BreachExchange mailing list archives

Are you cyber resilient?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 3 Dec 2015 18:41:06 -0700

http://www.scmagazineuk.com/are-you-cyber-resilient/article/456108/

From day one, all CISOs are tasked with defining a cyber-security
resilience strategy. It must support 'business-as-usual' but also provide a
clear vision for the future.

While the headlines continue to claim that cyber-security is now recognised
as a key risk on all executive risk registers, that doesn't necessarily
reflect the situation on the ground. Many organisations have a reactive
approach to security, one that focuses on fixing known risks and
fire-fighting. They tend to be heavily biased towards enhancing
technological capabilities coupled with some paper controls.

There's no arguing that technology is an important element of any
cyber-security strategy, but a resilient strategy also needs to include
both people and culture. There must be a balance between preventive,
detective and responsive mechanisms.

As a CISO, if you come to this conclusion then the next step is to think
about what programmes should be incorporated into your strategy.

First things first: get the basics right. The number of attacks can be
significantly reduced by implementing basic security hygiene practices such
as patch management, identity and access management, privileged access
control and security change management. These are the fundamentals that
must be covered before there is any further significant investment.

Secondly, if cyber-security is truly a board-level risk then give it the
attention it deserves. Assign roles and responsibilities, ideally with
CxO-level accountability, and adopt robust risk management processes to
ensure that risks are not only identified but also assessed for impact,
managed and subsequently owned. There need to be meaningful metrics and
KPIs that monitor the success of the strategy and show where additional
time and effort should be invested.

Traditionally, security has been about protecting the perimeter and vital
applications. Although this is still relevant, CISOs need to be clear on
which data will be most appealing to attackers, essentially the 'crown
jewels'. Implementing data loss prevention (DLP) technologies may provide a
quick fix in terms of monitoring data on the network, but the organisation
will remain at risk until it has a clear understanding of what the 'crown
jewels' are and who has access to them.

Culture is also crucial. Staff are typically the first and last line of
defence. Employees need to understand that they are part of the solution
and have a responsibility to the business. They should not treat the
controls the organisation provides as a safety net that lets them do
anything without consequence. At the same time, it is important to have a
non-punitive culture so that people come forward with mistakes they have
made. Improving cultural awareness must focus on instilling behavioural
change that promotes vigilance, ownership and caution among staff.

Incident management is another element that must be covered. There
should be a dedicated team and documented procedures for handling
data breaches and cyber-attacks, and, crucially, these must be tested
regularly. Regulatory and legal obligations in the event of a breach must
be taken into account as well. The importance of a robust incident management
and response process cannot be overstated. Invest time in exercising your
incident response capabilities and ensuring they are fit for purpose before
it's too late.

Many data breaches go undetected for months, and by that time most of the
damage has been done. In the same way that business intelligence enables
effective decision-making, sound security intelligence should enable
effective detection of threats and suspicious behaviour. This needs to look
beyond traditional perimeter and signature-based solutions and use
analytics to surface suspicious behaviour and previously unknown threats
through behavioural baselining and heuristic rules rather than known-bad
signatures alone.

Data breaches or disclosures often occur through the actions of internal
employees, and these are very difficult to defend against: they are
individuals who have legitimate access to data yet, either maliciously or
by accident, cause a security incident to occur. The security strategy must
account for the fact that not all attacks will be external in origin.
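The two preceding paragraphs argue for behavioural detection that works even when the actor holds legitimate access. As an added illustration, not part of the SC Magazine article or the mailing-list post, the Python below builds a per-user baseline (countries seen, login hours, largest download) from a small set of constructed authentication and file-access events, then scores later events against it. It flags a login from a new country at an unusual hour and, separately, a known user whose download volume far exceeds their own history, the insider case the text describes. The JSON-lines schema, user names, field names and the 3x volume threshold are assumptions made for the example.

```python
import json
from datetime import datetime

# Constructed sample events in a hypothetical JSON-lines schema (not a real product's log format).
BASELINE_LOG = """\
{"ts": "2015-11-02T08:10:00", "user": "alice", "src_country": "GB", "action": "login"}
{"ts": "2015-11-02T09:30:00", "user": "alice", "src_country": "GB", "action": "download", "files": 5}
{"ts": "2015-11-03T09:05:00", "user": "alice", "src_country": "GB", "action": "login"}
{"ts": "2015-11-03T10:40:00", "user": "alice", "src_country": "GB", "action": "download", "files": 7}
{"ts": "2015-11-04T10:00:00", "user": "alice", "src_country": "GB", "action": "login"}
{"ts": "2015-11-02T14:00:00", "user": "bob", "src_country": "US", "action": "login"}
{"ts": "2015-11-02T14:20:00", "user": "bob", "src_country": "US", "action": "download", "files": 2}
{"ts": "2015-11-03T15:10:00", "user": "bob", "src_country": "US", "action": "login"}
{"ts": "2015-11-03T15:30:00", "user": "bob", "src_country": "US", "action": "download", "files": 3}
"""

# Constructed events to score against the baseline.
NEW_LOG = """\
{"ts": "2015-12-01T09:02:00", "user": "alice", "src_country": "GB", "action": "login"}
{"ts": "2015-12-01T09:45:00", "user": "alice", "src_country": "GB", "action": "download", "files": 6}
{"ts": "2015-12-01T03:12:00", "user": "bob", "src_country": "RU", "action": "login"}
{"ts": "2015-12-01T11:15:00", "user": "alice", "src_country": "GB", "action": "download", "files": 40}
{"ts": "2015-12-01T15:05:00", "user": "bob", "src_country": "US", "action": "download", "files": 3}
"""

VOLUME_FACTOR = 3  # assumed threshold: a download above 3x the user's largest baseline download is suspicious


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Build a per-user profile: countries seen, login hours seen, largest single download."""
    profiles = {}
    for ev in events:
        p = profiles.setdefault(ev["user"], {"countries": set(), "hours": set(), "max_files": 0})
        p["countries"].add(ev["src_country"])
        if ev["action"] == "login":
            p["hours"].add(datetime.fromisoformat(ev["ts"]).hour)
        elif ev["action"] == "download":
            p["max_files"] = max(p["max_files"], ev.get("files", 0))
    return profiles


def score_event(profiles, ev):
    """Return the list of baseline deviations for one event; an empty list means 'looks normal'."""
    p = profiles.get(ev["user"])
    if p is None:
        return ["unknown_user"]  # no history at all: cannot baseline, so surface it
    reasons = []
    if ev["src_country"] not in p["countries"]:
        reasons.append("new_country")
    if ev["action"] == "login" and datetime.fromisoformat(ev["ts"]).hour not in p["hours"]:
        reasons.append("off_hours")
    if ev["action"] == "download" and ev.get("files", 0) > VOLUME_FACTOR * p["max_files"]:
        reasons.append("volume_spike")  # legitimate access, abnormal volume: the insider pattern
    return reasons


def detect(baseline_text, new_text):
    """Baseline on one log, score another; return only the events that deviate, in log order."""
    profiles = build_baseline(parse_events(baseline_text))
    alerts = []
    for ev in parse_events(new_text):
        reasons = score_event(profiles, ev)
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_LOG, NEW_LOG):
        print(alert)
```

Run as-is it prints two alerts: bob's 03:12 login from RU (new_country, off_hours) and alice's 40-file download (volume_spike); alice's normal login and download and bob's usual 3-file download produce nothing. A handful of days is far too narrow a baseline for real use (a login at 07:00 would be flagged here), so in practice the profile is built over weeks, the hour check uses a tolerance window, and "new country" is cross-checked against known travel and VPN egress points before it becomes an alert.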

Threat actors – be they internal or external – will likely make many
attempts to steal data or compromise an organisation's assets for a variety
of reasons over the course of a CISO's tenure. A strategy should accept
that it will be impossible to defend against all of them successfully –
otherwise the strategy is destined for failure.

A CISO's cyber-security strategy should accept that breaches will occur.
The measurement of its effectiveness is the ability to detect, respond, and
remediate when a breach occurs, while preventing the majority of breaches
from happening.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss