software and hardware controls that an organization has invested in. The EXCITE program leverages our cybersecurity team for use-case development, assessments for gap analysis, and operational playbook development. We couple our professional services teams with the cybersecurity team to translate the controls into a high-level implementation plan and to map the controls to the playbooks. If your organization does not have the policies or standards that would fulfill the “prudent person” rule, we can leverage the cybersecurity team’s NGRM Adaptive Security service to help structure a proper cybersecurity solution. Presidio has the expertise to help your organization create a holistic security strategy that is comprised of policies, standards, and controls. We can devise the implementation plan for the controls. Finally, we can help you with planning for Lifecycle Adoption of your software and hardware to validate the business value. This methodology will ensure your risk management approach is meeting and exceeding the goals of your organization’s security policy.