Learn how to build a cybersecurity program from the cybersecurity strategy down to tactical technical security.
Building a cybersecurity program is an interesting challenge within the scope of today’s Information Technology landscape. As the President & CEO of The Penn Group, building an information security program that is cost effective, robust, and agile is one of the core subjects my company consults on. Cybersecurity, the function of the security team, is an exceedingly complicated operation. Within the context of the business, the function of cybersecurity is an oversight activity, most of the time. Without executive buy-in, the cybersecurity program is dead in the water. Despite this complexity, the nobility of the security program is palpable. With an effective cybersecurity program, you’re on the front line protecting your customers and even their lives. In this article, I will take you through building a cybersecurity program.
What Is a Cybersecurity Program?
Cybersecurity programs must be enormously agile, yet there must be robust governance to guide the organization. Building a cybersecurity program takes time, dedication, the right team, and leadership buy-in to be successful. A successful cybersecurity program reduces risk to your organization, saves the company money by reducing the threat of an incident, and improves the resiliency of the organization. The cybersecurity program’s role is to assure the confidentiality, integrity, and availability of information technology. This is called the security triad (the CIA triad), and for years it has been the gold standard for describing the function of cybersecurity. In recent years, however, the CIA triad has been augmented with additional functions such as privacy and non-repudiation. Ultimately, these additional functions still roll up to the CIA triad in some way.
The Functional Responsibility of a Security Program
The CIA triad works well to describe, at a high level, what the security function is responsible for, but translating the CIA triad to a security program isn’t an apples-to-apples comparison. In reality, a security program must achieve visibility of its systems, governance of technical infrastructure, and administrivia of controls.
Let’s start by breaking down this graphic. First, the CIA Triad combined with the rules, regulations, standards, and frameworks define the security strategy of the organization.
At the strategic level, the first component of the cybersecurity strategy is the risk appetite of the organization. The risk appetite is like a mission statement for security. Basically, it is a statement that helps guide the organization on the level of risk it is willing to accept. For example: In the context of a bank, the risk appetite statement would state that, due to the enormous financial risk to the customers of the bank as a result of the loss of customer data, the level of risk the organization is willing to accept is low. In contrast, a non-profit organization with a low number of information technology assets and data might be willing to accept more risk.
There is an inverse relationship between risk tolerance and cost. The lower your risk tolerance, the higher the costs of your security program. This is a double-edged sword, however, because cybercriminals do not care about your risk statement. They will hack you regardless. If you’re not investing enough in cybersecurity because you presume you are safe, the costs to recover may be more than the initial investment in security.
The bottom line is simple: If your leadership isn’t bought into your security program, just imagine what they will do if you have a breach. They will hand you a box and wish you well.
The blame after an incident will always fall on the leader.
Getting buy-in from your executive team can be a difficult task, especially if your organization has been historically resistant to change. In our experience with The Penn Group, getting executive buy-in isn’t about driving fear; it is about building trust. Often, security is sold with eye-popping stats about millions of dollars in losses. The problem with this approach is that, over time, executives become desensitized to the statistics and interpret the data as fear mongering. This isn’t to say that you should ignore the facts. Security stats can be helpful in telling the story of a security program. They shouldn’t be the story.
Regulations, Standards and Compliance
Regulations, standards, and compliance requirements vary by industry, but there are some very specific security requirements that legally have to be met. When working to gather executive buy-in, gather a list of the security requirements that you have to meet. With varying degrees of fines and consequences for non-compliance, this may be an effective way to get traction for your security program. It is important to note that the pursuit of compliance as a strategy is a misguided approach. The pursuit of compliance will almost always result in the organization prioritizing what is known as “checkbox security”. Checkbox security is when security activities are done simply to say or document that they have been done, rather than for a specific security need.
Once you have leadership buy-in, it is critical to continuously tell the story of security. Often, reporting statistics on intrusion attempts, blocked IPs, incident reports, and industry trends is just as important as the initial buy-in. Otherwise, the pressure to invest dollars elsewhere within your organization may strip the security team of critical resources. Quarterly reports tend to be effective in communicating on the topic of security; more frequent reports may be required during upticks in criminal activity.
Strategic security revolves around the management of risk, compliance, and audits. Cybercriminals do not care about your audit department or your security budget. With every cybersecurity program, there is a subset of activity that is entirely technical and a majority of activity that is administrivia. The challenge with any information security program is the need to perform technical security on a large scale. It is reasonably simple to lock down a single workstation or web server from attack. The process can take between 30 minutes and several hours, and at the end you have a hardened box. When your IT asset inventory is numbered in the thousands, it becomes extremely difficult or impossible to manage at that scale. With security talent already limited, the alternative is to turn to automation and simplification.
In its most simple form, technical security should achieve the following things:
1) Maximum visibility of systems with ability to respond to incidents.
2) Information system architecture and assets are hardened and validated.
3) A flexible technology stack that is performance optimized.
Maximizing your visibility into your systems, hardening your architecture and assets, and technological flexibility are the foundations of technical security. The challenge with achieving these seemingly simple goals is the management and validation of those goals. It isn’t enough to do information security. You have to prove that you’re doing it to a sufficient level (compliance) or even to an enhanced level (rules/frameworks). Governance, Risk, and Compliance, often abbreviated as GRC, is the functional management of your cybersecurity program.
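The two preceding points, validating hardening across an inventory too large to check by hand and turning the result into the kind of metrics leadership reporting needs, can be shown in a short script. The following is an added example written for this article, not code from The Penn Group; the baseline controls, host names, and observed settings are constructed sample data, and in practice the inventory would be pulled from a configuration-management tool or CMDB rather than embedded in the script.

```python
"""Validate an asset inventory against a hardening baseline and summarize the result.

Added example for illustration. BASELINE and INVENTORY are constructed sample data;
the control names are hypothetical and stand in for whatever your baseline defines.
"""
from collections import Counter

# Constructed hardening baseline: control name -> expected observed value.
BASELINE = {
    "ssh_password_auth": "no",
    "firewall_enabled": True,
    "auto_updates": True,
    "log_forwarding": True,
    "disk_encryption": True,
}

# Constructed inventory: one record per host with the settings that were observed.
# db-01 deliberately has no "log_forwarding" entry to show how an unreported
# control is treated.
INVENTORY = [
    {"host": "web-01", "owner": "platform", "ssh_password_auth": "no",
     "firewall_enabled": True, "auto_updates": True, "log_forwarding": True,
     "disk_encryption": True},
    {"host": "web-02", "owner": "platform", "ssh_password_auth": "yes",
     "firewall_enabled": True, "auto_updates": True, "log_forwarding": True,
     "disk_encryption": True},
    {"host": "db-01", "owner": "data", "ssh_password_auth": "no",
     "firewall_enabled": True, "auto_updates": True, "disk_encryption": True},
    {"host": "ws-117", "owner": "workplace", "ssh_password_auth": "no",
     "firewall_enabled": True, "auto_updates": False, "log_forwarding": True,
     "disk_encryption": False},
]


def check_host(record, baseline=BASELINE):
    """Return the baseline controls this host fails, in baseline order.

    A control that was never observed counts as a failure: if you cannot show
    evidence that a control is in place, you cannot claim it is.
    """
    failures = []
    for control, expected in baseline.items():
        observed = record.get(control)
        if observed is None or observed != expected:
            failures.append(control)
    return failures


def assess_inventory(inventory, baseline=BASELINE):
    """Evaluate every host and return per-host failures plus summary metrics."""
    per_host = {rec["host"]: check_host(rec, baseline) for rec in inventory}
    compliant = sum(1 for failures in per_host.values() if not failures)
    # Count how many hosts fail each control so the most common gaps are visible.
    by_control = Counter(c for failures in per_host.values() for c in failures)
    total = len(inventory)
    return {
        "hosts": total,
        "compliant_hosts": compliant,
        "coverage_pct": round(100.0 * compliant / total, 1) if total else 0.0,
        "failures_by_control": dict(by_control),
        "per_host": per_host,
    }


def format_report(summary):
    """Render the summary as plain text suitable for a periodic security report."""
    lines = [
        f"Hosts assessed: {summary['hosts']}",
        f"Fully compliant: {summary['compliant_hosts']} ({summary['coverage_pct']}%)",
        "Failures by control:",
    ]
    for control, count in sorted(summary["failures_by_control"].items(),
                                 key=lambda item: (-item[1], item[0])):
        lines.append(f"  {control}: {count} host(s)")
    lines.append("Non-compliant hosts:")
    for host, failures in summary["per_host"].items():
        if failures:
            lines.append(f"  {host}: {', '.join(failures)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(assess_inventory(INVENTORY)))
```

The design choice worth noting is that an unreported control is a failure, not an unknown: the article's point is that security has to be proven, so a host that cannot show evidence for a control is treated the same as one that fails it. The per-control counts answer the question leadership usually asks first (which gap is most widespread), while the per-host list gives the technical team its work queue.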
Building a Governance, Risk, and Compliance Program
Building a GRC program starts out with the definition of policies at the leadership level of the organization. A policy commits the organization to do something. A process explains how the organization expects to accomplish what the policy requires. A procedure explains, at a basic level, exactly how to perform the process.
Security frameworks are a great foundation to build your information security governance program. In the United States of America, most large enterprise organizations utilize the NIST Cybersecurity Framework.
Here are some additional frameworks that are useful by industry:
– NIST CSF
– For the Financial Services industry
– For the Healthcare industry
– For the Energy sector
While frameworks are important and can be helpful in developing an information security program, activities must be in line with your risk appetite and cybersecurity strategy for your organization. You must get leadership buy in and carefully draft policy and procedures that commit your organization to do the right things.
Austin Harman is the President & CEO of The Penn Group. He currently holds the coveted CISSP certification, in conjunction with the CCSP, CAP, and Security+ certifications from ISC2 and CompTIA respectively. He resides in Columbus, Ohio.
- Consultant Qualifications
  - CISSP (Certified Information Systems Security Professional)
  - CCSP (Certified Cloud Security Professional)
  - CompTIA Security+
  - CEH (Certified Ethical Hacker)
  - Offensive Security Certified Practitioner (OSCP)
- Industry Experience
  - Federal Government
  - For-Profit Enterprise
  - For-Profit Small-Medium Business
Our Commitment To You
You are not a number, but a partner
One of The Penn Group’s core values is Excellence. Our customers deserve our best, and nothing short of it. We are on a mission to secure our nation’s information systems and protect our customers. We don’t take the responsibility lightly. We know that all it takes is one wrong click, and reputations and lives can be ruined. We bring our best. We develop the best people, and we deliver the best results; anything less is unacceptable.
Austin Harman, President & CEO, CISSP