Operations

1/26/2015
01:45 AM
Jason Sachowski
Jason Sachowski
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Building A Cybersecurity Program: 3 Tips

Getting from "we need" to "we have" a cybersecurity program is an investment in time and resources that's well worth the effort.

Implementing an effective cybersecurity program should be a top priority for every organization. But, depending on size, industry, and other factors, cybersecurity requirements are going to vastly differ from one organization to the next. How do you get from needing a cybersecurity program to having one? It takes a systematic approach. Here are some suggestions to get you started:

Information Security is not Cybersecurity
Every organization is going to speak a different language when it comes to security. What is important is that within each organization everyone speaks the same language. To level-set on what cybersecurity means, you have to first and foremost define what it is to your organization.

Contrary to public opinion, either inadvertently or not, “Information Security” and “Cybersecurity” are not the same thing. In fact, if you take a deeper look into both disciplines, it is clear that there are actually significant differences between the two. Essentially, InfoSec is anything involving the security of information or information systems regardless of state (e.g. physical = paper | digital = database). Cybersecurity is anything involving the security of information or information systems in a digital state (e.g. database, financial systems).

Based on this understanding, it is quite reasonable to say that cybersecurity is in fact a subset of Information Security.  You have now defined what cyber security means to your organization: the elements of InfoSec that are designed to safeguard digital assets and systems.

Laying the Groundwork
Your next step is to build on your definition by establishing a foundation for your program. In doing this, you don’t need to re-invent the wheel because there are several well established industry frameworks available to you, such as COBIT5, or the National Institute of Standards and Technology (NIST) Cybersecurity Framework which, in my opinion, provides the best foundation for a cybersecurity initiative .

As you work through your framework, you will probably find that many functions, categories or subcategories aren’t easily translatable into your organization. From this point, you’ll need to establish a correlation between the framework and your operational services. The Information Security Forum (ISF) Standards of Good Practice for Information Security provides an excellent reference for this exercise, after which you can figure out which operational services align with the scope of your cybersecurity definition. While working through this exercise, it is important to recognize that there are operational services aligning with your program that are supported by IT and/or business lines such as asset management, directory service administration, or software inventory.

Pulling together costs
You know what cybersecurity means to your organization, you’ve established a program using recognized industry frameworks/standards/etc., and all operational services have been aligned. It should be no surprise that at this point, executive management is going to ask the million dollar question: “How much do we spend on cybersecurity?”

No sweat! Having already mapped out the operational services that align to cybersecurity, you are in a much better position to justify your resource and operational budget allocations. However, from the granular perspective of operational services, presenting a breakdown of your cybersecurity program costing can be overwhelming. This is where the framework for operational service mapping comes into play.

At the highest level of the cybersecurity program are so-called ‘Control Objectives’ like ‘Security Operations’ or ‘Incident Management.’ Within each of the Control Objectives is where you find a subset of unique ‘Control Selections’ like ‘Secure Awareness Training’ or ‘Malware Protection Software.’ At the lowest level, within each Control Selection is where you have the many-to-many mapping of operational services like ‘ID Provisioning’ or ‘Web Application Protection’.

Your operational services all come with a total service cost separated into either overhead (people) or operational (software/hardware) expenses. For the total number of times an operational service is mapped into a Control Selection, you must divide that number into the total service cost. Using the mapping of Control Objectives, Selections, and Services you are now equipped to demonstrate the overall cost of your program.

Bottom line: Getting from “we need” a cybersecurity program” to “we have” one requires a serious investment in both time and resources. But once you’ve come to the end of the process, you will be able to say “Here’s how much we spend on cybersecurity” – and have the hard numbers to back it up.

