
How To Build a Cybersecurity Program


Learn how to build a cybersecurity program from the cybersecurity strategy down to tactical technical security.


Building a cybersecurity program is an interesting challenge in today's Information Technology landscape. As the President & CEO of The Penn Group, building an information security program that is cost effective, robust, and agile is one of the core subjects my company consults on. Cybersecurity, the function of the security team, is an exceedingly complicated operation. Within the context of the business, cybersecurity is, most of the time, an oversight function. Without executive buy-in, the cybersecurity program is dead in the water. Despite this complexity, the nobility of the security program is palpable: with an effective cybersecurity program, you are on the front line protecting your customers and, in some industries, their lives. In this article, I will take you through building a cybersecurity program.

What Is a Cybersecurity Program?

Figure: The CIA Triad

Cybersecurity programs must be enormously agile, yet there must be robust governance to guide the organization. Building a cybersecurity program takes time, dedication, the right team, and leadership buy-in to be successful. A successful cybersecurity program reduces risk to the organization, saves the company money by reducing the likelihood and cost of an incident, and improves the resiliency of the organization. The cybersecurity program's role is to assure the confidentiality, integrity, and availability of information technology. This is the CIA triad, and for years it has been the gold standard functional description of cybersecurity. In recent years, the CIA triad has been augmented with additional properties such as privacy and non-repudiation. Ultimately, these additional properties still roll up to the CIA triad in some way.

The Functional Responsibility of a Security Program

The CIA triad works well to describe, at a high level, what the security function is responsible for, but translating the CIA triad into a security program isn't an apples-to-apples comparison. In practice, a security program must achieve visibility into its systems, governance of the technical infrastructure, and administration of controls.

Figure: The foundation of a cybersecurity program (information security strategy graphic)

Let's start by breaking down this graphic. First, the CIA triad, combined with the rules, regulations, standards, and frameworks that apply to the organization, defines the organization's security strategy.

Cybersecurity Strategy

At the strategic level, the first component of the cybersecurity strategy is the risk appetite of the organization. The risk appetite is like a mission statement for security: a statement that guides the organization on the level of risk it is willing to accept. For example, a bank's risk appetite statement would say that, because the loss of customer data carries enormous financial risk for the bank's customers, the level of risk the organization is willing to accept is low. In contrast, a non-profit with few information technology assets and little sensitive data might be willing to accept more risk.

Figure: The inverse relationship between risk tolerance and cost.

There is an inverse relationship between risk tolerance and cost: the lower your risk tolerance, the higher the cost of your security program. This is a double-edged sword, however, because cybercriminals do not care about your risk statement. They will hack you regardless. If you under-invest in cybersecurity because you feel safe, the cost of recovering from an incident may exceed what the security investment would have cost.


Leadership Buy-In

The bottom line is simple: if your leadership isn't bought into your security program, imagine what they will do when you have a breach. They will hand you a box and wish you well.

The blame after an incident will always fall on the leader.

Getting buy-in from your executive team can be a difficult task, especially if your organization has historically been resistant to change. In our experience at The Penn Group, getting executive buy-in isn't about driving fear; it is about building trust. Security is often sold with eye-popping statistics about millions of dollars in losses. The problem with this approach is that, over time, executives become desensitized to the statistics and interpret the data as fear mongering. This isn't to say that you should ignore the facts. Security statistics can be helpful in telling the story of a security program. They shouldn't be the story.

Regulations, Standards and Compliance

Regulations, standards, and compliance requirements vary by industry, but some very specific security requirements legally have to be met. When working to gather executive buy-in, compile the list of security requirements your organization must meet. Given the fines and other consequences of non-compliance, this can be an effective way to get traction for your security program. It is important to note, however, that pursuing compliance as a strategy is a misguided approach. The pursuit of compliance almost always results in the organization prioritizing what is known as "checkbox security": security activities done simply so that they can be documented as done, rather than to address a specific security need.

Ongoing Reporting

Once you have leadership buy-in, it is critical to continuously tell the story of security. Reporting statistics on intrusion attempts, blocked IPs, incident reports, and industry trends is often just as important as the initial buy-in. Otherwise, the pressure to invest dollars elsewhere in the organization may strip the security team of critical resources. Quarterly reports tend to be effective for communicating on the topic of security; more frequent reports may be required during upticks in criminal activity.
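As an added example (not part of the original article), the numbers such a report cites, failed intrusion attempts, blocked sources, targeted accounts, can be produced from raw logs rather than estimated. The log lines, host names, addresses and the five-failure block threshold below are constructed for the example; the parsing follows the OpenSSH sshd message format.

```python
"""Turn raw sshd authentication log lines into quarterly report figures.

Added example; SAMPLE_LOG and BLOCK_THRESHOLD are constructed assumptions,
not data or policy from the original article.
"""
import re
from collections import Counter

# Constructed sample: one quarter of sshd auth lines from three hosts.
SAMPLE_LOG = """\
Jan 03 02:14:01 web1 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 03 02:14:03 web1 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 03 02:14:05 web1 sshd[812]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan 03 02:14:08 web1 sshd[812]: Failed password for root from 203.0.113.7 port 51031 ssh2
Jan 03 02:14:09 web1 sshd[812]: Failed password for root from 203.0.113.7 port 51032 ssh2
Jan 03 09:00:12 web1 sshd[901]: Accepted publickey for deploy from 198.51.100.20 port 40012 ssh2
Feb 11 22:40:44 db1 sshd[2201]: Failed password for postgres from 198.51.100.99 port 33001 ssh2
Feb 11 22:41:02 db1 sshd[2201]: Failed password for postgres from 198.51.100.99 port 33002 ssh2
Mar 02 04:01:00 web2 sshd[77]: Failed password for invalid user test from 192.0.2.55 port 60001 ssh2
Mar 02 04:01:01 web2 sshd[77]: Failed password for invalid user test from 192.0.2.55 port 60002 ssh2
Mar 02 04:01:02 web2 sshd[77]: Failed password for invalid user test from 192.0.2.55 port 60003 ssh2
Mar 02 04:01:03 web2 sshd[77]: Failed password for invalid user test from 192.0.2.55 port 60004 ssh2
Mar 02 04:01:04 web2 sshd[77]: Failed password for invalid user test from 192.0.2.55 port 60005 ssh2
Mar 02 04:01:05 web2 sshd[77]: Failed password for invalid user test from 192.0.2.55 port 60006 ssh2
Mar 30 10:00:00 web2 sshd[90]: Accepted publickey for deploy from 198.51.100.20 port 40013 ssh2
"""

# "invalid user" is emitted by sshd when the account does not exist at all.
_FAILED = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) (?P<day>\d{2}) \S+ (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)
_ACCEPTED = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) \d{2} \S+ (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port"
)

BLOCK_THRESHOLD = 5  # assumption: a source reaching this many failures is auto-blocked


def parse_auth_log(text):
    """Return (failures, accepted): one dict per matched line."""
    failures, accepted = [], []
    for line in text.splitlines():
        m = _FAILED.match(line)
        if m:
            d = m.groupdict()
            d["invalid"] = d["invalid"] is not None  # True if the account does not exist
            failures.append(d)
            continue
        m = _ACCEPTED.match(line)
        if m:
            accepted.append(m.groupdict())
    return failures, accepted


def blocked_sources(failures, threshold=BLOCK_THRESHOLD):
    """Sources whose failure count met the block threshold, most active first."""
    counts = Counter(f["ip"] for f in failures)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def quarterly_report(text, threshold=BLOCK_THRESHOLD):
    """Headline figures for a leadership report, computed from the raw log."""
    failures, accepted = parse_auth_log(text)
    blocked = blocked_sources(failures, threshold)
    return {
        "failed_logins": len(failures),
        "failed_logins_by_month": dict(Counter(f["month"] for f in failures)),
        "unique_attack_sources": len({f["ip"] for f in failures}),
        "blocked_ips": [ip for ip, _ in blocked],
        "attempts_against_nonexistent_accounts": sum(f["invalid"] for f in failures),
        "most_targeted_accounts": Counter(f["user"] for f in failures).most_common(2),
        "successful_logins": len(accepted),
        # Password logins succeeding at all is itself a finding worth reporting.
        "successful_password_logins": sum(a["method"] == "password" for a in accepted),
    }


if __name__ == "__main__":
    for key, value in quarterly_report(SAMPLE_LOG).items():
        print(f"{key:40} {value}")
```

Pointing `quarterly_report` at a real log export gives the same structure for every quarter, so the report compares like with like, and the "blocked IPs" figure is derived from the same threshold the blocking control actually uses rather than quoted separately.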

Functional Security

Strategic security revolves around the management of risk, compliance, and audits. Cybercriminals do not care about your audit department or your security budget. In every cybersecurity program there is a subset of activity that is entirely technical and a majority that is administrative. The challenge with any information security program is the need to perform technical security at scale. It is reasonably simple to lock down a single workstation or web server: the process takes between 30 minutes and several hours, and at the end you have a hardened box. When your IT asset inventory numbers in the thousands, it becomes extremely difficult or impossible to manage by hand. With security talent already limited, the alternative is to turn to automation and simplification.

In its most simple form, technical security should achieve the following things:

1) Maximum visibility into systems, with the ability to respond to incidents.

2) Information system architecture and assets are hardened and validated.

3) A flexible technology stack that is performance optimized.
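As an added example, not code from the original article, the scale problem described above is usually addressed by expressing the hardening baseline as data and validating every asset against it automatically, which covers goal 2 (hardened and validated) and feeds goal 1 (visibility). The baseline checks, host roles and inventory snapshots below are constructed assumptions; in practice the snapshots would come from configuration management or endpoint tooling.

```python
"""Validate a hardening baseline across an asset inventory, not box by box.

Added example; BASELINE and INVENTORY are constructed assumptions, not
values from the original article or any real environment.
"""
from collections import Counter

MISSING = "<not reported>"  # sentinel for a setting the snapshot did not include

# Baseline as data: (setting, operator, expected). "all" applies to every
# asset; role-specific checks are added on top of it.
BASELINE = {
    "all": [
        ("ssh.password_authentication", "eq", "no"),
        ("ssh.permit_root_login", "eq", "no"),
        ("patch_age_days", "le", 30),
        ("edr_agent", "eq", "running"),
        ("disk_encryption", "eq", "enabled"),
    ],
    "webserver": [
        ("tls.min_version", "in", {"1.2", "1.3"}),
        ("http.server_header", "eq", "hidden"),
    ],
    "workstation": [
        ("screen_lock_seconds", "le", 900),
    ],
}

# Constructed snapshots, in the shape a collector agent would report.
INVENTORY = [
    {"host": "web1", "role": "webserver", "ssh.password_authentication": "no",
     "ssh.permit_root_login": "no", "patch_age_days": 12, "edr_agent": "running",
     "disk_encryption": "enabled", "tls.min_version": "1.2",
     "http.server_header": "hidden"},
    {"host": "web2", "role": "webserver", "ssh.password_authentication": "yes",
     "ssh.permit_root_login": "no", "patch_age_days": 45, "edr_agent": "running",
     "disk_encryption": "enabled", "tls.min_version": "1.0",
     "http.server_header": "hidden"},
    {"host": "ws-17", "role": "workstation", "ssh.password_authentication": "no",
     "ssh.permit_root_login": "no", "patch_age_days": 3, "edr_agent": "stopped",
     "disk_encryption": "enabled", "screen_lock_seconds": 600},
    # disk_encryption is absent here: the agent never reported it.
    {"host": "ws-42", "role": "workstation", "ssh.password_authentication": "no",
     "ssh.permit_root_login": "no", "patch_age_days": 8, "edr_agent": "running",
     "screen_lock_seconds": 600},
]


def _holds(op, actual, expected):
    """Evaluate one check. The operator set is deliberately tiny."""
    if op == "eq":
        return actual == expected
    if op == "le":
        return actual <= expected
    if op == "in":
        return actual in expected
    raise ValueError(f"unknown operator {op!r}")


def evaluate_host(snapshot, baseline=BASELINE):
    """Findings for one asset as (setting, actual, expected) tuples.

    An unreported setting counts as a finding: "unknown" is not "compliant".
    That is the validation step, as opposed to merely applying the hardening.
    """
    checks = baseline["all"] + baseline.get(snapshot["role"], [])
    findings = []
    for setting, op, expected in checks:
        actual = snapshot.get(setting, MISSING)
        if actual is MISSING or not _holds(op, actual, expected):
            findings.append((setting, actual, expected))
    return findings


def evaluate_fleet(inventory, baseline=BASELINE):
    """Run the baseline over every asset and roll the results up."""
    results = {s["host"]: evaluate_host(s, baseline) for s in inventory}
    compliant = [h for h, f in results.items() if not f]
    by_setting = Counter(setting for f in results.values() for setting, _, _ in f)
    pct = round(100 * len(compliant) / len(inventory), 1) if inventory else 0.0
    return {
        "hosts": len(inventory),
        "compliant_hosts": len(compliant),
        "coverage_pct": pct,
        "findings": results,
        "most_common_findings": by_setting.most_common(3),
    }


if __name__ == "__main__":
    fleet = evaluate_fleet(INVENTORY)
    print(f"{fleet['compliant_hosts']}/{fleet['hosts']} hosts meet baseline "
          f"({fleet['coverage_pct']}%)")
    for host, findings in fleet["findings"].items():
        for setting, actual, expected in findings:
            print(f"  {host}: {setting} = {actual!r}, expected {expected!r}")
```

Keeping the baseline as data rather than as a script per host is what makes it scale: adding a control is one line, a new asset is a new snapshot, and the roll-up (`coverage_pct`, `most_common_findings`) is exactly the kind of figure the ongoing reporting to leadership needs.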


Security Governance

Maximizing your visibility into your systems, hardening your architecture and assets, and technological flexibility are the foundations of technical security. The challenge with achieving these seemingly simple goals is managing and validating them. It isn't enough to do information security; you have to prove that you are doing it to a sufficient level (compliance) or even to an enhanced level (rules and frameworks). Governance, Risk, and Compliance, often abbreviated as GRC, is the functional management of your cybersecurity program.

Building a Governance, Risk, and Compliance Program

Building a GRC program starts with the definition of policies at the leadership level of the organization. A policy commits the organization to do something. A process explains how the organization expects to accomplish what the policy requires. A procedure explains, step by step, exactly how to perform the process.


Security Frameworks

Security frameworks are a great foundation on which to build your information security governance program. In the United States, most large enterprise organizations use the NIST Cybersecurity Framework (CSF).

Here are some frameworks and regulations that are commonly relevant, first in general and then by industry (GDPR and CCPA are privacy regulations rather than security frameworks, but they impose security obligations):

– NIST CSF

– NIST SP 800-53

– NIST SP 800-37

– GDPR

– CCPA

– ISO/IEC 27000 series

For the Financial Services Industry

– FFIEC Examination Handbook

– GLBA

– NYCS

For the Healthcare Industry

– HIPAA

For the Energy Sector

– Energy Sector Cybersecurity Framework Implementation Guidance


Summary

While frameworks are important and can be helpful in developing an information security program, activities must be in line with your organization's risk appetite and cybersecurity strategy. You must get leadership buy-in and carefully draft the policies and procedures that commit your organization to doing the right things.

Austin Harman is the President & CEO of The Penn Group. He currently holds the coveted CISSP certification, in conjunction with the CCSP, CAP, and Security+ certifications from ISC2 and CompTIA respectively. He resides in Columbus, Ohio.
