Posted on February 14, 2017 by kellyk
There’s a tendency in the world of cybersecurity to skip over the foundations and move directly to technical solutions.
Organizations allocate huge sums to threat intelligence or detailed security analytics without performing foundational security practices that help identify how to allocate resources.
To ensure this doesn’t happen to your organization, it is essential to lay the proper groundwork for your cybersecurity initiative.
Where It All Starts: IT GRC
For those who aren’t aware, IT GRC stands for IT Governance, Risk, and Compliance. In the context of cybersecurity, this is the framework through which an organization systematically identifies, executes, and maintains the systems and processes necessary to keep its assets secure.
In basic terms, the individual components can be defined as:
Governance – Ensuring managerial oversight and direction exists
Risk – The process by which security risks are identified and mitigated
Compliance – The systems, policies, and processes you must have in place to satisfy industry-specific regulations
Unfortunately, IT GRC has a reputation for being boring or removed from the realities of day-to-day operations. In practice, though, IT GRC should be a set of living documents and processes that constantly adjusts to meet the needs of the organization.
To ensure your cybersecurity initiative actually keeps your organization’s systems and data safe, it’s essential you take IT GRC seriously.
Your Cybersecurity Governance Framework
In essence, governance is about making and carrying out cybersecurity decisions. Whether it’s selecting areas for investment or rethinking BYOD, your organization’s cybersecurity governance framework should dictate how, when, and by whom these decisions are made.
More specifically, governance includes three primary elements:
1. Roles & Responsibilities
Who precisely is responsible for each aspect of your organization’s cybersecurity? If each individual element of your security initiative is clearly defined and ‘owned’, the chances of a serious oversight are dramatically reduced.
For instance, which team or individual owns the process of remediating or accepting identified vulnerabilities? This responsibility could easily fall to either the security or IT operations team, but not both, as joint ownership of a process is far more likely to result in omissions.
2. Policies
Every one of your organization’s security policies should be documented, actively maintained, and easily accessible to relevant personnel. From security awareness to permission management to incident response, every security function should have a corresponding policy document.
But here’s the thing. A policy document doesn’t have to be hundreds of pages long. In many cases organizations unnecessarily complicate policy documents, and in the process make them tedious and difficult to maintain.
3. Audit
Easily the most under-implemented aspect of cybersecurity governance, audit is the process of reviewing existing policies, processes, and systems to ensure they are fit for purpose. This may seem arduous, but the value of audit is undeniable, as any aspect of your security initiative that isn’t fit for purpose poses a significant risk to your organization.
Risk Determines Targeting
More than anything else, risk management should play a central role in planning your cybersecurity strategy. After all, without analyzing the risks posed by individual activities or attack vectors, how could you possibly know where best to invest your security budget?
Far too many organizations are persuaded to invest in specific technical security controls based purely on clever marketing campaigns or the latest headlines. But while multi-factor authentication or biometrics might make you feel more secure, they won’t do anything to protect against far more common issues such as phishing attacks or employee negligence.
By using a widely accepted risk assessment methodology such as that defined in NIST 800-30 you can systematically review your organization’s processes and identify the systems, processes, or attack vectors most likely to cause significant damage. Invariably, these are areas such as outdated software, employee negligence, or improper disposal of sensitive information.
And this is why using something like our free cybersecurity assessment tool can be so beneficial. Based on the NIST Cybersecurity Framework, the simple questionnaire can be completed in under an hour by a non-technical manager, and immediately highlights the areas of your security program that require investment.
Again, we’re not saying there’s anything wrong with advanced security controls like threat intelligence or endpoint security. These and many other controls can be tremendously effective at preventing breaches in security conscious organizations. The problem comes when investments are made into these advanced controls by organizations that don’t yet have the basics of security covered.
Compliance: Doing What You Have to Do
We’ve written a lot about compliance, and not all of it has been positive. But again, there’s nothing wrong with the concept of compliance frameworks… they just aren’t enough to ensure your organization remains secure.
Take HIPAA, for example, the healthcare industry’s compliance framework. There’s nothing inherently wrong with the framework itself, but over the past decade healthcare organizations have been overly focused on compliance to the exclusion of all other security practices.
But compliance doesn’t equal security. In practice, compliance frameworks detail the bare minimum levels of security necessary for an organization to elevate itself beyond security negligence.
On the other hand, compliance is non-optional. Whether it’s PCI DSS for retail or FFIEC for financial institutions, any organization that routinely handles sensitive information will have compliance obligations of one sort or another. And naturally, a huge part of your IT GRC operations will center on ensuring these obligations are met.
What you must not do, however, is assume that compliance is enough. After all, most organizations’ security awareness training programs are compliant… but almost totally ineffective.
Building from the Ground Up
Without a doubt, IT GRC lays the groundwork for securing your sensitive information. By systematically creating and reviewing the most effective policies, systems, and processes for your organization, you’ll dramatically improve your ability to minimize and respond to security incidents.
And of course, once you have the groundwork in place, and a strong understanding of your organization’s risk profile, you can start to invest your security budget in the most relevant technical security controls.
If your organization is in the healthcare industry and has a huge number of individual devices, endpoint security systems might well play a part in your long-term security plan. If you’re working on highly sensitive research and have identified that authentication spoofing is a major risk, multi-factor authentication might really be the best investment option.
But until you have a fully functional risk assessment framework in place, one that includes a deep knowledge of your organization’s risk profile and compliance obligations, making these sorts of decisions is at best a stab in the dark.
To gain a better understanding of your organization’s security profile and identify areas that require improvement, check out our free cybersecurity assessment tools. We’ve created a separate tool to reflect each major compliance framework, so no matter your industry you can identify your organization’s main areas of security weakness in less than one hour.