By HP Security Strategist Stan Wisseman
The constant stream of security incidents has convinced your executive leadership and Board to take action – they’ve asked you to build out an information security program and provided the funding to do so. Where to start? It’s possible to spend a lot of money on information security enhancements that are ineffective against today’s threats. What are the most important cyber-related risks to address? How can the information security program support the mission of the organization? How can the program get properly resourced?
Baselining against a Framework
A good place to start is by leveraging a cybersecurity control framework. Use of a framework isn’t a silver bullet, but it gives you a vetted reference model of best practices to work with. There are several frameworks to consider, including ISO/IEC 27001:2013, the NIST Cybersecurity Framework (CSF), and the SANS Critical Security Controls for Effective Cyber Defense. I’ve used ISO 27001/2 as a framework with some success. The difficulty with all ISO standards, in my opinion, is that the revision cycles are long and the standards may not adapt quickly enough to the evolving threat landscape. Also, ISO standards can be bloated with excessive wording, long lists, and unnecessary prescriptive text. SANS helpfully prioritizes its list of 20 critical controls to help you focus on what it views as the most effective measures. Some prefer the SANS top 20 due to its practical nature. The NIST CSF leverages existing cybersecurity best practices (ISO 27001, COBIT, ISA 99, etc.) and is divided into five “core functions” with categories and subcategories beneath them.
The CSF was built with the flexibility to add new categories and subcategories as new requirements arise. You can also use more function-specific frameworks like Cigital’s Build Security In Maturity Model (BSIMM) for software security, or HP’s Security Operations Maturity Model (SOMM) for security operations.
Whichever framework(s) you select, it’s a good practice to assess your organization’s current security posture against the framework to establish a baseline capability and identify functional gaps. Don’t get discouraged by the results! We are all on a journey to enhance the maturity of our security control environments. As reflected in a recent post by Brian Krebs, understanding where your organization is on the maturity scale is a valuable reference as you develop your program roadmap. You will want to focus on the most impactful enhancements to close gaps and enhance program maturity. As was shown in HP’s 2015 Cyber Risk Report, these could be a combination of dealing with the basics (e.g., secure platform configurations) as well as more advanced capabilities (e.g., user behavioral analytics). I recommend development of a multi-year roadmap that aligns with overall organization goals and manages InfoSec risks within the risk appetite of the organization. Now you’ve got to resource the plan.
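The baseline-and-gap exercise described above can be made concrete in a few lines of code. The following is an added example, not code from the original post or from HP: it takes a set of control assessments scored on a 0–5 maturity scale, rolls them up to the five NIST CSF core functions (Identify, Protect, Detect, Respond, Recover, which are real), ranks the open gaps by an impact-weighted score, filters out gaps that fall within a stated risk appetite, and lays the remainder out as a multi-year roadmap constrained by how many maturity levels the team can close per year. The control names, scores, impact weights, maturity scale and risk-appetite threshold are all constructed placeholders, not real CSF subcategory identifiers or assessment results.

```python
"""Baseline an assessed security posture against a framework and rank the gaps.

Added example (not code from the original post or from HP). The five NIST CSF
core functions are real; the control names, maturity scores, impact weights and
risk appetite below are constructed placeholders for illustration only.
"""
from dataclasses import dataclass
from statistics import mean

CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
MAX_MATURITY = 5  # assumed scale: 0 = no capability ... 5 = optimized


@dataclass(frozen=True)
class ControlAssessment:
    function: str   # one of CSF_FUNCTIONS
    control: str    # hypothetical control label (constructed)
    current: int    # assessed maturity, 0..MAX_MATURITY
    target: int     # maturity the roadmap requires
    impact: int     # 1..5, weight of this control to the mission

    def gap(self) -> int:
        """Maturity levels still to be gained; never negative."""
        return max(0, self.target - self.current)

    def risk_score(self) -> int:
        """Gap weighted by mission impact; larger means more urgent."""
        return self.gap() * self.impact


def validate(assessment):
    """Reject records outside the framework or the maturity/impact scales."""
    for a in assessment:
        if a.function not in CSF_FUNCTIONS:
            raise ValueError(f"{a.control}: unknown core function {a.function!r}")
        if not (0 <= a.current <= MAX_MATURITY and 0 <= a.target <= MAX_MATURITY):
            raise ValueError(f"{a.control}: maturity outside 0..{MAX_MATURITY}")
        if not 1 <= a.impact <= 5:
            raise ValueError(f"{a.control}: impact outside 1..5")


def baseline_by_function(assessment):
    """Roll control results up to (mean current, mean target) per core function."""
    validate(assessment)
    result = {}
    for fn in CSF_FUNCTIONS:
        rows = [a for a in assessment if a.function == fn]
        if rows:
            result[fn] = (mean(a.current for a in rows), mean(a.target for a in rows))
    return result


def prioritized_gaps(assessment, risk_appetite=0):
    """Controls whose weighted gap exceeds the accepted residual, most urgent first."""
    validate(assessment)
    open_items = [a for a in assessment if a.risk_score() > risk_appetite]
    return sorted(open_items, key=lambda a: (-a.risk_score(), -a.impact, a.control))


def multi_year_roadmap(assessment, levels_per_year, risk_appetite=0):
    """Greedy plan: spend a yearly budget of maturity levels in priority order.

    Returns a list of years, each a list of control names. An item that does not
    fit the remaining budget of the current year is deferred to the next year.
    """
    years, current_year, remaining = [], [], levels_per_year
    for a in prioritized_gaps(assessment, risk_appetite):
        if a.gap() > levels_per_year:
            raise ValueError(f"{a.control}: gap {a.gap()} exceeds yearly capacity")
        if a.gap() > remaining:
            years.append(current_year)
            current_year, remaining = [], levels_per_year
        current_year.append(a.control)
        remaining -= a.gap()
    if current_year:
        years.append(current_year)
    return years


# Constructed sample assessment (scores are invented for illustration).
SAMPLE_ASSESSMENT = [
    ControlAssessment("Identify", "asset inventory", 2, 4, 4),
    ControlAssessment("Protect", "secure platform configuration", 1, 4, 5),
    ControlAssessment("Protect", "access control", 3, 4, 4),
    ControlAssessment("Detect", "log monitoring", 1, 3, 5),
    ControlAssessment("Detect", "user behaviour analytics", 0, 2, 2),
    ControlAssessment("Respond", "incident response plan", 3, 3, 4),
    ControlAssessment("Recover", "backup and restore testing", 2, 4, 3),
]

if __name__ == "__main__":
    for fn, (cur, tgt) in baseline_by_function(SAMPLE_ASSESSMENT).items():
        print(f"{fn:<9} current {cur:.1f}  target {tgt:.1f}")
    for a in prioritized_gaps(SAMPLE_ASSESSMENT, risk_appetite=5):
        print(f"score {a.risk_score():>2}  {a.function:<8} {a.control}")
    for year, items in enumerate(multi_year_roadmap(SAMPLE_ASSESSMENT, 4), start=1):
        print(f"year {year}: {', '.join(items)}")
```

With the sample data, a risk appetite of 5 drops the two low-scoring gaps (access control and user behaviour analytics) from the priority list, and a budget of four maturity levels per year turns the remaining gaps into a four-year plan that tackles secure platform configuration first, matching the post's advice to start with basics that carry the highest mission impact. The scoring function is deliberately simple; a real program would replace the impact weights with the output of its own risk assessment.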
Developing a Cybersecurity Workforce
Resourcing, however, is the next challenge – developing a workforce with the abilities to execute the roadmap. It’s difficult to find individuals with a balance of technical skills and the soft skills necessary to constructively engage with business partners. I recommend a competency-based talent approach rather than one based solely on experience or certifications (the NICCS National Cybersecurity Workforce Framework is a useful reference). You also need to be open-minded when recruiting, given that the demand for cybersecurity-skilled professionals has outstripped supply in the US, with an estimated 209K jobs going unfilled. You may need to develop talent from within through professional development programs, or consider outsourcing some functions.
Once you’ve captured your workforce requirements, you can determine which roles are better filled by employees and which can be provided by external parties. In certain cases, outsourcing cybersecurity functions provides benefits that include lower costs, additional expertise, operational efficiencies and a lower burden on management. For small to medium businesses, outsourcing makes it possible to have many of the same capabilities as larger organizations, but at a lower cost than building the capability in house.
It is critical that you have a flexible and well-rounded team, whether they are in-sourced, outsourced, or a hybrid. A great analogy is NASA’s Mission Control Center (MCC). The MCC has an integrated team of flight controllers certified in particular disciplines such as electrical power, thermal control, trajectory, payload, or medical. All of them have a general understanding of the mission parameters, but each team member has unique knowledge. If a mission incident does occur, they can combine their collective wisdom to develop a comprehensive and effective plan (think of the MCC during Apollo 13).
Likewise, you need a battle-hardened team composed of SMEs in various domains (e.g., software security, network defense, cyber operations, digital forensics), each well versed in their respective domain. Most importantly, you need to see how the whole program hangs together in order to create a “mission plan”, as well as a team that responds effectively when there is a newly discovered vulnerability, breach or attack.
View the original content and more from this author here: http://ift.tt/1bb9fXp