It’s no secret that, as an industry, many organizations are failing when it comes to effective cybersecurity. The headlines are rife with data leaks, breaches, and ransomware incidents. That said, there are many organizations making incredible headway in building mature and effective cybersecurity programs. If you fall into the first category, we will take a look at some high-level fundamentals that should be present among nearly any organization to drive down risk.
Organizations of all shapes and sizes have to deal with security controls. Most organizations fall under a minimum of one, and often more, regulatory frameworks such as SOC2, HIPAA, HITRUST, PCI, FedRAMP, and more. Effectively implementing all of these security controls at scale can be challenging. Many of the frameworks include hundreds of controls and exponentially more when you account for sub-controls and implementation nuance.
A great place to start for any organization looking to get a baseline of cyber posture in place is the CIS Critical Security Controls. Formerly the SANS Top 20, the list of critical controls is now known as the CIS Critical Security Controls, and there are 18 of them on the list.
This includes absolutely fundamental areas such as hardware or software asset inventory, data protection, and access control among others. Without getting these fundamental controls in place and working effectively, it would be nearly impossible to have a basic level of assurance regarding the cybersecurity hygiene of your organization and digital assets.
While these are titled critical security controls and there are less than 20, even the most mature and capable cybersecurity programs still struggle to effectively do all 18 critical controls at scale, due to the dynamic and complex nature of most modern digital environments. However, failing to address these critical controls is comparable to negligence.
Next up is Vulnerability Management. This involves the practice of identifying, classifying, prioritizing, mitigating, and remediating vulnerabilities associated with your inventoried assets. Organizations of any industry, shape, or size must have a coherent and consistent process in place to deal with vulnerabilities.
Organizations must deal with vulnerabilities of all sorts, everything from misconfiguration and software vulnerabilities to policy and process gaps. Failing to have a robust and documented vulnerability management process and program means you will struggle to mitigate the vulnerabilities and effectively have an exponential attack surface for malicious actors.
This is also easier said than done in modern environments, made up of complex relationships with business partners, managed service providers, cloud service providers, and externally consumed software across the software supply chain. That said, it is still a key imperative to address.
Cybersecurity Risk Management
Last but not least is the area of cybersecurity risk management, which also involves the previous two items discussed. This is the process of prioritizing cybersecurity defense measures based on the projected adverse impact of threats relevant to your respective organization.
This generally involves understanding the threats involved, vulnerabilities present, probability of occurrence, and the potential impact. This can be contrasted against the security controls in place, which can often act as mitigating measures to ultimately reduce the overall risk.
There are a number of popular risk frameworks available as well, such as NIST’s Cybersecurity Framework, DoD’s Risk Management Framework, or more quantitative options, such as the FAIR Institute’s frameworks.
Regardless of the framework chosen, getting an understanding of your risk and how you’re managing it is key to improving your overall security posture and driving down risk that may impact your organization that exceeds your defined risk tolerance.
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: