Plotting the Path to a Mature Cyber Security Program
CIOs are painfully aware of the need to mature cyber security programs. The State of Security Operations Report 2016 found that only 15 percent of security operations are achieving recommended security maturity levels. Years of underspending on cyber security have left the remaining 85 percent of companies with inadequate defenses and significant risk exposure.
That 85 percent must mature their cyber security functions if they want to continue operating in an increasingly risky world. Indeed, a recent Cybersecurity Ventures report estimates that spending on cyber security will increase 12 to 15 percent every year for the next five years. As enterprises invest in their cyber security functions, CIOs and CISOs must plot a clear path to maturity in order to make the most of their resources and keep up with the ever-evolving threat landscape. So what does that path look like?
How Cyber Security Evolves:
An immature cyber security program operates within IT and focuses on the impact of cyber attacks on IT systems and infrastructure. It defends the perimeter and endpoints, and provides access management, but not much else. The program lacks resiliency, and struggles to address and recover from security incidents.
In the next stage of development, cyber security expands its scope to preventative capabilities and proactive detection. Reaction to events is swift and geared toward prevention of outages and damage, containment, and remediation, rather than a purely IT-driven service-restoration focus. Business continuity plans begin to take cyber security incidents into account.
When a cyber security program reaches maturity, the focus has expanded to areas beyond IT, such as supply chain security, manufacturing operations, and third-party security controls validation, among other business functions. By now, cyber security teams are engaged with business operations, and are using a risk-based framework for prioritization and decision-making. Teams understand the objectives of both the business and the attackers, and are better equipped to disrupt attackers and build cyber resiliency.
A robust internal awareness and training program is another mark of a mature cyber security program. It provides year-round employee education to reduce the risk of negligent insider threats. The program uses a variety of tactics and communications channels–including web-based learning, social media, gamification, and face-to-face events–to reach a diverse internal audience.
Mastering Maturity with the 4Ps:
A truly developed cyber security program has mastered the core disciplines of prepare, protect, prevent, and preempt (the 4Ps) and has deployed effective capabilities in all four areas.
■ Protect: At its core, cyber security serves in a protective role. Much of this work is foundational capability consisting of well-known mechanisms and processes to protect assets, data, employees, and customers.
■ Prevent: Preventative capabilities are also foundational. They combat common security issues through action, such as vulnerability management, code reviews, firewalls and intrusion prevention systems, and common anti-malware tools.
■ Prepare: Preparation requires an understanding of the business risks, the critical processes to reconstitute with urgency, and the deployment of playbooks, contingency plans, and incident response automation.
■ Preempt: Preemptive operational security capabilities mark a mature program. They target the adversary’s tools and tactics. Preemptive tactics are aimed at early detection, withstanding the attacks, restoring key operational capabilities, and evolving defensive approaches to disrupt current and future attacks.
Paying Down Risk Debt:
Of course, the path to maturity is rarely straight and smooth. In addition to ever-present funding and resource challenges, other roadblocks inevitably surface. Case in point: the moment a cyber security team realizes that it is wallowing in risk debt.
Companies often reach a point on the path to maturity where they experience an epiphany. In the midst of plotting capability investments and building teams, they realize that a considerable amount of unmitigated risk has gone unchecked for years, leaving it to accrue over time. To illustrate, a team may feel good about the 20 patches they deployed this month–until they remember that they’ve skipped the last 900 patches. Or, they discover that their legacy environment won’t support the latest and greatest security software.
Similar to technology debt, risk debt saddles companies with the burden of paying down the debt before they can move forward with future investments and achieve a truly mature cyber security program.
Risk debt arises from any number of business decisions made in the past. It could stem from shortcuts taken for business reasons, the timing of infrastructure and application deployments, or system choices made before an associated risk was discovered. In addition, previously unseen risk debt can surface at any time. For instance, retail breaches have brought to light vulnerabilities in point-of-sale systems that were previously unknown.
Remediating risk debt looks different for every company. Some of it may not be immediately fixable due to resource constraints and business needs, which makes the environment extra challenging for cyber security teams. In general, however, it starts with assessing the current environment, identifying critical assets, rooting out the unknown, and prioritizing remediation. For example, at HPE the team spent years looking for systems hidden in closets: machines it could see on the network but had no idea where they were physically located. It also ran HPE Vertica Analytics to sleuth out unauthorized uses of IT resources. The team essentially turned a giant flashlight on the company's enormous global IT infrastructure, which was no simple task.
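The first two steps above, rooting out systems nobody has recorded and prioritizing the patch backlog that has accrued on the ones you do know about, can be reduced to a small reconciliation job. The script below is an added example written for this article, not HPE's tooling and not code from the original text. It assumes a constructed CMDB export, a constructed list of hosts observed on the network (ARP tables, DHCP leases or scan results), and a constructed per-host list of missing patches; the patch identifiers, hostnames, severity weights and the "months outstanding" scoring rule are all illustrative assumptions.

```python
"""Added example (not from the original article): find hosts the inventory
does not know about, and rank known hosts by accumulated patch backlog.

All inventory, observation and patch data below is constructed for
illustration; hostnames and patch IDs are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Assumed weights: how much one month of an unpatched finding "costs".
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass(frozen=True)
class MissingPatch:
    patch_id: str   # hypothetical identifier
    severity: str   # one of SEVERITY_WEIGHT's keys
    released: date  # when the fix became available


# Constructed CMDB export: what the organisation believes it owns.
CMDB: Dict[str, Dict[str, str]] = {
    "web01": {"owner": "ecommerce", "location": "DC-A rack 12"},
    "db01": {"owner": "ecommerce", "location": "DC-A rack 14"},
    "hr-app": {"owner": "hr", "location": "DC-B rack 3"},
    "file02": {"owner": "finance", "location": "DC-B rack 7"},
}

# Constructed network observations (e.g. ARP/DHCP/scan output).
OBSERVED: List[Dict[str, object]] = [
    {"host": "web01", "ip": "10.0.1.10", "last_seen": date(2016, 9, 30)},
    {"host": "web01", "ip": "10.0.1.11", "last_seen": date(2016, 9, 30)},
    {"host": "db01", "ip": "10.0.1.20", "last_seen": date(2016, 9, 29)},
    {"host": "hr-app", "ip": "10.0.2.5", "last_seen": date(2016, 9, 30)},
    {"host": "legacy-pos-3", "ip": "10.0.9.41", "last_seen": date(2016, 9, 28)},
]

# Constructed patch backlog per known host (hypothetical patch IDs).
BACKLOG: Dict[str, List[MissingPatch]] = {
    "web01": [
        MissingPatch("PATCH-2016-001", "critical", date(2016, 1, 12)),
        MissingPatch("PATCH-2016-050", "medium", date(2016, 5, 10)),
    ],
    "db01": [
        MissingPatch("PATCH-2015-117", "high", date(2015, 10, 1)),
        MissingPatch("PATCH-2016-090", "low", date(2016, 9, 20)),
    ],
    "hr-app": [],
}


def find_unknown_hosts(observed: List[Dict[str, object]],
                       cmdb: Dict[str, Dict[str, str]]) -> List[str]:
    """Hosts seen on the wire that the inventory has no record of."""
    return sorted({str(o["host"]) for o in observed if o["host"] not in cmdb})


def find_unobserved_assets(observed: List[Dict[str, object]],
                           cmdb: Dict[str, Dict[str, str]]) -> List[str]:
    """Inventory records never seen on the network: stale or mislocated."""
    seen = {str(o["host"]) for o in observed}
    return sorted(h for h in cmdb if h not in seen)


def risk_debt(missing: List[MissingPatch], today: date) -> int:
    """Assumed scoring rule: severity weight times whole months outstanding.

    A patch released less than a month ago still counts as one month, so a
    fresh critical never scores zero.
    """
    score = 0
    for p in missing:
        months = max(1, (today - p.released).days // 30)
        score += SEVERITY_WEIGHT[p.severity] * months
    return score


def rank_by_risk_debt(backlog: Dict[str, List[MissingPatch]],
                      today: date) -> List[Tuple[str, int]]:
    """Known hosts ordered from most to least accumulated risk debt."""
    scored = [(host, risk_debt(missing, today)) for host, missing in backlog.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    today = date(2016, 10, 1)
    print("Unknown hosts (not in CMDB):", find_unknown_hosts(OBSERVED, CMDB))
    print("Inventory entries never observed:", find_unobserved_assets(OBSERVED, CMDB))
    for host, score in rank_by_risk_debt(BACKLOG, today):
        print(f"{host:12s} risk debt = {score}")
```

The two reconciliation functions are deliberately symmetric: a host on the network but not in the CMDB is the "system in a closet" case, while a CMDB entry that never appears on the network is either decommissioned hardware still carrying an owner and a patch obligation, or a machine living somewhere other than where the record says. The scoring rule weights age as well as severity precisely so that the 900 skipped patches outweigh this month's 20, which is the point of treating the backlog as debt rather than as a monthly count.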
Cyber security professionals instinctively look ahead. They thrive on anticipating the next big threat and figuring out how to beat it. They want the shiny new technology and the dream team of whiz kids. However, while looking forward to develop the 4P capabilities, they must also look backward to identify and remediate risk debt. Only then can true cyber maturity be achieved.