At LMG Security, we work with organizations whose cybersecurity programs span the whole spectrum of maturity levels – from organizations just getting started with cybersecurity program design, to those with mature, comprehensive cybersecurity programs in need of third-party testing and validation.
This blog is designed to help organizations in the early-to-mid range of the cybersecurity program design. This includes companies that are ready to structure existing controls into a comprehensive, enterprise-wide cybersecurity program, or those with a lot of good components in place already, who want to improve their cyber maturity.
We’ll take a look at 10 key areas you should be thinking about, and then touch on how to approach maturing and formalizing your program to improve your overall cybersecurity posture.
Popular Cybersecurity Program Design Tools
Known cybersecurity controls frameworks are great resources for cybersecurity program development. The NIST Cybersecurity Framework, NIST SP 800-171, and ISO 27001 are all comprehensive options. However, these frameworks are long and detailed, with 100+ individual controls each, so they may be overwhelming at this stage in your journey and better leveraged as references for best practices in specific control areas.
Top 10 Activities to Include in Your Cybersecurity Program Design
To provide a framework that may be more manageable for some organizations, our consultants used our knowledge of widely used frameworks, common threats, and best practices to identify 10 key activities we think are essential to include in your cybersecurity program.
- Ownership & Management: Who’s steering this ship? Effective cybersecurity program design requires consistent, visible management support and engagement. Your program also needs clear roles and responsibilities for cybersecurity tasks and program development. External resources should be used to support program development and continuous improvement.
- Asset Management: Securing your organization’s assets starts with knowing what is on your network, both hardware and software. Processes need to be established to manage the introduction of new assets and software, harden all assets, and to ensure secure destruction when assets are no longer needed.
- Software Lifecycle Management: Outdated and unpatched systems are easy targets for attackers. Establish regular processes for checking for and applying patches and have monitoring in place to ensure the processes are being followed as intended.
- Training: People are essential for securing an organization’s assets and data. It is important to equip them with awareness of common threats and how their actions and decisions play an essential role in the organization’s security. Building a security aware culture needs to be an ongoing effort, not just initial awareness training at onboarding.
- Access Control: Managing who has access to what data and systems is an essential component to protect the confidentiality, integrity, and availability of data. Effective access control must include both technical controls, such as strong passwords and multifactor authentication, as well as management processes such as access authorization, account review, and consistent steps for access termination.
- Confidentiality: First you need to identify what data is considered sensitive in your environment, and where is it stored. Then you can establish guidelines for who can access the data, and how the data is stored, transmitted, and destroyed.
- Availability & Continuity Planning: Cybersecurity is often focused on protecting sensitive information, but it also needs to consider what systems are critical for business operations, and how to ensure continued availability of those systems.
- Network Security: Secure network design, implementation, and management is essential to protect your systems, data, and organization. Network security considerations include architecture, boundary protections, change management, and the ongoing identification of vulnerabilities through regular scans or technical testing.
- Detection & Response: If your environment is experiencing a security threat, how will you know? Timely detection of unusual activity requires knowing what normal looks like for your environment, which can be supported by tools and monitoring, either managed internally or outsourced.
- Continuous Monitoring: Over time, how will you know if your cybersecurity program is working as intended and meeting the company’s needs? Continuous monitoring of cybersecurity controls and remediation efforts are important components to limiting cybersecurity risk. Internal reporting on monitoring efforts ensures organizational awareness of current risks and provide transparency regarding remediation efforts and outcomes.
Tips for Improving Your Cybersecurity Program
Now that you have a list of the activity areas, here are tips from our advisory team on how to mature your cybersecurity program and improve your overall cybersecurity posture:
- Consider addressing one topic at a time to keep the project manageable and ensure you can move each item forward at a good pace.
- Activity #1 Ownership & Management is the logical starting point for cybersecurity program design, as establishing management buy-in and support will form an essential foundation for your cybersecurity program design project.
- After that, pick the order that makes sense for your organization. Consider your mission, top cybersecurity concerns (i.e., sensitive data, system availability), and any history of incidents you want to prevent going forward, such as business email compromise or ransomware. Start with the topics that seem most impactful and relevant for your organization to be sure you gain high-value traction early in the project.
- Convene organizational stakeholders and those whose roles align with the activity to talk through existing controls and processes, as well as consider if they are meeting your organization’s cybersecurity needs. For example, #5 Access Control will need involvement from human resources, hiring managers, and the IT roles who grant access to systems and data.
- Consider if processes are followed consistently. We often encounter situations where processes are in place, but they are not always followed. Using #5 Access Control as an example, we may see delayed personnel separation notifications from human resources to the IT department, resulting in delays in IT disabling access to email and cloud applications, creating a risk of unauthorized access.
- Identify ways your processes could be improved. The inconsistent access control example may need a documented, required process plus training and spot checks to improve consistency. Reference known frameworks, like the NIST Cybersecurity Framework, for guidance in specific areas.
- Document it. Developing a written security program can feel daunting. I like to advise clients to keep it simple at first. Policies and program documentation don’t need to be formal or fancy to provide value. Start with simple checklists, or informal bullet points describing process and roles and responsibilities. Simple, shared documentation on these topics can go a long way in establishing a shared understanding of cybersecurity requirements and providing a reference for agreed-upon processes and standards.
We hope that these tips help you with your cybersecurity program design or growth. If this still sounds like a lot to tackle, LMG Security’s experienced consultants can help. Our advisory engagements start by understanding your organization’s mission, priorities, data, and environment. We then talk through existing processes and cybersecurity controls to identify any gaps, and make recommendations on your cybersecurity program design, as well as ways to reduce risk and improve your overall cybersecurity posture. Contact us if you would like help.