Your Security Program is Not a Security Strategy

In our previous article, we discussed considerations for building a cybersecurity program. Next, we’ll dive into how to avoid many of the pitfalls that organizations face when building and implementing their security program and execution strategy. 

The key driver for executing on your cybersecurity program is something distinct: your cybersecurity strategy. Without a clear roadmap for your journey, your program will have a hard time accomplishing much. Having a security strategy helps you to understand your top cyber risks and how to mitigate them in a cost-effective manner. 

Where Security Programs Fall Short

While a cybersecurity program is absolutely necessary for any modern business, it is by no means sufficient on its own. It is generally difficult to provide a program “in-a-box” (i.e. one-size fits all) for any single company, because the business context in which a program operates must drive its design.

Security and other leaders frequently encounter frustration when implementing their program, despite its validity. The underlying reasons for this misalignment can typically be attributed to the following factors.

Policy Ownership and Enforcement

Cybersecurity policies set the standards for an organization's security posture and establish a framework for managing and mitigating cyber risks. Without clear ownership and support from department leaders, enforcement of these policies is difficult. Department leaders can help ensure that all employees, partners, and vendors are adhering to the same security standards. Otherwise, you'll find inconsistent security practices and gaps in your organization's defenses.

Receiving input and support from various stakeholders, including CEOs, business unit leaders, and even product managers will help your team develop policies that are supported and crafted in a manner that aligns with your business and culture. Without proper input and support, you will likely encounter various questions or even resistance, including:

• The importance of shipping a new feature, despite having an exploitable vulnerability
• Considering a certain vendor, despite failing to meet your vendor security criteria
• Disabling multi-factor authentication for a specific executive because it hampers productivity from home

If your organization's security program solely relies on security leaders to make decisions regarding cybersecurity policies and practices, those leaders may be faced with conflicting business priorities. This dynamic can result in decisions that de-prioritize business objectives over security risks, potentially leading to unexpected and undesirable outcomes.

An effective security program should involve collaboration between security professionals and other stakeholders across the organization, such as business leaders and IT teams, to ensure that security policies and practices are informed by a holistic understanding of the organization's goals, risks, and resources.

Viewing Establishing a Security Program as a One-Time Exercise

Launching your security program is a major achievement, and you should be proud. However, this does not mean you are "done." Having an effective and relevant security program means accepting that one thing will remain constant: change.

As the threat environment, economic conditions, and business priorities shift, your security program must adapt accordingly. In just a few short years (and even days, in some cases), businesses have faced significant changes such as:

• An explosion in the number of ransomware attacks in the early 2020s
• A rapid shift to remote work during the COVID-19 pandemic
• The imposition of new regulatory requirements such as the European Union's General Data Protection Regulation (GDPR)

Businesses with static security programs have struggled to adapt to these new challenges. Effective governance requires an effective and regular mechanism for changing policies, procedures, tools, and even culture as circumstances change.

The guiding principle for any such adjustments must be your security strategy.

Confusing Compliance With Security

Frameworks such as SOC 2 and ISO 27001 allow for standardization when comparing organizational security programs. Customers often use these reports to distinguish between more and less sophisticated vendors in terms of their cybersecurity practices.

However, it's important to understand that compliance and security are not the same thing. Compliance frameworks can provide a foundation for security programs, but they require significant substance to be truly effective. Ultimately, the goal is to avoid breaches, not just to have certain attestations or certifications.

The following scenarios illustrate how compliance and security differ:

• Your vulnerability management policy passes a SOC 2 audit, but your IT team struggles to patch as fast as the policy dictates
• You get a penetration test certification as suggested by the ISO 27001 standard. However, the tester only performs a time-boxed assessment that fails to replicate a real world scenario
• You implement anti-malware software, but fail to properly manage it, creating a false sense of security

Compliance frameworks can provide guidance and support for the development of your security program. However, they only represent the beginning of the work you need to do. To determine which frameworks to pursue, you must have a well-calibrated security strategy.

Over-Focusing on Cybersecurity Tools

Having the right tools is essential to get the job done, but it's important to remember that tools are just one aspect of a cybersecurity program. Simply having the latest offerings from vendors won't guarantee success if you don't have a well thought-out plan for using them.

The cybersecurity market is full of different offerings, and even industry veterans can find it challenging to sort through the noise. It's important to understand that no single tool can guarantee protection against a breach. Each tool represents a mitigating control with its own level of effectiveness and cost (both in terms of money and time).

An effective security program uses the most cost-effective tools available to address the biggest threats while minimizing the burden on both the security team and the business as a whole. An ineffective program focuses too heavily on acquiring the latest and greatest cybersecurity products.

