Building a Foundation: Your Cybersecurity Program

Tactics without strategy is the noise before defeat.

- Sun Tzu

As a leader in your organization, you probably know at least two things about cybersecurity:

• When you read the news every day, there is almost guaranteed to be a report about a company being attacked or breached.
• Everyone talks about what to do about it, but the amount of information feels overwhelming.

You may be familiar with the concept of a cybersecurity program as a way to address these challenges, and may even have one of your own in the works.

A well-designed security program is much more than a collection of policies and tools. It’s about understanding what is truly important to the business and creating a security culture across your organization.

What is a Security Program?

A security program is a tactically-oriented set of policies, procedures, and technology that allow for an organization to protect the confidentiality, integrity, and availability of its data. Such a program also includes an appropriate governance structure as well as the organization’s culture when it comes to security.

Let’s dive into each of these facets:

Governance

Ensuring the proper level of oversight and engagement for your security program is vital to making it successful. While the saying “security is everyone’s responsibility” sends a constructive message, it is still important to identify clearly who is responsible for what tasks when it comes to protecting the business’s data.

A well-structured governance system will describe:

• Who “owns” each policy and is responsible for its enforcement
• How frequently do policies and procedures need to be reviewed and updated
• What are the consequences for non-compliance with these requirements

Identifying the correct people within the organization to own and implement your program is absolutely vital. And your security strategy will help you determine the appropriate stakeholders.

Policies

Policies are written expressions of a company’s stance on specific security topics. Generally written at a high level without focus on specific tools or techniques, policies clearly define the business’s objectives and requirements when it comes to things like:

• Access management 
• Third-party security management
• Business continuity and disaster recovery (BC/DR)
• Acceptable use

In addition to providing clear direction to everyone in the organization as to its goals and standards of acceptable behavior, policies are required by an array of compliance frameworks such as the NIST Cybersecurity Framework (CSF) and SOC 2. Your security strategy, however, will drive how you draft your policies and what frameworks you pursue.

Procedures

At a more granular level, procedures explain to individual team members how to accomplish specific tasks in line with the company’s policies. They may explain how to do things like:

• Create a user account for a new user and enforcing multi-factor authentication (MFA)
• Analyze the cyber risk posed by a vendor prior to signing a contract
• Restore data from a backup during an emergency
• Employee storage and use of company information

Security procedures are step-by-step playbooks and checklists that allow individual contributors to accomplish discrete tasks. Ensuring procedures align with your policies and, ultimately, your security strategy, is key.

Technology 

Cybersecurity is a relatively technical discipline that requires specialized software in many cases. With that said, it’s important to not get wrapped around the axle when analyzing different products and services offerings. More than ever, the unique security needs of companies vary by their size, industry, IT infrastructure, technical resources, and budget. 

Some common tools that most organizations should consider, include:

• Multi-Factor authentication (MFA) - requires users to provide multiple forms of identification before accessing a system or application, making it more challenging for hackers to gain unauthorized access.
• Mobile device management (MDM) - allows the company’s information technology (IT) team to remotely update, lock, and even wipe the data from all devices with access to its network.
• Endpoint detection and response (EDR) - security software that detects and helps respond to potential security threats on servers and workstations.
• Asset inventory management - the process of identifying and tracking all the known hardware and software assets on a network or within an organization for security purposes. 

The exact number, type, and sophistication of the tools you use, though, will depend heavily on the threats you face and the resources available to you. Addressing these issues are a key component of a security strategy.

Culture

The effectiveness of a business’s cybersecurity program depends on more than just written documents and IT and security tools. Organizations must ensure that employees understand how cybersecurity contributes to organizational success and that stakeholders and individual contributors are prepared to fulfill their respective roles.

How well a business weathers the security challenges facing it depends heavily on things like:

• Frequency of employee security awareness training to encourage safe practices at home and at work
• Simulated phishing exercises that help train employees to identify phishing emails 
• Incentivizing consistent reporting of suspicious email messages to the IT or security team

While it's relatively easy to document cybersecurity requirements for employees and contractors, ensuring their consistent compliance is a challenge. Fostering a strong cybersecurity culture is critical for an effective cybersecurity program, which requires a well-developed cybersecurity strategy.

Where Security Programs Fall Short

While a cybersecurity program is absolutely necessary for any modern business, it is by no means sufficient. It is generally difficult to provide such a program “in-a-box” (i.e. ready to implement immediately) for a generic company. That is because the business context in which a program operates must drive its design.

In our next post, we’ll dive deeper into where security programs run into challenges and how to avoid common pitfalls.