Jason Sachowski | Commentary | 1/26/2015 01:45 AM
Building A Cybersecurity Program: 3 Tips

Getting from "we need" to "we have" a cybersecurity program is an investment in time and resources that's well worth the effort.

Implementing an effective cybersecurity program should be a top priority for every organization. But, depending on size, industry, and other factors, cybersecurity requirements are going to vastly differ from one organization to the next. How do you get from needing a cybersecurity program to having one? It takes a systematic approach. Here are some suggestions to get you started:

Information Security is not Cybersecurity
Every organization is going to speak a different language when it comes to security. What is important is that within each organization everyone speaks the same language. To level-set on what cybersecurity means, you have to first and foremost define what it is to your organization.

Contrary to popular opinion, whether held inadvertently or not, “Information Security” and “Cybersecurity” are not the same thing. In fact, if you take a deeper look into both disciplines, it is clear that there are significant differences between the two. Essentially, InfoSec is anything involving the security of information or information systems regardless of state (e.g. physical, such as paper, or digital, such as a database). Cybersecurity is anything involving the security of information or information systems in a digital state only (e.g. databases, financial systems).

Based on this understanding, it is quite reasonable to say that cybersecurity is in fact a subset of Information Security. You have now defined what cybersecurity means to your organization: the elements of InfoSec that are designed to safeguard digital assets and systems.

Laying the Groundwork
Your next step is to build on your definition by establishing a foundation for your program. In doing this, you don’t need to re-invent the wheel, because there are several well-established industry frameworks available to you, such as COBIT5 or the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which, in my opinion, provides the best foundation for a cybersecurity initiative.

As you work through your framework, you will probably find that many functions, categories or subcategories aren’t easily translatable into your organization. From this point, you’ll need to establish a correlation between the framework and your operational services. The Information Security Forum (ISF) Standards of Good Practice for Information Security provides an excellent reference for this exercise, after which you can figure out which operational services align with the scope of your cybersecurity definition. While working through this exercise, it is important to recognize that there are operational services aligning with your program that are supported by IT and/or business lines such as asset management, directory service administration, or software inventory.

Pulling together costs
You know what cybersecurity means to your organization, you’ve established a program using recognized industry frameworks/standards/etc., and all operational services have been aligned. It should be no surprise that at this point, executive management is going to ask the million dollar question: “How much do we spend on cybersecurity?”

No sweat! Having already mapped out the operational services that align to cybersecurity, you are in a much better position to justify your resource and operational budget allocations. However, from the granular perspective of operational services, presenting a breakdown of your cybersecurity program costing can be overwhelming. This is where the framework for operational service mapping comes into play.

At the highest level of the cybersecurity program are so-called ‘Control Objectives’ like ‘Security Operations’ or ‘Incident Management.’ Within each of the Control Objectives is where you find a subset of unique ‘Control Selections’ like ‘Secure Awareness Training’ or ‘Malware Protection Software.’ At the lowest level, within each Control Selection is where you have the many-to-many mapping of operational services like ‘ID Provisioning’ or ‘Web Application Protection’.

Your operational services all come with a total service cost, separated into either overhead (people) or operational (software/hardware) expenses. Because the mapping is many-to-many, a service that appears under several Control Selections would be counted several times if you simply summed it wherever it appears. Instead, divide each service’s total cost by the number of Control Selections it is mapped into, and attribute that share to each of them. Rolling these shares up through Control Selections and Control Objectives, you are now equipped to demonstrate the overall cost of your program.
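As an added illustration that is not part of the article, the short Python script below applies the allocation rule just described to a constructed set of operational services and a constructed Control Objective / Control Selection mapping; all service names, costs and mappings are made up, and the script also reports any service that was left out of the mapping, since its cost would otherwise silently disappear from the program total.

```python
from collections import defaultdict

# Constructed sample data (not from the article): annual cost per operational
# service, split into overhead (people) and operational (software/hardware).
SERVICES = {
    "ID Provisioning":             {"overhead": 120_000, "operational": 30_000},
    "Web Application Protection":  {"overhead": 80_000,  "operational": 60_000},
    "Malware Protection Software": {"overhead": 40_000,  "operational": 90_000},
    "Security Awareness Training": {"overhead": 50_000,  "operational": 10_000},
    "Log Retention":               {"overhead": 20_000,  "operational": 25_000},  # deliberately unmapped
}

# Constructed mapping: Control Objective -> Control Selection -> services.
# Many-to-many: "ID Provisioning" is mapped into two Control Selections.
MAPPING = {
    "Security Operations": {
        "Malware Protection": ["Malware Protection Software", "Web Application Protection"],
        "Access Control":     ["ID Provisioning"],
    },
    "Incident Management": {
        "Security Awareness Training": ["Security Awareness Training", "ID Provisioning"],
    },
}

def selection_counts(mapping):
    """How many Control Selections each service is mapped into."""
    counts = defaultdict(int)
    for selections in mapping.values():
        for services in selections.values():
            for svc in set(services):   # same service twice in one selection counts once
                counts[svc] += 1
    return counts

def allocate(services, mapping):
    """Spread each service's total cost evenly over the selections it maps into,
    then roll the shares up per Control Selection and per Control Objective."""
    counts = selection_counts(mapping)
    by_selection, by_objective = {}, defaultdict(float)
    for objective, selections in mapping.items():
        for selection, svcs in selections.items():
            share = sum((services[s]["overhead"] + services[s]["operational"]) / counts[s]
                        for s in set(svcs))
            by_selection[(objective, selection)] = share
            by_objective[objective] += share
    return by_selection, dict(by_objective)

def program_total(services, mapping):
    """Total cost attributable to the program; equals the sum of mapped service costs."""
    return sum(allocate(services, mapping)[1].values())

def unmapped(services, mapping):
    """Services whose cost is not represented anywhere in the program (a mapping gap)."""
    return sorted(set(services) - set(selection_counts(mapping)))
```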

Bottom line: Getting from “we need” a cybersecurity program to “we have” one requires a serious investment in both time and resources. But once you’ve come to the end of the process, you will be able to say “Here’s how much we spend on cybersecurity” and have the hard numbers to back it up.

Jason is an Information Security professional with over 10 years of experience. He is currently the Director of Security Forensics & Civil Investigations within the Scotiabank group. Throughout his career at Scotiabank, he has been responsible for digital investigations, ...
Comments
JGarner721, User Rank: Apprentice, 1/28/2015 | 4:07:49 PM
Disagree but understand the stance
The most valuable assets to an organization are its informational assets. If what you describe is true, then the infrastructure is the only thing that is critical. But every piece of hardware and software (endpoint devices, routers, anti-malware software and so on) is in place to ensure the confidentiality, integrity and availability of that information. If an organization understands its informational assets, an information security program is the starting point. That program would have the subset of a cyber security program. Otherwise, you are putting the cart ahead of the horse. I believe the discussion on cyber and information security is a positive process. I just find it interesting that everything you are referencing is addressed in current information security philosophy. Resilience and incident response are key items addressed in cybersecurity. These are already addressed with Business Continuity/Disaster Recovery programs and emergency response and current incident response elements. Where most organizations fall short is their ability to solicit intelligence, then use it for decision making and effectively forecast their organizational threats. Two key components of any sound informational and cyber security program are: a comprehensive asset inventory and a risk assessment applied to those assets to determine the risk management strategy. Great discussion!
Marilyn Cohodas, User Rank: Strategist, 1/28/2015 | 11:19:21 AM
Re: Good pragmatic advice
Thanks Jason. Useful suggestions! 
JasonSachowski, User Rank: Author, 1/27/2015 | 6:59:42 PM
Re: Good pragmatic advice
Perhaps I can give a breakdown of the logic of how to arrive at a definition.

1) First of all is figuring out what "Cyber" is. Cyber, as per Oxford, is anything "relating to or characteristic of the culture of computers, information technology, and virtual reality". In essence, this can be summed up to say that all things "cyber" is all things "digital" is all things "cybersecurity".

2) Second, the term "all things" has to be translated into relevant and meaningful entities for your organization. In other words, "all things" has to be qualified into the assets and/or systems that must be safeguarded.

3) Third, what do we mean by "safeguarding"? If we consider the S.T.R.I.D.E. Threat Model, there are essentially two major groupings that assets and/or systems must be safeguarded against: damage and/or unauthorized access.

4) Lastly, how do we safeguard against damage and/or unauthorized access? Well, as with an Information Security program there has to be an integration of people, process, and technology.
Marilyn Cohodas, User Rank: Strategist, 1/27/2015 | 9:47:23 AM
Re: Good pragmatic advice
Thanks! Are you free to share what your organization used to define security -- or can you offer a generic example of what might work for a particular industry...
JasonSachowski, User Rank: Author, 1/27/2015 | 9:43:11 AM
Re: Good pragmatic advice
The trickiest part is coming to the end of the job of defining what "Cybersecurity" is to an organization, because of how it is being used interchangeably with "Information Security". Getting over this speed bump requires that stakeholders, such as InfoSec professionals and management, are aligned with what "Cybersecurity" means to your organization. From here, everything afterwards falls into place because everybody is in agreement.
Marilyn Cohodas, User Rank: Strategist, 1/27/2015 | 8:50:20 AM
Good pragmatic advice
Great job on this blog, Jason. Wondering, in your experience, what is the trickiest part of building a cybersecurity program -- and how did you deal with the problem?