New Year’s resolutions always start with gusto. As time passes and obstacles arise, resolutions tend to fade before they are achieved. Soteria is here to guide you towards a sustainable resolution and successful start to the new year and decade that will help your organization grow its security capabilities at an achievable rate. If you are uncertain where to start or want to add to your list of security goals Soteria recommends considering the following:
Gain an understanding of your risk. There are a variety of methods to understand your organization’s threat exposure and regulatory compliance requirements. Soteria recommends that a nascent security program conduct a general security assessment to gauge the organization’s security capabilities. A more mature security program, such as one with a team in place to mitigate vulnerabilities, may perform a penetration test to identify more granular flaws in the IT infrastructure. External penetration tests may also satisfy annual regulatory testing obligations. A more advanced security program may want to consider penetration tests of the internal network and wireless environments as well; these show how far an attacker who has already gained a foothold could reach, and therefore how large the impact of a compromise could really be.
Engage employees with security training that illustrates and defines their role in securing the organization. E-learning can be an effective training model but may also prompt eye rolls and groans from employees. Soteria recommends other effective options to ensure your employees are not just ‘clicking through’ training. Social engineering training tests your employees’ reporting and response efforts when it comes to activities such as phishing or vishing. With a post-test training session to explain the latest phishing trends and reveal the signs employees should have spotted in the phishing test, employees are drawn into a deeper discussion that affirms their critical role in ensuring the security of the organization.
Enhance your organization’s response capabilities by conducting tabletop exercises with your full response team. These exercises bring all responsible decision makers (yes, it’s more than just IT!) including compliance, legal, media and marketing, IT, security, and the C-suite to the table to run through tough questions such as “Do we pay the ransom?” and “How do we tell our clients?”, and they result in informed decision-making without the pressure of a real incident. Pre-determining, practicing, and documenting decision-making and team coordination will streamline response activities, which should reduce both impact and response time in the event of a real security incident.
Conduct a Business Impact Analysis to understand your critical systems. Evaluate the business impact of operations and systems to determine which systems are critical for the business to continue functioning. This will allow your organization to understand which systems need to be prioritized from a security and availability perspective. Once these systems are identified, Soteria recommends implementing controls that provide the appropriate level of security, and developing and rehearsing contingency plans for when failure happens. Seek executive-level agreement on the maximum acceptable data loss for each critical system and ensure that your backups are scheduled and retained accordingly.
Outline metrics against which you can measure your security program. Meaningful measurement of information security efficacy can be difficult beyond tracking the number of security alerts, events, or incidents. If you solely track alerts, events, or incidents, information security communication with management may only occur when there is an event or incident. Maintaining security program metrics can help clarify where you need to improve and provide justification for resource requests. Two metrics Soteria recommends starting with:
Recovery Time Objectives – Use your Business Impact Analysis, or start by reviewing the criticality of each system with your stakeholders. Combined with your response and restoration capabilities, enhance your Business Continuity and Disaster Recovery plan by defining Recovery Time Objectives (RTOs) for important systems. Where the RTO you can currently achieve is unacceptable to stakeholders, either improve your recovery capability to close the gap or gain formal business acceptance of the risk.
Capability Maturity Model – Using your security program’s framework (e.g. ISO, NIST, CIS), assign a maturity score to your security capability in each security domain (e.g. Vulnerability Management, Governance, Data Security), defined as Optimized, Quantified, Defined, Managed, Initial, or Ad Hoc. Capability scoring can be applied more granularly to the technical or process controls, depending on how advanced your security program is. This is useful when setting program improvement goals, as you can target moving a capability up to a specific maturity level.
[Figure: Example of a Capability Maturity Model for Vulnerability Management]
Have a backup plan. If Soteria can share one hard lesson learned from our clients in 2019, it’s from the many unfortunate ransomware incidents and the importance of having secured offline backups. Making sure your organization can recover from ransomware by having clean backups may help secure the future of your organization. To learn more about what it means to have clean backups, check out Soteria’s guide ‘The Backup Plan’.
Develop your security program in phases, as building a secure environment is more of a journey than a destination. While these recommendations are great goals to achieve in 2020, Soteria recommends building multi-year security strategies with long-term goals, and prioritizing and organizing the short-term wins so that they add up to those larger goals over time. Soteria is here to guide you in building a security strategy that reduces your organization’s risks while continuously growing your security capabilities.