As we bid farewell to the final days of 2016, it’s time to start looking ahead to the New Year and what we hope to accomplish within the next 365 days. Year after year, some Chief Information Security Officers (CISOs) set lofty goals of securing all data to the fullest extent wherever it resides in their company’s network. However, as many New Year resolutions go, these aspirations often fall short because they’re not founded on sound enterprise risk management principles.
Due to the dynamic nature of the threat landscape we see today, adopting and adhering to a robust enterprise risk management framework is critical to the success of any modern cybersecurity program. There are many risk management frameworks; however, the one I like best is the NIST Cybersecurity Framework (CSF). The strength of the CSF is the alignment of all the NIST/ISO/COBIT/ISA/CCS security control families to five basic principles or strategic outcomes that every cybersecurity program should have or improve (Identify, Protect, Detect, Respond, Recover). More and more CISOs are using the CSF today, but to help those who are still on the fence, I’ve outlined five tips all CISOs should prioritize when setting their resolutions on January 1.
1. Become the Hunter (Identify). Advanced attacks are no longer the sole domain of cyberespionage and nation-state groups. Cybercriminal groups have significantly improved their tactics and tools thanks to a robust cybercriminal underground. Advanced attacks against enterprises will continue to steadily increase and become more sophisticated as cybercriminals continue to develop new threats. Adopting a hunter-team program within your organization to proactively identify threats and attacks will secure your company in the long run. Threat actors will never stop evolving, so why should you and your team?
2. Educate and protect privileged users (Protect). Human error is the weakest link in any network, but employees can’t be vigilant if they don’t know what to look out for. Whether it’s a ransomware attack, a business email compromise (BEC) scam or a targeted attack, users behind the keyboard are often unknowingly in the crosshairs of cybercriminals. CISOs must develop an executive training program focused on advanced threats. Creating awareness of the latest attack methods and educating executives and privileged users on what types of suspicious activity to watch for will lessen the chances of a successful attack at the hands of unsuspecting employees.
3. Protect users at the endpoint (Protect). While there is no silver bullet when it comes to cybersecurity, the first step is to protect your users where they live: at the endpoint. With the exponential growth of ransomware threats we experienced this year, as well as the advanced threats we expect to see in 2017, a layered, connected threat defense is a must. Begin with endpoints to safeguard against many of the vectors cybercriminals use to access an organization, such as spam, phishing attacks and malicious web downloads.
4. Improve resiliency by speeding up detection and patching (Detect). Ultimately, only by knowing the threats you face and the vulnerabilities you have can you be resilient against attacks. Cybercriminals use exploit kits to take advantage of holes in an organization’s IT environment to deliver malware and other attacks, ultimately compromising business operations, sales and sensitive company data. Vulnerabilities are ever-present throughout enterprise networks, but the faster they are detected and patched, the more resilient your company becomes and the more likely you are to mitigate further risk.
5. Assume all attacks are not final (Respond/Recover). Companies and organizations often falsely believe that responding to an incident and/or patching a vulnerability means they’ve fully eliminated the threat. However, you can never assume your job is complete. Due to the growing number of multi-stage and multi-vector attacks, cybercriminals are able to compromise more network infrastructure and dwell longer, leading to higher losses. Therefore, constant vigilance is required at the response and recovery phases from both CISOs and their teams.
The persistent goal of any CISO should be to continuously manage enterprise risk. I hope each of these tips will help you develop the resolutions you need to achieve your cybersecurity goals for 2017 and, more importantly, start you on a path to creating a culture of security throughout your organization, from the boardroom to the server room and even down to the break room.