After a number of significant cyber attacks last year, many organizations are looking for ways to make 2018 a “cyber secure” year. But coming up with a list of solutions to improve an organization’s security posture is no easy task.
An enterprise security program is a complicated mash of hardware, software, networks, configuration settings, and operational policies and procedures. There are numerous best practices and standards, and most have more than a dozen categories and hundreds of requirements encompassing technical, administrative and physical realms.
It is no wonder business leaders often seem uncertain about whether their cyber-security budgets are being spent on projects or technologies that really will make their data and systems more secure. A simpler view is required.
One way to reduce the complexity is to step back and ask which cyber-security program requirements are critical to reducing risk, which are important to reducing risk, and which are basic requirements in reducing risk.
- The critical requirements of a security program are those that are essential in maintaining any semblance of a strong security posture and, if not performed, could result in significant harm to data, systems or the organization.
- The important requirements are essential, but if they are not performed or are partially performed, the harm may be less consequential than that flowing from critical requirements.
- The basic requirements are security program activities that are best practices but may result in less impact on the organization if they are not performed or are performed poorly.
These are generalizations, of course, but let’s consider some examples. Access controls are critical. If an organization does not have sufficient access control policies and procedures and supporting technologies in place, it will not be able to secure its data or systems, hold users accountable, or maintain accurate records for compliance and forensic purposes.
Equipment inventories are important. Companies should maintain an inventory of equipment provided to employees and check off return of equipment upon employee departure. If they do not, there is a risk that a phone or laptop might not be returned and some company data may be on it. This exposure is limited to internal individuals and may be mitigated by other controls, such as encryption and access policies.
Secured telecommunications cabling is a basic requirement. While it is always a best practice to secure telecommunications cabling against interference or damage, on the whole, most companies have little risk of their cabling being tampered with.
Organizations have limited resources for IT and cyber-security programs, and many executives do not fully understand what an enterprise security program really is or know what is required by best practices and standards. (For more on that, read my previous column “Starving Your IT Budget.”) In the face of an increasingly sophisticated threat environment, executives struggle with understanding which cyber-security activities will matter the most in defending against cyber attacks and protecting company assets.
As a general rule, if companies make sure they meet the critical requirements—and add a few important ones—they will have a strong cyber-security foundation on which to build and a decent chance of detecting, deterring and preventing cyber attacks. In a recent review of the 114 requirements for the ISO 27001 standard for information security, my team tagged 58 requirements as critical, 32 as important and 24 as basic.
From the 58 critical requirements, we identified the top 15 that we believe are essential activities for all cyber-security programs. If you undertake these cyber-security solutions, you’ll put your organization on stronger footing against cyber attacks in 2018.
When reviewing cyber-security budgets and resource allocations, executives should check to see how much of the funding is for activities on this list of resolutions. Management also now has a solid list of critical requirements they can refer to when discussing priorities with IT and security personnel. Agents and brokers also can use this information to better serve their clients and help them make informed decisions on managing cyber risks and improving their organization’s cyber-security posture.
Westby is CEO of Global Cyber Risk.