20 steps to strengthen cyber defense

The increased attention cyber defense has received lately would be difficult to ignore. One method is to look at the compound annual growth rate (CAGR). The CAGR for the private-sector homeland security marker through 2016 is 7.7 percent (totaling nearly $13 billion) and that indicates solid investment in the protection of our critical systems.

Organizations large and small have recognized the threat cyberattacks pose to their organizations and are ready to move ahead and minimize that threat to the extent possible. Most of cyber defense programs take a proactive approach and anticipate the continuous evolution of cyber threats that will be launched against their organization. Based on that key principle, they constructed a solid security foundation with a cyberattack mitigation strategy serving as the cornerstone.

Once cyber defenses are established, the work is far from being over. The threats must be monitored and intelligence on the changing threat conditions collected and analyzed. After this is done and the organization has an understanding of the threat environment, it can determine the level of protections and exposures. Organizations must regularly assess their defenses and make the necessary updates and changes.

How does an organization evaluate the cyber defenses they have implemented? The following list contains the 20 areas of evaluation commonly used when examining the security of an organization.

1. Access control

2. Acquisition, development and maintenance

3. Communications security

4. Compliance program

5. Continuity planning

6. Data and asset security

7. External security controls

8. Human resource security

9. Incident response and investigations

10. Mobile and portable device security

11. Operations threat monitoring

12. Physical security

13. Security threat intelligence

14. Security policies

15. Supply chain security

16. Security analytics

17. Security awareness training

18. Security operations management

19. Security organization

20. Security program management

Each of these 20 areas should be assessed, and a numeric score from 1 low to 5 high assigned in addition to a score depicting where each area of measure should be. This permits a graphic portrayal of the level of security and any gaps that were identified during the evaluation process that is often required at senior levels of management.

All too often the highly technical cybersecurity resources fail to clearly communicate the cybersecurity challenges to members of the executive team in a fashion that is easily understood by nontechnical individuals. Executives set budgets. That is a fact and failure to effectively communicate the risks and measures that are needed to mitigate those risks is a common problem. Many critical infrastructure providers will use the 480 percent plus identified incident growth that was recently published in the Homeland Security Department Industrial Control Systems Cyber Emergency Response Team’s Incident Response Summary Report for justification. The second issue is assessing and evaluating what protective measures are in place and working, and where changes and improvements are needed.

During one security assessment it became very clear the organization did not have an accurate application inventory. If you don’t know what software and applications you have in the IT environment, how do you know what needs maintained?

A mentor early on in my career use to say “If you don’t know where you are you can’t plan where you are going” That is so true; yet time and time again cybersecurity strategies, plans and programs are established without determining where the organization is in terms of protecting it digital infrastructure and information assets.

Continually assessing and evaluating these 20 areas provides the information needed to fortify an organization’s cyber defenses. Without taking the time and putting forth the effort to conduct an assessment like this, you are just taking a shot in the dark as to what is really needed to defend an entity from the growing threat of cyberattacks. One common mistake is to rely on penetration testing as the only mechanism used in the determination as to the security and vulnerability of critical systems.