Over the years I have had the opportunity to develop successful cybersecurity programs for many organizations. When creating a cybersecurity program, an organization must know where it is at and where it wants to go. Though not a requirement, cybersecurity frameworks or standardization documents written by experts in the field are helpful in designing a program and roadmap. Without this, the cybersecurity program will have no direction and will not achieve the organizations goals.
Get Executive Buy-In
You were just hired into an organization or promoted to work on their cybersecurity program. Congratulations! Now what? You need to gain executive buy-in for the program. This can be easy or extremely challenging. Chances are if you were hired as their first cybersecurity employee, the organization is taking this seriously. However, this does not mean it will be smooth sailing. You may need to teach cybersecurity best practices to those in the executive suite. This will ensure that the program is well understood and can be prioritized within the organization.
In addition to gaining executive buy-in for the program, you need to provide reoccurring status updates. This can be in the form of sending out email statements to having monthly meetings with executive stakeholders. This is needed to provide updates on where the organization is at with the cybersecurity program. It is also a perfect time to solicit feedback from the leadership team of how they see the program has progressed, any shortcomings, or express any concerns they may have. A continuous feedback loop is needed to ensure that the security program is meeting objectives set out by the business.
Pick a Cybersecurity Framework
There are plenty of cybersecurity frameworks to choose from, but which one is right for your organization? First, you must decide whether you need to aim for a certification for a given framework such as the ISO 27000 series. If certification is not a top priority, you can choose from some of the other well known cybersecurity frameworks such as the NIST Cybersecurity Framework or those developed by the Australian Cyber Security Centre.
For organizations who are just starting off and looking for a well rounded framework to choose I recommend using both the NIST Cybersecurity Framework along with the Centers for Internet Security Top 20 Security Controls. Why two you ask? The NIST Cybersecurity Framework is a great framework to standardize the organizations administrative controls. These would be considered your policies, standards, procedures, and guidelines. The Centers for Internet Security Top 20 Security Controls is a framework for your technical controls. These controls aim at how servers or networks are configured, having antivirus deployed, or a robust patching cadence. These two frameworks complement each other well and provide the foundation for how you want your security program.
Perform An Audit
The audit stage is critical as it will determine the outcome of your organizations current and future states for the cybersecurity program. Take plenty of time to review the selected framework as this will guide you through the audit process. Prior to performing the audit you must gather as much information as possible about the organization and its IT resources. Gathering documentation, architectural drawings, application flow drawings, policies, standards, and procedures, along with reviewing previous audits will help you gain insight into the environment.
Once the collection and review of documentation is complete, you then begin the interview process. The interview process is designed to gain additional insight into the environment that was not discovered during the document collection phase. When performing the interviews one must first consider their audience. Are they technical or non-technical? Will they understand what is being asked? Taking that into consideration will assist in getting to the answers you are looking for.
Determine Your Current State
When the audit is complete, it is time to perform a Gap analysis. The Gap analysis will help to determine the current state of your cybersecurity and information technology programs. Cybersecurity objectives from the framework that the organization met mean you can close that objective out. Any deficiencies found during the audit will become findings. The contrast between the objectives that you meet versus the ones you do not will be the outcome of the Gap analysis. This analysis will be the current state of your program. This current state report is what is to be presented to senior management or a steering team committee.
Develop A Future State Cybersecurity Roadmap
Now that the current state is defined, its time to define the strategic roadmap or future state of your cybersecurity program. The future state is where you would like to see your cybersecurity program 6 months – 5 years out. The Gap analysis performed when developing the current state will help define this for you. Objectives which are easy to implement can be put in place fairly quickly, ones that take a fair amount of planning and funding to implement will be placed on a strategic roadmap for future implementations.
Determining where to start can be daunting however there are two places to look for assistance. If you chose to use the Centers for Internet Security framework, this is already laid out for you. The Top 20 controls are in order of what should be implemented within the environment. The first 6 controls are what they call, “Basic.” As the name implies, these controls build the basic controls of the program which include:
Centers for Internet Security – Basic Controls
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Continuous Vulnerability Management
- Controlled Use of Administrative Privileges
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- Maintenance, Monitoring and Analysis of Audit Logs
If you decided to choose a different framework do not worry, there are other ways to determine your starting point. This will include the help of the Board of Directors or executive management. By understanding the business requirements, needs, and wants will drive the direction of your cybersecurity program, however push back where it makes sense.