The Board gathers in a room in a pensive mood. Everyone is fully aware that they must protect their infrastructure estate and critical data. However, the question of whether these are adequately protected, is causing our C-suite sleepless nights. Additional questions include:
- Is our operational environment secure?
- Have we got 'enough' security?
- Are we protecting the right assets?
- Which security solutions will best fill our current gaps?
- Would layered defence help us?
- Are we spending too much, too little, or just the right amount?
A strategy is the foundation of a cyber security programme; however, the implementation is key. The following recommendations should improve our leadership's sleep patterns:
- Assess the current operational environment.
Questioning whether an organisation is secure will rarely elicit a 'yes' or 'no' answer. This needs to be considered within an organisation's business context and risk appetite. This is especially true when trying to determine if an organisation has 'enough' security; it is a trade-off between safeguarding business assets and limiting the business impacts of security controls.
- Cyber defence is not a one-time solution.
New threats emerge, existing threats evolve, and attacker capability grows. Once security toolsets, capabilities and resources are in place, the business environment needs to be continuously monitored to ensure the current state is still effective and improvements are implemented as needed to mitigate any new threats.
- To protect the right assets, maintain a full inventory of the organisation's estate.
It is quite difficult to protect unknown assets. The effects felt from a loss of access to, unauthorised disclosure of, or corruption of business-critical assets should be ranked based on their value to the organisation, and should factor in legal, regulatory and contractual obligations. Obtaining clarity on the current state will be the first step in determining an organisation's security maturity. Operational processes will also have a critical role in enforcing security. It is not possible to protect everything, so categorising and prioritising assets based on value and criticality will help maintain focus.
- When new toolsets and resources are needed, these must take account of the current operational environment.
Selecting cyber security solutions is not a trivial exercise; the market is filled with a wide array of products with the same apparent functionality. Organisations will have existing infrastructure, systems, operational capabilities and business processes that need to be factored into the selection process. Historically, the operational environment may not have been designed with security in mind, often with no input from the security architecture team. By the time a security architect makes first contact with the business, an organisation may have undergone multiple rounds of mergers and acquisitions, spin-offs or reorganisations.
If part of an organisation has already implemented security solutions that have been proven to be effective, it tends to be less disruptive and more efficient to the business to expand and augment that solution across the wider organisation. It will still be necessary to regularly assess security solutions to ensure they remain suited to business requirements.
- Implement a layered defence approach, with the most valuable assets protected by more layers.
Implementing multiple protective layers will make an environment more challenging for attackers to penetrate, and require them to bypass multiple controls before they can reach their target. No defence is infallible, so even if some of the controls fail, there are other layers of resistance in place to either prevent an attack or provide defenders with sufficient time to detect an attack.
- Resist the shiny objects.
It is always tempting to spend on new 'toys' and request additional resources, but no organisation has unlimited resources for cyber security. Value from the existing toolset and resources should be maximised first. The resources spent on protection should be in proportion to the value of the assets they are safeguarding. Security toolsets and resources should also be reviewed regularly to ensure they continue to meet business and security requirements. This disciplined approach will provide structure and visibility, which will go a long way to ensure the right amount of security resources are in place.
For our board, unfortunately there is no prescriptive answer on the right solution to protect an organisation in the modern world. Along the way, difficult decisions will need to be made and there may be no straightforward answers; however, the above steps should help our C-suite rest easier.
Progress on all fronts will help an organisation's ability to recover from an incident. Cyber resilience must be considered as part of an organisation's security strategy. In the event of a breach, organisations need to ensure they are prepared to deal with the consequences. Recent incidents have shown that a prepared and orderly response will boost market and regulator confidence, and strengthen client loyalty.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.