Cybersecurity as a Program

The practice of cybersecurity is continually evolving, and its importance is exponentially-increasing. Over the past decade, organizations have been allocating more and more capital to bolster the cybersecurity posture of their Information Technology environment, but most still find themselves behind the curve. As our reliance on IT and Internet-based solutions continue to increases, the attack vectors – and the number of bad actors ready to exploit them – grow as well. How do you stay secure in an increasingly dangerous threat landscape? While I might not be able to detail how to secure your specific environment in this blog post, hopefully you’ll find some personal value as I share my approach to developing an organization’s cybersecurity program.

To begin with, cybersecurity is a practice, not a solution. Cybersecurity is not a “one-and-done” implementation: it takes consistent maintenance, management, and monitoring. A cybersecurity program encompasses all aspects of security for an organization:

• Network and system security
• Physical location security
• User training
• Monitoring
• Remediation/failover plans

When I begin to build a cybersecurity program, I group these factors into two primary categories: proactive and reactive.

“Your proactive security is what prevents a bad actor from gaining access to your environment. Your reactive security is how you handle it when they do.”

There is no such thing as a 100% secure environment – that’s why I said “when they do” instead of “if they do”. Given enough resources, time and know-how, a bad actor CAN find a way into your environment. Once we have accepted that fact, we can start to look at the security of your environment in a more pragmatic way. This is a war of attrition: our goal is to make the compromise of your environment such a time-intensive, costly, and difficult endeavor that the cost-benefit analysis does not work in the bad actor’s favor.

The Proactive Approach

This is the foundation of any security program. This is where we make it as hard as possible for the attacker to get a foothold in your environment. As noted, a combination of network security controls, physical security, user training, monitoring and testing make up the bulk of this segment. Having dedicated security consulting for your organization will help you navigate the sea of security solutions on the market today. Once you have this foundation in place, implementation of a management and maintenance process is critical to making sure your proactive protections stay updated and ready to defend your environment. As we discussed earlier, cybersecurity is a practice: threats evolve daily, so if your protections don’t evolve with them, you become an easy target.

The Reactive Element

You’ve implemented the proactive approach and secured the systems in your environment.  What’s next? No matter how well you’ve prepared, now it’s time to prepare for when those controls inevitably fail. Why? Lots of reasons, including:

• Missed updates
• Misconfigurations
• Unknown/undisclosed vulnerabilities that have been living in your environment

Whatever the cause, security control failure is always a possibility, and having the solutions in place to get alerted about (and to recover from) a cybersecurity incident can be the deciding factor between your business returning to full operation after an attack, or joining the 60% of small businesses that fail as a result of a breach or compromise.

As a result, the reactive segment of your security program is equally important to your proactive approach. Your preparedness to react to a security incident can make or break your business’s ability to bounce back from a breach, and it must be intrinsically integrated into your security program. These components include:

• Monitoring your environment
• Vulnerability management
• Implementation of plans for what to do in the event of an incident or disaster

Vulnerability management and environment monitoring should alert you when there is a new vulnerability in your environment and when someone is attempting to exploit that vulnerability to gain unauthorized access. This allows you to stay on top of an incident before it becomes a business-ender. In those scenarios, you need a plan in place on how to handle the situation. Disaster recovery, business continuity, and incident response plans will be critical to your recovery from a cyber incident.

Following this two-pronged approach to cybersecurity will build your defenses while preparing your recovery in the face of rapidly escalating security threats. While this may seem daunting, it does not need to be. As the cybersecurity industry has grown, so has the availability of cost-effective solutions, online education, and consultants who can make building your security program a much more manageable endeavor. We are beyond the point where cybersecurity can be an afterthought, and have found ourselves in direct alignment with the Benjamin Franklin quote:

“By failing to prepare, you are preparing to fail.”

Don’t let your business fall prey to the growing pool of bad actors waiting to profit off your loss.

I hope that this has provided some insight into my thought process when approaching a cybersecurity program. It is certainly not the only way of tackling the behemoth that is cybersecurity, but I have found that it can help to put your protections in perspective. When in doubt, do not hesitate to call in an expert to help with the security program of your business.