Moving Beyond Tactics: Connecting Your Security Program to Security Strategy

At the end of the day, a security program is just one of the many risk management systems that a company must implement. Executives need to address not only cybersecurity risks, but also competitive, regulatory, technological, and human resources risks, among others.

To determine the appropriate balance and resource allocation for your cybersecurity program, you must first have an effective strategy in place. This will serve as a guide for your journey, and you will need to perform detailed analysis to determine what this means for you.

Define Your Business Objectives for Security

Understanding your priorities is critical to developing an effective security strategy. Ask yourself the following questions when establishing them:

• What are you trying to protect and what do your customers care about?
• What technologies do you need to deploy to meet their needs?
• What third-parties (vendors, regulators, competitors, etc.) do you need to account for?

The answers to these questions will vary greatly depending on your business. For example:

• Are you a retailer whose customers primarily pay in cash? If so, a data breach might not be an existential crisis. If, on the other hand, you are a health technology company dealing with sensitive information, a breach of customer data will likely result in hefty fines, lawsuits, and additional remediation costs.
• Do you build or run software in-house or do you primarily use Software-as-a-Service (SaaS)? If the former, you’ll probably be more focused on scanning your own code for vulnerabilities. If the latter, your vendor risk management program will need to be more comprehensive.
• What regulations are you subject to? While basically every U.S.-based company is governed by the Federal Trade Commission (FTC) if they fail to protect customer data, different sectors have varying levels of regulatory oversight when it comes to cybersecurity. A medical device company will need to clear Food and Drug Administration (FDA) premarket cybersecurity review while a consumer apparel one can start selling without any prior clearance.

Once you understand your business goals, you can start thinking about the malicious actors that might prevent you from reaching them.

Evaluate the Threat Landscape

Unfortunately, there are a lot of bad people out there. From ransomware gangs to nation-state actors, attackers of varying levels of sophistication are always on the lookout for targets.

The good news is that they don't attack randomly, as they all have objectives of their own.

Understanding how you might look as a target to them is a critical piece of your strategy.

• Ransomware is a serious concern for executives, and for good reason. Attackers who use ransomware are typically driven by profit, which makes their behavior somewhat predictable. These attackers tend to target vulnerable organizations that have the most to lose, and often rely on the same vulnerabilities and attack patterns repeatedly.
• Achieving perfect cybersecurity may not be necessary, but rather having defenses that are strong enough to deter attackers who are looking for easy targets. It's important to have a security program that effectively mitigates risks, given the sensitivity of the data that needs protection.
  
• While it may be true that most businesses are not typically targeted by government-backed hackers, it's important to consider where your organization fits into the broader supply chain. For instance, if your business has defense or government customers downstream, or if you provide critical technologies to such organizations, then you may be a more appealing target for state-sponsored actors seeking to infiltrate your networks or steal your intellectual property.
  

Therefore, it's essential to understand your organization's risk exposure and take appropriate measures to protect against potential threats, even if they may seem unlikely. By taking a proactive approach to security and implementing appropriate controls, you can help safeguard your organization and its assets from a range of cyber threats, including those posed by state-sponsored actors.

Prioritize Accordingly

Once you understand your business goals and the threats you face, it's time to start making tradeoffs. While there are some security measures that are a no-brainer when it comes to return on investment, like multi-factor authentication (MFA), the case for others might be less clear.

• Do you have a low-margin B2C business that doesn't maintain a lot of sensitive data? You might reasonably choose not to install the latest EDR system or hire a company delivering SOC-as-a-Service.
• Does your business sell a single piece of high-ticket software to defense contractors? In this case, you might want to implement a strict SDLC program that requires continuous validation and rapid remediation of known issues in your product.
• Are you a B2B SaaS vendor receiving many security questionnaires as part of your sales cycle? In this case, you might consider pursuing a SOC 2 attestation to build customer confidence in your security program and reduce friction.

As with every other aspect of your business, you are going to need to make tough calls as to what is a priority and what is not. Communicating these organizational decisions through a concise security strategy will set you up for success. And developing it prior to making major changes to your security program will ensure that the latter serves your business, instead of vice versa.

Conclusion

Beginning with an effective security strategy is key to building an effective security program. Lacking one will cause friction in your business, especially between IT and Security teams and other business units.

Once your security strategy and program are in place, you aren't done. Many organizations unfortunately believe they can check off a box once written policies are in place or they have purchased some cybersecurity tools. Unfortunately, this represents just a small piece of the process.

Driven by an effective and constantly-evolving strategy, however, your security program can help improve your business culturally, operationally, and financially.

If you are ready to start translating your security strategy into an effective cybersecurity program, start using the Enveedo platform now.