Comprehensive security strategy planning will help organizations hunker down for the coming ‘cyber storm.’
(May 3, 2023) Increasingly sophisticated cyber threats that exploit economic, social, and geopolitical volatility create the perfect conditions for a “gathering cyber storm,” cybersecurity experts warned in January during the World Economic Forum’s annual meeting in Davos, Switzerland. Most agree that organizations must rethink their security strategy in order to weather the storm.
Since the beginning of the computer age, security efforts have focused almost exclusively on prevention. However, it’s become clear that it’s simply not possible to thwart every attack. Instead, organizations must make the philosophical shift to cyber resilience — augmenting traditional preventive measures with tools that allow them to rapidly detect attacks in progress and respond decisively to limit disruptions and damages.
“It’s nearly impossible for organizations to achieve absolutely foolproof cybersecurity and still maintain acceptable levels of efficiency and productivity,” said Mark McClelland, co-founder and vice president of Mainstream Technologies. “Yes, organizations need to mitigate as many threats as possible, but they must also accept a certain degree of insecurity and take steps to become more resilient.”
Creating a Blueprint
The first step to achieving cyber resilience is creating an organization-wide security strategy that outlines a comprehensive and repeatable approach for managing cyber risk and reducing vulnerabilities. It will serve as a blueprint for coordinating robust security practices among management, IT staff, and line-of-business employees.
Strategic security plans should be documented, providing a high-level overview of potential threats facing the organization along with the tools and processes necessary to identify, remediate and manage risks. In addition to providing an overview of generic threats, vulnerabilities and security controls, the plan should address broader concepts, including regulatory compliance, business continuity and risk management.
“Given the rapidly changing state of technologies and threats, a security strategy should be reviewed regularly and updated,” McClelland said. “Most industry analysts recommend a comprehensive revision every three to five years. However, minor revisions are typically required more frequently based on changes in organizational structure and the threat landscape.”
The chief benefit of such a strategy is that it allows organizations to define and prioritize cybersecurity initiatives instead of continually reacting to the latest threat. The “whack-a-mole” approach of adding new security products for every emerging threat is not sustainable — security analysts identify more than half a million new malicious programs every day. Continually adding new security tools only results in overly complex and effectively unmanageable security environments.
“A regularly revised security strategy will guide organizations to make incremental enhancements to their existing security measures, including more proactive measures such as predictive analytics, intrusion prevention, and vulnerability scanning,” said McClelland. “In addition to helping organizations detect threats faster, these measures often enable IT teams to predict attacks based on risk modeling.”
Threat analysis is another key component of proactive security. It can identify an attack’s unique tactics, techniques, and procedures (TTPs), and IT teams can use that information to actively hunt for threats and disrupt them in advance.
Frameworks Can Help
The process of developing a comprehensive security strategy can seem overwhelming. Every company has unique security and operational requirements, and there are countless potential threats, solutions, and contingencies that could be addressed. It’s common for those tasked with developing such a document to experience paralysis by analysis while trying to cover everything.
A number of established IT security frameworks can ease the process, serving as an instruction manual for designing, implementing, and maintaining a security strategy. In fact, a Dimension Research survey finds that more than 80 percent of organizations in the U.S. use one or more security frameworks, citing benefits such as measurable security improvements, increased automation of security controls and improved compliance. Some of the more widely used frameworks include:
- The Payment Card Industry Data Security Standard. The PCI DSS standard outlines widely accepted policies and procedures for protecting credit card information. The same principles can be used to protect sensitive data in any organization.
- National Institute of Standards and Technology Cybersecurity Framework. The NIST framework outlines security best practices for federal agencies and private-sector organizations vital to national and economic security. It is commonly used by small and large businesses across all industries.
- The Center for Internet Security Critical Security Controls. The CIS controls were developed for U.S. defense organizations. Numerous private-sector organizations use this framework to create a layered security environment.
- The International Organization for Standardization 27001 standard. ISO 27001 is an international framework for creating an overarching management system for all security controls. It provides guidance on the implementation of individual security measures to ensure they are properly integrated with other critical controls.
- Control Objectives for Information and Related Technologies. The COBIT framework establishes guidelines for information management and governance to ensure the quality and reliability of information systems. Organizations often use it to evaluate their compliance with Sarbanes-Oxley.
“Although these and other frameworks were created for different audiences, they can be adapted to help any organization develop a comprehensive security strategy,” McClelland said. “It’s important to remember that it doesn’t have to be perfect on the first try — organizations can and should continually modify their strategy to ensure it aligns with evolving business goals, technology environments, and cyber threats. A continually updated strategy provides essential protection from attacks, come rain or shine.”
ABOUT MAINSTREAM TECHNOLOGIES
Mainstream Technologies delivers a full range of technology services in Arkansas and the surrounding region including managed technology services and consulting, custom software development, and cybersecurity services. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public and private-sector customers across the United States.