Operations

1/26/2015
01:45 AM
Jason Sachowski
Commentary

Building A Cybersecurity Program: 3 Tips

Getting from "we need" to "we have" a cybersecurity program is an investment in time and resources that's well worth the effort.

Implementing an effective cybersecurity program should be a top priority for every organization. But, depending on size, industry, and other factors, cybersecurity requirements are going to vastly differ from one organization to the next. How do you get from needing a cybersecurity program to having one? It takes a systematic approach. Here are some suggestions to get you started:

Information Security is not Cybersecurity
Every organization is going to speak a different language when it comes to security. What is important is that within each organization everyone speaks the same language. To level-set on what cybersecurity means, you have to first and foremost define what it is to your organization.

Contrary to how the terms are often used, whether inadvertently or not, “Information Security” and “Cybersecurity” are not the same thing. A closer look at the two disciplines shows a clear difference in scope. InfoSec covers the security of information and information systems regardless of state, physical or digital (e.g. paper records as well as databases). Cybersecurity covers the security of information and information systems in a digital state only (e.g. databases, financial systems).

Based on this understanding, it is reasonable to say that cybersecurity is a subset of Information Security. You have now defined what cybersecurity means to your organization: the elements of InfoSec that are designed to safeguard digital assets and systems.

Laying the Groundwork
Your next step is to build on your definition by establishing a foundation for your program. There is no need to re-invent the wheel here, because several well-established industry frameworks are available to you, such as COBIT 5 or the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which in my opinion provides the best foundation for a cybersecurity initiative.

As you work through your framework, you will probably find that many functions, categories, or subcategories don't translate easily into your organization. At this point you need to establish a correlation between the framework and your operational services. The Information Security Forum (ISF) Standard of Good Practice for Information Security is an excellent reference for this exercise; once it is done, you can determine which operational services fall within the scope of your cybersecurity definition. While working through this exercise, bear in mind that some of the operational services that align with your program are owned and delivered by IT and/or business lines, such as asset management, directory service administration, or software inventory.

Pulling together costs
You know what cybersecurity means to your organization, you’ve established a program using recognized industry frameworks/standards/etc., and all operational services have been aligned. It should be no surprise that at this point, executive management is going to ask the million dollar question: “How much do we spend on cybersecurity?”

No sweat! Having already mapped out the operational services that align to cybersecurity, you are in a much better position to justify your resource and operational budget allocations. However, from the granular perspective of operational services, presenting a breakdown of your cybersecurity program costing can be overwhelming. This is where the framework for operational service mapping comes into play.

At the highest level of the cybersecurity program are so-called ‘Control Objectives’ such as ‘Security Operations’ or ‘Incident Management.’ Within each Control Objective sits a set of unique ‘Control Selections’ such as ‘Security Awareness Training’ or ‘Malware Protection Software.’ At the lowest level, within each Control Selection, is the many-to-many mapping to operational services such as ‘ID Provisioning’ or ‘Web Application Protection’: a single service can support several Control Selections, and a Selection typically draws on several services.

Each operational service comes with a total service cost, separated into overhead (people) and operational (software/hardware) expenses. Count the number of Control Selections a service is mapped into and divide the service's total cost by that number; each Selection is charged one share, so a service that supports several Selections is never counted more than once in the program total. Using the mapping of Control Objectives, Selections, and Services, you are now equipped to demonstrate the overall cost of your program.
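As an added worked example (not part of the original article), the allocation rule above in Python: each operational service's cost is divided evenly across every Control Selection it maps to, then rolled up to Control Objectives and to the program total. The service names, costs and mappings are constructed sample data, not figures from any real program. It also carries two checks a practitioner will want before the numbers go to executive management: the allocated program total must reconcile to the full cost of every mapped service counted exactly once (a service sitting in three Selections must not be charged three times, which is what a naive sum does), and any costed service that maps to no Selection is either genuinely out of scope or a hole in the mapping.

```python
from collections import defaultdict

# Constructed sample data (not from the article): annual cost per operational
# service, split into overhead (people) and operational (software/hardware).
SERVICES = {
    "ID Provisioning":            {"overhead": 300_000, "operational": 50_000},
    "Web Application Protection": {"overhead": 120_000, "operational": 180_000},
    "Malware Protection":         {"overhead": 80_000,  "operational": 220_000},
    "Asset Management":           {"overhead": 150_000, "operational": 40_000},  # delivered by IT
    "Printer Fleet Support":      {"overhead": 90_000,  "operational": 30_000},  # deliberately unmapped
}

# Constructed program mapping: Control Objective -> Control Selection -> services.
# A service may appear under several Selections (many-to-many).
PROGRAM = {
    "Security Operations": {
        "Malware Protection Software": ["Malware Protection", "Asset Management"],
        "Identity & Access Control":   ["ID Provisioning"],
    },
    "Incident Management": {
        "Incident Detection & Response": ["Malware Protection",
                                          "Web Application Protection",
                                          "Asset Management"],
    },
}

COST_TYPES = ("overhead", "operational")


def selection_counts(program):
    """Number of Control Selections each service maps into; this is the divisor."""
    counts = defaultdict(int)
    for selections in program.values():
        for names in selections.values():
            for name in names:
                counts[name] += 1
    return dict(counts)


def allocate(program, services):
    """Allocate service costs to Selections and roll them up to Objectives.

    Returns (per_selection, per_objective, unmapped) where
      per_selection[obj][sel] = {"overhead": x, "operational": y, "total": x + y}
      per_objective[obj]      = the same three keys, summed over its Selections
      unmapped                = costed services that appear in no Selection
    """
    counts = selection_counts(program)
    per_selection, per_objective = {}, {}
    for obj, selections in program.items():
        per_selection[obj] = {}
        obj_cost = dict.fromkeys(COST_TYPES, 0.0)
        for sel, names in selections.items():
            sel_cost = dict.fromkeys(COST_TYPES, 0.0)
            for name in names:
                for kind in COST_TYPES:
                    # One share = service cost / number of Selections it maps into.
                    sel_cost[kind] += services[name][kind] / counts[name]
            sel_cost["total"] = sel_cost["overhead"] + sel_cost["operational"]
            per_selection[obj][sel] = sel_cost
            for kind in COST_TYPES:
                obj_cost[kind] += sel_cost[kind]
        obj_cost["total"] = obj_cost["overhead"] + obj_cost["operational"]
        per_objective[obj] = obj_cost
    unmapped = sorted(set(services) - set(counts))
    return per_selection, per_objective, unmapped


def program_total(per_objective):
    """Headline answer to 'how much do we spend on cybersecurity?'"""
    return sum(o["total"] for o in per_objective.values())


def naive_total(program, services):
    """The wrong answer: the full service cost charged once per Selection it appears in."""
    return sum(services[n]["overhead"] + services[n]["operational"]
               for selections in program.values()
               for names in selections.values()
               for n in names)


def reconciles(program, services):
    """True when the allocated total equals every mapped service counted exactly once.

    Guards against double counting a service that sits in several Selections and
    against a mapping that silently drops part of a service's cost.
    """
    counts = selection_counts(program)
    mapped = sum(services[n]["overhead"] + services[n]["operational"] for n in counts)
    _, per_objective, _ = allocate(program, services)
    return abs(program_total(per_objective) - mapped) < 0.01


if __name__ == "__main__":
    per_sel, per_obj, unmapped = allocate(PROGRAM, SERVICES)
    for obj, sels in per_sel.items():
        print(f"{obj}: {per_obj[obj]['total']:,.0f}")
        for sel, cost in sels.items():
            print(f"  {sel}: {cost['total']:,.0f} "
                  f"(people {cost['overhead']:,.0f}, software/hardware {cost['operational']:,.0f})")
    print(f"Program total: {program_total(per_obj):,.0f}")
    print(f"Naive (double-counted) total: {naive_total(PROGRAM, SERVICES):,.0f}")
    print("Reconciles:", reconciles(PROGRAM, SERVICES))
    print("Costed but unmapped:", unmapped)
```

With the sample data the program total is 1,140,000 while the naive sum is 1,630,000; the 490,000 gap is exactly the cost of the two services that appear in both Control Objectives being charged twice. Whether an unmapped service such as the printer fleet belongs in the program is a scoping decision for the definition step, not something the arithmetic can settle.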

Bottom line: Getting from “we need” a cybersecurity program to “we have” one requires a serious investment in both time and resources. But once you’ve come to the end of the process, you will be able to say “Here’s how much we spend on cybersecurity” and have the hard numbers to back it up.

Jason is an Information Security professional with over 10 years of experience. He is currently the Director of Security Forensics & Civil Investigations within the Scotiabank group. Throughout his career at Scotiabank, he has been responsible for digital investigations, ...
Comments
JGarner721, 1/28/2015 | 4:07:49 PM
Disagree but understand the stance
The most valuable asset to an organization is its informational assets. If what you describe is true, then the infrastructure is the only thing that is critical. But every piece of hardware and software (endpoint devices, routers, anti-malware software, and so on) is in place to ensure the confidentiality, integrity, and availability of that information. If an organization understands its informational assets, an information security program is the starting point. That program would have the subset of a cyber security program. Otherwise, you are putting the cart ahead of the horse. I believe the discussion on cyber and information security is a positive process. I just find it interesting that everything you are referencing is addressed in current information security philosophy. Resilience and incident response are key items addressed in cybersecurity. These are already addressed with Business Continuity/Disaster Recovery programs, emergency response, and current incident response elements. Where most organizations fall short is their ability to solicit intelligence, then use it for decision making and effectively forecast their organizational threats. Two key components of any sound informational and cyber security program are a comprehensive asset inventory and a risk assessment applied to those assets to determine the Risk Management strategy. Great discussion!
Marilyn Cohodas, 1/28/2015 | 11:19:21 AM
Re: Good pragmatic advice
Thanks Jason. Useful suggestions! 
JasonSachowski, 1/27/2015 | 6:59:42 PM
Re: Good pragmatic advice
Perhaps I can give a breakdown of the logic of how to arrive at a definition.

1) First of all is figuring out what "Cyber" is. Cyber, as per Oxford, is anything "relating to or characteristic of the culture of computers, information technology, and virtual reality". In essence, this can be summed up to say that all things "cyber" is all things "digital" is all things "cybersecurity".

2) Second, the term "all things" has to be translated into relevant and meaningful entities for your organization. In other words, "all things" has to be qualified into the assets and/or systems that must be safeguarded.

3) Third, what do we mean by "safeguarding"? If we consider the S.T.R.I.D.E. Threat Model, there are essentially two major groupings that assets and/or systems must be safeguarded against: damage and/or unauthorized access.

4) Lastly, how do we safeguard against damage and/or unauthorized access? Well, as with an Information Security program, there has to be an integration of people, process, and technology.
Marilyn Cohodas, 1/27/2015 | 9:47:23 AM
Re: Good pragmatic advice
Thanks! Are you free to share what your organization used to define security -- or can you offer a generic example of what might work for a particular industry...
JasonSachowski, 1/27/2015 | 9:43:11 AM
Re: Good pragmatic advice
The trickiest part is coming to the end of the job of defining what "Cybersecurity" is to an organization, because of how it is being used interchangeably with "Information Security". Getting over this speed bump requires that stakeholders, such as InfoSec professionals and management, are aligned on what "Cybersecurity" means to your organization. From here, everything afterwards falls into place because everybody is in agreement.
Marilyn Cohodas, 1/27/2015 | 8:50:20 AM
Good pragmatic advice
Great job on this blog, Jason. Wondering, in your experience, what is the trickiest part of building a cybersecurity program -- and how did you deal with the problem?