While updating my requirements for a proper CyberSecurity posture, I remembered that companies now seek CISOs with leadership and business acumen skills first on the list. Considering the skills gaps that exist, this makes sense. It would help if you had someone you trust to deliver C-level messages. Hence, you find a talented employee in another department with flexibility and an insatiable thirst for knowledge.
With that in mind, the must-haves of Cyber Security protection will contain no acronyms or mention of products and solutions providers. Instead, the goal is to allow CISOs to gain a top-level view and help prioritize needs.
My first recommendation is to have an incident response plan. It takes time to deploy the critical layers of preventing cyber attacks so plan your response now.
Next, I recommend alignment with insurance and stakeholder requirements. Contact your CyberSecurity insurance carrier and verify whether a claim will be honored or declined based on your current environment. Also, what role will they play when something does happen Once your know those parameters, you move on the next step.
Communication and Reporting to meet everyone needs.
Insurance carriers, industry compliance, and stakeholders respond better when informed of your current roadmap status before an incident. Make sure you address gaps between expectations and reality.
Once you have a plan and support from the decision-makers, your job is secure for another 30 days. Just kidding, don't worry. We will get thru these daunting tasks soon enough.
Ok, we move on the actual technical layers of CyberSecurity.
A well-tested backup and data recovery system must exist that answers the following questions. You need three types of backups.
One set of backups in the cloud in Immutable version.
Immutability refers to a set of files that cannot be modified outside a policy that states when changes are allowed. This is best for Ransomware attacks when your backups cannot allow encryption or deletion until x number of days/months/years expire.
One set of backups on-site and encrypted and one set off-site and isolated from your existing networks.
How long will it take to recover your data if something happens tomorrow?
PLEASE know that answer, and do not assume without actual testing data recovery times.
Testing means if the first two attempts at recovery fail, how long will the third method take? The technique involves your data being offsite and offline and then converted to an online user-verified level of productivity.
With the knowledge fresh from a disaster recovery exercise, you will want to begin employee training on resisting clicking on links or files. Identifying the employees that simply cannot resist acting on questionable emails requires you to create a process to follow as they come across any new links or attachments. Forwarding suspicious emails to a help desk for testing and validation take the pressure off them to make a quick decision.
As you test and teach employees, you're also tweaking your email filtration systems to get smarter and safer. If something suspicious is suspected, you will need someone qualified to inspect your network and internet traffic for abnormal activity.
What is good activity and what is bad?
Reference points from vulnerability and pen testing will help you understand typical activity and what requires investigation.
Once you know what good traffic is, you can deploy Zero Trust networking to prevent unwanted traffic to local network resources. A compromised local device or login endangers your cloud based resources also,
Protecting your cloud resources requires strong password managment, 2FA, VPNs and Identity management to verify that connections outside your network are trusted. Speaking of trusted
Sources: Supply Chain accountability
Prepare a list of all vendors that occasionally require remote access.
Prepare a list of your entire supply chain and create a process to verify identity if the event one of them is compromised. Ask each vendor to detail the security layers they use to protect you from any incident on their side,
As you add layers to your security, ensure each layer can send logs to your Security Operations Team. They will need visibility into each layer when tracking down suspicious activity.
If you have a remote workforce, ensure they automatically connect to your "safe network" that provides a cloud-based firewall to protect their traffic wherever they may be.
So, at this point, you know how much it may cost to deploy all the layers of protections needed, fill gaps identified by outside testers, and you're blocking any unwanted traffic by default. Your employees are improving safety as they learn to play on your team. Stakeholders are receiving progress reports, and communication is improving. You feel confident that qualified experts respond to attacks with a rehearsed plan, your data is recoverable, and the costs are reimbursable with insurance.
Because you acted expeditiously, some of the layers will be outsourced expertise. You can now begin evaluating how much of this you want to bring in-house and whether it will improve your cost or liability stance.
Some of these layers of security will overlap with others in features as vendors work to gain market share.
To minimize overlap and expense, look for cybersecurity vendors that will manage many, if not all, of these layers and give you one monthly budget item. Work with vendors that will allow you to substitute your favorite layer for one of theirs and coach your team to manage as many layers as you eventually feel comfortable with it.
There should always be some division of responsibility to place liability where it belongs. Working security areas beyond your validated skillset result in denied claims. Typically, managed endpoints and 24/7 traffic monitoring and response teams require very specialized cyber security certifications. It's ok to know that you don't know it all. Most specialized security providers are ok with cross-checking each other's work so you will know everyone's doing their job. Your most crucial expense line items are usually labor-intensive items that even the best AI cannot automate. AI is playing an ever-increasing role in CyberSecurity, but don't let stakeholders tell you to wait until AI fixes all the cyber-attacks. You will be waiting in the wrong line for a paycheck as the bad actors also use AI, so the cat-and-mouse game continues.
The bottom line is that the bad guys can buy and test everything you can, so you must focus on detecting abnormal activity and know how to see thru the fog and hear thru the noise. Minimizing damage and recovering data will give you the confidence to communicate a positive message to stakeholders and keep your team productive and happy.