Friday, December 14, 2018

DO YOU HAVE A CYBERSECURITY STRATEGY?

DO YOU HAVE A CYBERSECURITY STRATEGY?




Author:  Sean Connors, Palm Harbor, Florida                  


Your Cybersecurity Strategy (CS) is your battle plan for you company creating a strategic approach
to your Cybersecurity defenses.  A CS identifies vulnerabilities and documents the maturity of your
capability providing a compliance defense.

INTRODUCTION
We will explain why many companies do not have a strategic approach, although do effectively use
a number of cybersecurity defenses just not in a formal capability maturity model (CMM).  
The CMM formalizes documenting, identifying gaps and improving capability as part of a
Cybersecurity Strategy.

We will share with you how you can learn and implement a Cybersecurity Strategy, at no cost to you.

  • Cybersecurity Strategy
MARKETING PRACTISES DON'T PROMOTE A CYBERSECURITY STRATEGY
JUST SINGLE SOURCE.

With over 2,000 Cybersecurity Defense providers spending billions on marketing,
C-level executives are swimming in a sea of Cybersecurity solutions and under extreme compliance
pressure. The Cybersecurity industry has reached an advanced stage of maturity and notably
companies have spent good money on an array of Cybersecurity defenses ranging from
virus scanning to firewalls and sophisticated forensics engines as well as employee
Cybersecurity awareness training.
Overzealous marketing and claims of a sole source solution have resulted in companies not having
an overall strategy of risk management and if an event or incident occurs they are exposed to
regulatory compliance and the defense provider who was supposed to protect them bears no
liability and generally they do not have a mitigation plan.
Companies have spent good money on an array of Cybersecurity defenses ranging from
virus scanning network switches, firewalls and sophisticated forensics engines as well as employee
Cybersecurity awareness training.  So why do you still feel exposed especially to regulatory
compliance fines and mitigation? Why are you left bearing full responsibility when one or more of the
defenses fail and the Cybersecurity Defense providers (CDPs) do not stand by their claims?
There are a variety of different types of professionals in the Cybersecurity industry that help you
navigate various areas (list excludes your employees):
•        Compliance auditors delivering legal counsel and mitigation
•        Insurance industry auditors doing vulnerability evaluations
•        Regulatory compliance auditors delivering reports on compliance standards and
        frameworks like NIST or SOC2
•        CDP professionals marketing their products and services
•        Defense developers for CDPs
•        Cybersecurity solutions channel partners sourcing best of class CDPs for their clients
•        Compliance audit developers
•        Architects editing frameworks for compliance and standards like NIST and oasis
All these professionals may help you defend your company against attack(s) but ultimately they are
motivated to sell their products and services.

CHANGED LANDSCAPE
Companies have moved from IT network administration personnel to hiring CISCO's or outsourced
Cybersecurity experts.  As more and more defense solutions evolved, the roles of these became
managing implementation, maintenance, monitoring and policies and procedures of these defenses
vs monitoring logs and vulnerability scanning tasks.  Also as compliance becomes more defined and
regulated the task of doing audits for PCI, NIST and many others became a priority made worse by
the C-level liability for non-compliance.
Now CISCO's main tasks are to manage tools from CDP's and make choices sourcing solutions for
their defenses.

QUESTIONS RAISED

This brings up a number of questions for you, the C-level executive:
•        Why do you still  feel exposed especially to regulatory compliance fines and mitigation?
•        Why are you left bearing full responsibility when one or more of the defenses fail?
•        How do you require defense providers (vendors) to stand by their claims and products?
•        How do you find unbiased (product agnostic) help to manage risk?
•        How can you leverage using CDPs to reduce costs of the need to have many highly skilled
employees, while improving your defenses?
•        How do choose the best fit CDPs for your Cybersecurity Strategy?


WHAT ARE THE DELIVERABLES?

C-level executives through the Situ the first step of the CS identify defenses.
Is unbiased (product agnostic) to any defense.  This is important because they can discover what has
already done and how it fits into their company’s strategy and the gaps that need to be addressed. 

The main benefit is educating the C-level executive on these issues and doing these tasks:


  1. Understanding that a CS is in its entirety achieved using a number of defenses from CDPs
  2. Adoption of a Cybersecurity Strategy, which includes Situational awareness study “Situ”,
  3. Measurement using Cybersecurity Strategy 5 Layout Capability Maturity Model “CS5LCMM”
  4. The Capability Maturity Model “CMM” which is a widely used model to measure and improve Capability as well as Vulnerabilities, Compliance and Risk Management which are functions and procedures, or tasks that a company has to perform to at least be able to say that they are capable with their cybersecurity defense
  5. Provide education on the scope of the problem or defenses which are finite and have been laid out into the 5 layouts that you see on the CS5LCMM wheel below:



     4. C-Levels have already done a lot of work in terms of selecting CDP’s and defenses in
           these layouts, and the Cybersecurity Influencer measures that based on implementation,
           management of, and policies and procedures of each defense
     5. After measurement, the tasks of Vulnerabilities and the rest of the Cybersecurity
           Strategy wheel is addressed by the including gaps on CDPs


The  Cybersecurity strategy Cybersecurity Influencers provide will follow these steps:
  1. Situational awareness 
  2. Data gathering
  3. Measurement. 
  4. Vulnerabilities
  5. Compliance and Risk management

MEASUREMENT IN THE CYBERSECURITY STRATEGY


As you know, measurement of Cybersecurity defenses is the key to understanding and the building
blocks for achieving a strategy for a company, which includes measuring capability in each area
or layout, considering the following for each:

  • Installation and configuration
  • Maintenance and management
  • Policies and procedures

CDP’S AND YOUR LAYOUT ASSIGNMENT  (Remember in CS5LCMM the L is for Layout.)
Logos are all Cybersecurity Defense Providers CDPs laid out next to their defense sector.
For example QRadar is a Forensics SIEM so it is placed next to the Layout 5 - Forensics.
The system has assigned your Layout (you pick them on your profile) and once at the stage that you are
improving your capability by filling in gaps or replacing with better CDPs, like yours,
you will assign your product to that Layout.



Author:  Sean Connors, Palm Harbor, Florida