Cybersecurity: A Primer for Business Leaders

Cybersecurity Primer

Without question, security has become top of mind for business leadership. Many organizations fear, with good reason, that they will suffer a data breach, a ransomware attack or both in the near future. More than ever, firms need to take a proactive position and actively secure their organizations rather than waiting for an incident. The first step toward doing this is knowledge.

The Cybersecurity Process

Here is a primer for developing and managing a cybersecurity process that will help you and your firm become more secure. It is the straightforward process we use at Ascension Technology Group to help companies achieve a high level of security compliance.


Assessment

The initial and perhaps most critical step is to determine your company's current security posture. A structured and reliable assessment should always review current policies, procedures, technical environments and other security-related functions against recognized standards.

Ascension employs a proprietary toolset built on a wide spectrum of generally accepted practices. We align and map numerous generally accepted standards, frameworks and regulations, such as ISO/IEC 27001, NIST SP 800-53, ISA/IEC 62443, COBIT 5, the CIS Critical Security Controls, GDPR and PCI DSS, into a concise assessment tool that simplifies both the assessment process and the reporting. With a structured assessment in hand, you and your team will be able to scope the security tasks necessary to achieve compliance.

Reporting

After completing an assessment, organizations should implement a reporting system to help leadership and other interested parties understand security issues and gaps, as well as the current status of any ongoing remediation efforts.

Strategy, Remediation, Time and Goal

With the assessment complete and a reporting system communicating and tracking progress, top management should develop a reasonable and effective strategy for closing all identified security gaps.

The next step is to manage and remediate each issue by working with internal teams, third parties and leadership to achieve compliance.

Over time, continuously managing and improving every element of security will guide your company to a higher, consistent and repeatable security posture.

The ultimate goal is to achieve full compliance and to provide continuous reporting that verifies compliance is being maintained.

Necessary Domains of Knowledge

Finally, your security process should include, at a minimum, the following operational and security domains of knowledge. They follow the five core functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover):

Identify

  • Asset Management
    Identify the data, personnel, devices, systems and facilities that enable the organization to achieve business purposes, and manage them consistent with their relative importance to organizational objectives and the company’s risk strategy.
  • Business Environment
    Understand and prioritize the company’s mission, objectives, stakeholders and activities; this information is used to inform cybersecurity roles, responsibilities and risk management decisions.
  • Governance
    Understand the policies, procedures and processes to manage and monitor the company’s regulatory, legal, risk, environmental and operational requirements, and use them to inform management of cybersecurity risk.
  • Risk Assessment
    The organization should understand the cybersecurity risk to organizational operations (including mission, functions, image or reputation), organizational assets and individuals.
  • Risk Management Strategy 
    Establish the company’s priorities, constraints, risk tolerances and assumptions, and use them to support operational risk decisions.
  • Supply Chain Risk Management 
    Use the priorities, constraints, risk tolerances and assumptions mentioned above to support risk decisions associated with managing supply chain risk. The organization must establish and implement the processes to identify, assess and manage these risks.

Protection

  • Identity Management, Authentication and Access Control
    Limit access to physical and logical assets and associated facilities to authorized users, processes and devices, and manage this access consistent with the assessed risk of unauthorized access to authorized activities and transactions.
  • Awareness and Training
    Provide the company’s personnel and partners with cybersecurity awareness education and train them to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures and agreements.
  • Data Security
    Manage information and records (data) consistent with the company’s risk strategy to protect the confidentiality, integrity and availability of information.
  • Information Protection Processes and Procedures
    Maintain security policies (which address purpose, scope, roles, responsibilities, management commitment and coordination among organizational entities), processes and procedures, and use them to manage protection of information systems and assets.
  • Maintenance
    Perform maintenance and repairs of industrial control and information system components consistent with policies and procedures.
  • Protective Technology 
    Manage technical security solutions to ensure the security and resilience of systems and assets, consistent with related policies, procedures and agreements.

Detection

  • Anomalies and Events
    Detect anomalous activity and understand the potential impact of events.
  • Security Continuous Monitoring
    Monitor the information system and assets to identify cybersecurity events and verify the effectiveness of protective measures.
  • Detection Processes 
    Maintain and test detection processes and procedures to ensure awareness of anomalous events.

Response

  • Response Planning
    Execute and maintain response processes and procedures to ensure response to detected cybersecurity incidents.
  • Communications
    Coordinate response activities with internal and external stakeholders (e.g., external support from law enforcement agencies).
  • Analysis 
    Conduct analysis to ensure effective response and support recovery activities.
  • Mitigation
    Perform activities to prevent expansion of an event, mitigate its effects and resolve the incident.
  • Improvements 
    Improve organizational response activities by incorporating lessons learned from current and previous detection/response activities.

Recovery

  • Recovery Planning 
    Execute and maintain recovery processes and procedures to ensure restoration of systems or assets affected by cybersecurity incidents.
  • Improvements 
    Improve recovery planning and processes by incorporating lessons learned into future activities.
  • Communications 
    Coordinate restoration activities with internal and external parties (e.g., coordinating centers, internet service providers, owners of attacking systems, victims, other security teams and vendors).

Stop Breaches Before They Happen

Unfortunately, we have received calls from leaders who never performed an assessment and who reach out only after a breach or security incident has already happened.

"What happened?" they ask. "Are we responsible? Why did I get targeted?"

We have to advise them that the first step is always an honest assessment of what actually happened and of where the organization's security posture stands today.

Please feel free to call and ask any and all questions you may have regarding cybersecurity.



About the Author

Paul Scott

Paul Scott is the chief executive and senior partner at Ascension Technology Group. He has been a technology and management leader for Fortune 500 firms such as Alltel Wireless and Lucent Technologies as well as smaller mid-size firms. Paul was privileged to negotiate an $8 billion/10-year deal and provide senior leadership for many merger and acquisition activities as well as other high-level business development actions for companies ranging from new ventures, such as Photozone.com, to large firms, like Alltel Wireless.

Paul is an astute analyst and strategic global thinker leveraging creative means to solve complex business problems. He continues to inspire world-class individuals and teams to develop new business opportunities, reach high performance goals and achieve successful business outcomes. You can reach Paul at (425) 705-0760.



Published: 10/08/2019
