1 – Context is everything
If you were to read cybersecurity news (which is often not much more than marketing) you might think that you need to buy everything all at once and spend millions to protect data and systems that you might not even have. So, the first step is to understand your own business, so you have the context to make informed decisions. To do this I would recommend listing all services and processes involved in the operation of your business/organization. This includes service/product delivery, hiring, payroll, collaboration tools, cloud storage, you get the idea. Once you have that list, break them down into things you are directly responsible for (services and products) and things that are run or operated by a third party (like cloud services). Next, define who owns the operation of each of these items and a backup for that person. For cloud services, determine who is responsible for administration and maintenance of the account (and who pays the bills). Once you have this you will understand what the basic components used to run your business are. You should also know if there are any compliance drivers associated with your business. Building the context of your business also allows you to understand the threats that might be aimed at you.
2 – Who has access and how do they access your information
After you know what your business is made of, you need to understand how your employees and customers access those components. Is the primary access via the internet? Are you completely cloud-based, with employees and clients alike connecting via a third-party cloud interface (i.e., a website or other internet portal)? Understanding how connections to services, products and data are accomplished gives you visibility into where you might be vulnerable to attackers. Make an inventory of all organization-owned assets so you know what you can directly protect. You should also identify any non-corporate-owned device that might be used to access organization data (phones and tablets) and ensure you know which employee is using what. Building a list of devices, associating them with the people they belong to, and then combining this list with the services that are accessible from the open internet gives you your basic attack surface. You now know what to protect.
3 – Plan your security program and start the build
Once you know how your business operates, and how both employees and customers access your services (internal and external), you can start planning out your cybersecurity program. Most plans will start with high-priority processes or services, although you can also start planning with anything that would be considered low-hanging fruit. In either instance, you should weigh the relative impact on your overall security against your existing budget. Spending where it has the most positive and practical impact on security keeps the security ball moving forward without breaking the bank. In most cases I would recommend investing in a good Endpoint Detection and Response (EDR) service or application. If you do not have staff to monitor or maintain it, look into an MDR (Managed Detection and Response) service so that you also gain a team that can not only deploy and configure security tools, but also watch for significant events and then respond to them to keep your systems secure. Vulnerability scanning along with a good patching tool (and the staff to run it) is also very important.
Knowing what you need to buy and when you can buy it also allows you to move quickly in the event of a security incident.
4 – Run
This is when you start to purchase the planned tools, staff, and services that you identified in your plan. A methodical approach to bringing the new systems online will ensure that you are getting the security you need without disrupting your operations. There is nothing more frustrating than having a major business impact because of an improperly deployed toolset. These impacts reduce confidence in the security team, the tool, and the effort in securing the environment. They can also lead to reluctance or resistance to future security-related changes if there is a loss of revenue, or a perceived loss of revenue, involved.
The four steps above are simplified, but they are still very valid. They allow any size organization to either build a security program or review and improve an existing one. As an example, once you have the context of your business you can use it to inform a formal business impact analysis (BIA). This takes the listed processes and breaks them out into critical and supporting processes. From there you define what downtime for each would represent in terms of real money and reputational impact. This document is used to identify areas of improvement in redundancy or diversity for services and processes. A proper BIA is also used by insurance providers to determine how mature your business processes are. The Context phase could also include existing security tools and vendors, to better understand whether they are meeting your needs and to allow you to plan for replacement or improvement.
Far too many organizations have no idea where to start with security, or how to improve existing programs. The steps above can allow you to start the continual process of building, reviewing, and improving your security program. Cybersecurity is a living item; it is never going to be done, simply because the threat actors are never going to stop. However, if you build out a process of understand (context), plan, build, run, and keep this process going through changes in your operations and the threat landscape, you can proactively start to reduce the risks and exposures to your organization.