Jason is an Information Security professional with over 10 years of experience. He is currently the Director of Security Forensics & Civil Investigations within the Scotiabank group. Throughout his career at Scotiabank, he has been responsible for digital investigations, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JGarner721
100%
0%
JGarner721,
User Rank: Apprentice
1/28/2015 | 4:07:49 PM
Disagree but understand the stance
The most valuable asset to an organization is the informational assets. If what you describe is true, then the infrastructure is the only thing that is critical. But, every piece of hardware and software (endpoint devices, routers, anti-malware software and so on) are in place to ensure the confidentiality, integrity and availability of that information. If an organization understands the its informational assets an information security program is the starting point. That program would have the subset of a cyber security program. Otherwise, you are putting the cart ahead of the horse. I believe the discussion on cyber and information security is a positive process. I just find it interesting that everything you are referencing is addressed in current information security philosophy. Resilience and Incident response are key items addressed in CyberSecurity. These are already addressed with Business Continuity/Disaster Recovery programs and Emergency response and current Incident response elements. Where most organizations fall short is their ability to solicit intelligence, then use it for decision making and effectively forecast on their organizational threats. Two key components of any sound informational and cyber security program are; A comprehensive asset inventory and a risk assessment applied to those assets to determine the Risk Management strategy. Great Discussion!
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
1/28/2015 | 11:19:21 AM
Re: Good pragmatic advice
Thanks Jason. Useful suggestions! 
JasonSachowski
50%
50%
JasonSachowski,
User Rank: Author
1/27/2015 | 6:59:42 PM
Re: Good pragmatic advice
Perhaps I can give a break down into the logic of how to arrive at a definition.

1) First of all is figuring our what "Cyber" is.  Cyber, as per Oxford, is anything "relating to or characteristic of the culture of computers, information technology, and virtual reality". In essence, this can be summed up to say that all things "cyber" is all things "digital" is all things "cybersecurity".

2) Second, the term "all things" has to be translated into relevant and meaningful entities for your organization.  In other words, "all things" has to be qualified into the assets and/or systems that must be safeguarded.

3) Third, what do we mean by "safeguarding"?  If we consider the S.T.R.I.D.E. Threat Model, there are essentially two major grouping that assets and/or systems must be safeguarded against: damage and/or unauthorized access

4) Lastly, how do we safeguard against damage and/or unauthorized access? Well, as with an Information Security program there has to be an integration of people, process, and technology.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/27/2015 | 9:47:23 AM
Re: Good pragmatic advice
Thanks! Are you free to share what your organization used to define security -- or can you offfer a generic example of what might work for a particular industry...
JasonSachowski
50%
50%
JasonSachowski,
User Rank: Author
1/27/2015 | 9:43:11 AM
Re: Good pragmatic advice
The trickest part is coming to end of job on defining what "Cybersecurity" is to an organization because of how it is being used interchangeably with "Information Security".  Getting over this speed bump requires that Stakeholders, such as InfoSec professionals and management, are aligned with what "Cybersecurity" means to your organization.  From here, everything afterwards falls into place because everybody is in agreement.
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
1/27/2015 | 8:50:20 AM
Good pragmatic advice
Great job on this blog, Jason. Wondering, in your experience, what is the trickest part of building a cybersecurity program -- and how did  you deal with the problem? 
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
White Hat to Black Hat: What Motivates the Switch to Cybercrime
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
PGA of America Struck By Ransomware
Dark Reading Staff 8/9/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now about that mortgage refinance offer from Wells Fargo .....
Current Issue
Flash Poll
The State of IT and Cybersecurity
The State of IT and Cybersecurity
IT and security are often viewed as different disciplines - and different departments. Find out what our survey data revealed, read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-6970
PUBLISHED: 2018-08-13
VMware Horizon 6 (6.x.x before 6.2.7), Horizon 7 (7.x.x before 7.5.1), and Horizon Client (4.x.x and prior before 4.8.1) contain an out-of-bounds read vulnerability in the Message Framework library. Successfully exploiting this issue may allow a less-privileged user to leak information from a privil...
CVE-2018-14781
PUBLISHED: 2018-08-13
Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL-TIME, 523 / MMT - 723 Paradigm Revel, 523K / MMT - 723K Paradigm Revel, and 551 / MMT - 751 MiniMed 530G The models identified above, when paired with a remote controller and having the "easy bolus" and "remote bolu...
CVE-2018-15123
PUBLISHED: 2018-08-13
Insecure configuration storage in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows remote attacker perform new attack vectors and take under control device and smart home.
CVE-2018-15124
PUBLISHED: 2018-08-13
Weak hashing algorithm in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows unauthenticated attacker extract clear text passwords and get root access on the device.
CVE-2018-15125
PUBLISHED: 2018-08-13
Sensitive Information Disclosure in Zipato Zipabox Smart Home Controller allows remote attacker get sensitive information that expands attack surface.