Information Security Programs: Where to Start?
Hack, breach, phishing, spear phishing, ransomware. These are all words that we hear in the news on a daily basis due to some sort of threat that exists in the world of technology and information security. Most organizations have compliance requirements that they must adhere to, whether that is HIPAA, PCI, or any other regulation, so they are “forced” to have some type of information security program in place. But what about organizations, as rare as they might be these days, that don’t have a compliance requirement hanging over them? Or what about a startup that wants to make security a priority out of the gate? Where do they begin and how should they start? While there are many different answers to this question, a great place to look first is the Center for Internet Security Critical Security Controls (for more detailed information, check out these previous blog posts: part 1, part 2, part 3, part 4). We are going to discuss a very high-level overview of these controls and invite you to register for our webinar next week on the recent changes to these controls.
What are the Center for Internet Security Critical Security Controls? Formerly known as the SANS Top 20, these controls are a prioritized, scrutinized, and supported set of controls that organizations can implement to assess and ultimately improve their cyberdefense strategy and position. This doesn’t mean that by implementing these controls makes you bulletproof, it means that you are more secure by having these controls, and MONITORING THESE CONTROLS, than not having them at all. The key to this entire information security program is to continually assess your security position, not just implement these controls, create a bunch of policies, and move on with your business. These are not the crock pot of information security where you “set it and forget it.” You need to constantly be assessing your business, systems, and resources to ensure these controls are working for you. With all that, there are 5 main “sections” of an effective IT security program or cyberdefense program, which are:
- Offense Informs Defense: Take information from actual attacks that have taken place and use that information to better structure your information security program against real, validated threats
- Prioritization: We will cover this in greater detail in a moment but organizations should invest in and focus on the controls that provide the most “bang for the buck” by reducing risk the most
- Metrics: Create common metrics so that all stakeholders both inside and outside an organization can be on the same page. These stakeholders might include C-level executives, IT staff, Auditors, and Security professionals
- Continuous Diagnostics and Monitoring: Remember the crock pot analogy from above? Same thing!
- Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to controls and related metrics
The order of the CIS Critical Security Controls is also important. This is not a random, guesswork approach at what order to put the controls in, rather it is a well thought out, detailed plan designed for quick wins. To illustrate this, the first 5 CSC’s are considered most important, foundational, and essential for any information security program out there. And want to hear the best part of all of this? The order can change when revisions come out. This speaks directly to the point above of offense informing defense. The order of these controls, as well as the details for implementing these controls, are subject to change based on the current threat landscape, hence the continuous diagnostics and monitoring suggestion.
Information Security is important, and possibly the biggest threat to businesses around the world in terms of retaining and gaining customers. In addition, from a vendor perspective, companies want to know that the organizations they choose to do business with take information security seriously. If you don’t have an information security program in place or are struggling with where to start, go to the Center for Internet Security Critical Security Controls and implement those first. This will give you a great starting point so you can do what matters most — securing your sensitive data!