
Drawing on the experiences of a twenty-year career in cybersecurity for government agencies and large commercial enterprises, Telos’ Vice President of Strategy and Cloud Steve Horvath offers some nuggets of wisdom for smaller organizations as they lay the groundwork for effective cybersecurity operations.
Start with the NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) offers a wealth of information and tools for implementing security programs. The Computer Security and Applied Cybersecurity Divisions are known for numerous extremely detailed publications offering guidance to help security professionals reach a very high level of fidelity. The Cybersecurity Framework (CSF) is unique among NIST concepts for its brevity, clarity, and flexibility.
Easily understood and simple to implement, NIST CSF provides overwhelming value for both private and public sector organizations in its brief twenty pages. There are three things that I find particularly important. The NIST CSF:
- Puts everybody on the same page by providing a common lexicon. With a common language and defined terms, everyone can communicate clearly – from the security operations teams, actively engaged in keeping the organization safe, all the way up to the board, who determine security investment levels. They can speak a common-sense language that everybody is able to understand.
- Guides organizations through a gap analysis to improve security posture. It starts with an assessment of how the organization stacks up against a set of controls – a current-state snapshot of security posture – and provides clarity for developing a target-state vision. An analysis of the gap provides the insight to make good decisions about where to invest, whether in staff, technology, or training resources.
- Encourages organization-wide cyber maturity. It is all-encompassing and looks holistically at an enterprise or program. NIST doesn’t like to call CSF a maturity model, but it does help an organization rank itself and identify where improvement is needed, based on feedback from internal assessments.
Automate what you can, carefully
The core tenets of cybersecurity have not changed in the twenty-two years since I started in this business. They may have evolved, but they still stand. The same tasks that ate up resources back then are still required today. Many effective automation tools have been developed and enhanced over time. They continue to get better and better.
Yet there are differing schools of thought regarding cybersecurity automation. In one school are those who are leery of giving technology the ability to “make decisions” on cybersecurity. Others think it’s not only more efficient but safe to employ technology to take action in defined circumstances, actions like closing a port, disconnecting a device, making a service unavailable, or changing permissions on the fly.
As is often the case with extremes, they’re both right, yet each approach has its risks. Automated remediations must be combined with an understanding of risk within the context of the specific organization. What I see more often than not is well-meaning folks attempting to use this kind of automation without a solid understanding of the organization’s risk posture.
Don’t skip the hard part
Taking the time to clearly identify business priorities as they relate to IT integrity will pay dividends in the long run. A concerted effort to walk through the NIST CSF process leaves the organization with a thorough understanding of its risk tolerance for various systems and data. You’ll know what’s the most valuable data, where it sits, and what systems are processing it. Only then is it wise to automate cybersecurity safeguards. But if this kind of automation is deployed without the context of what’s going on from an organizational risk perspective, it ends up causing problems.
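The point made in the automation section and here, that an automated action is only safe inside a known risk envelope, can be expressed as a gate in front of the response playbook. The following is an added example, not code from the article or from Telos; the asset inventory, field names and thresholds are constructed to illustrate the idea.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Disruption(Enum):
    """How much an automated remediation can interrupt the business."""
    LOW = 1       # e.g. tighten a firewall rule on a non-production host
    MEDIUM = 2    # e.g. revoke a permission, close a port
    HIGH = 3      # e.g. disconnect a device, take a service offline


@dataclass(frozen=True)
class Asset:
    name: str
    data_class: str       # what the system processes (output of the CSF identify work)
    criticality: int      # 1 (low) .. 3 (mission-critical), set by the business
    max_auto: Disruption  # highest disruption the owners allow automation to take alone


@dataclass(frozen=True)
class Alert:
    asset: str
    proposed_action: str
    disruption: Disruption
    confidence: float     # detection confidence in [0, 1]


# Constructed sample inventory (hypothetical hosts, not from the article).
INVENTORY = {
    "web-kiosk-07": Asset("web-kiosk-07", "public", 1, Disruption.HIGH),
    "erp-db-01": Asset("erp-db-01", "financial", 3, Disruption.LOW),
}


def decide(alert: Alert, inventory: dict[str, Asset] = INVENTORY) -> str:
    """Return 'execute' or 'escalate'; act automatically only inside the risk envelope."""
    asset = inventory.get(alert.asset)
    if asset is None:
        # No risk context at all: exactly the situation the article warns about.
        return "escalate"
    if alert.disruption.value > asset.max_auto.value:
        # The owners never approved automation at this level of disruption.
        return "escalate"
    # More critical systems demand higher detection confidence before any action.
    required = {1: 0.6, 2: 0.8, 3: 0.95}[asset.criticality]
    if alert.confidence < required:
        return "escalate"
    return "execute"
```

Everything the gate relies on (data class, criticality, approved disruption level) is exactly what the NIST CSF gap analysis produces, which is why the article places that work before automation.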
With the proper groundwork in place, ongoing validation of security posture becomes simple. Automation tools can dramatically reduce the burden of compliance testing, documentation, and remediation.
It may well be true that no CISO or CIO will guarantee there will never be a breach.
Yet by showing that the necessary checks are happening and that compliance with security standards is continually validated, cybersecurity professionals not only create peace of mind for the security team but also make senior management more confident, knowing that everything possible is being done, continuously, to keep core systems online in support of mission and business priorities.