How to approach a security program. My personal learnings.

These are my personal learnings from implementing cybersecurity (and other) programs that I wish I knew before I started. As most truths are, you will probably find most of the points obvious, but sometimes you just need to hear someone else say it to confirm what you already thought.

Firstly, realise the following. Once you have internalized this you will sleep again.

1.      You cannot fix everything at once.

2.      You will never sell a total, perfect cyber-security program to your business. It will always be a compromise for practicality, cost and the business’ risk appetite and willingness to absorb change.

3.      There is a sequence of events to get from A-Z though foundational stuff, then upwards in maturity, and even with an unlimited budget and team, you need to slog through it and that takes time.

4.      You and the business will have to accept some risks, in some cases for years.

5.      A risk mitigated is not a risk eliminated. IT CAN STILL HAPPEN and that is unavoidable.

6.      Best practice is a guideline, not a law. You need to adjust to your unique circumstances.

7.      Cybersecurity, even in small businesses takes time and focus. It is not a side gig.

8.      Once you start getting insight (like vulnerability management, rogue software, asset tracking) you will suddenly have a new volume of work that you could not quantify before. Your timeline may derail right there. Don’t be dismayed by it and…

9.      Fixing the new gremlins will take more time than you think. Factor it into your implementation plan.

10.  There is no certainty that you’ve done everything you can. Ever. Cybercriminals work by finding what you missed or have not addressed yet. The environment keeps changing. Second-guessing yourself with hindsight is pointless. Lying awake and worrying about it is destructive.

11.  You will have breaches. Companies with deeper pockets and more experts have breaches. That’s a fact, so you might as well relax about it and…

12.  Never waste a good crisis. Every security incident is an opportunity to improve, refine, learn lessons, spread awareness and educate.

13.  Security changes are inconvenient and require change. You will not be thanked. You will get pushback. You will be questioned and even derided by people with less knowledge than you. This is not personal, and it is entirely normal. Grow a thick skin and be patient.

14.  Security is there to support the business, not the other way around. Security must be practical and ways to balance business needs and security must be found. Going hardline will alienate your stakeholders.

15.  “Isn’t it funny how day by day nothing changes, but when you look back, everything is different.” CS Lewis.

If the business leadership understands this, you will have a happy life, so make sure to tell them!

Find partners.  

Unless you are very experienced, you are going to need people you can trust. Even if you are very experienced, you still don’t know everything. A solid security partner that is not married to a product set and not out to make a quick buck out of your fear and uncertainty is a must. Don’t Google, ask. Join communities of professionals and guiding bodies. Get references from the people in the trenches with you. A good partner brings experience with products that will help you narrow down solution options faster, be a sounding board for ideas, and a calm voice when you get anxious about how much you need to do and realise that you will have to live with some risks for extended periods.

Building some alliances within the business is not a bad idea either.

Assess.

Pro tip: Assessment is key to understanding, and without understanding, you cannot take focused and relevant action. The question to “where do I start” is ALWAYS “assess”. This may be understanding the issue and thinking through options for a few minutes, running your own assessment or bringing subject experts in to deep dive with a structured process, depending on the scenario and size of the business.

The worst advice in the world is “don’t just stand there, do something.” “Don’t just do something, take a minute to think” is much better advice unless being chased by a bear.

Understand the landscape

You must understand why things are the way they are. Why has no one addressed this issue before? Why do users do things this way? Why does this business process work in this way? Why is this old system still there? Why is the department structured in this way?

It is pure hubris to think that your answer is a better one before understanding the reason for the current solution. You will break stuff. I’ve seen (and done!) it on all sorts of scales, from taking away that old windows XP computer that had a crucial bit of software to entire business divisions getting wobbly when new leaders started chopping and changing.

Talk to business

No, listen to business. Not in IT Speak. Listen in Business-speak and people-speak. Understand the culture and values (both sets: the ones on the posters and website as well as the ones people actually live). Take the time to speak to leaders on multiple levels. This will give you a good sense of what is important to them to meet their objectives, what skill level people are at and how likely you are to be supported.

From senior leadership, you will get a sense of their understanding of cybersecurity and how important they perceive cybersecurity. Again, not in tech speak, but in business and financial impact. Talk to them about what they think is important and why.

Find solutions

This is where it gets hard. Every vendor has a suite of products presented in such a way as to make it impossible to head-to-head compare with other vendors or find the true cost. In that suite are dozens of sub-products, each requiring a full implementation on its own, but no one suite seems to do exactly everything you need it to do. Now you are lost trying to POC multiple products and you may never leave the labyrinth again! Don’t worry, you’ve already done the legwork to make this easy.

From your assessment, you know your weaknesses and from talking to businesses you have an idea of priorities. That’s where you start. Break them down. Now sequence them, then look for how to resolve them one by one. Here are some tips.

Do’s

• Use common sense. Practical and workable trumps flashy and magic quadrant every time.
•   Start thinking risk-based. Identify, quantify, prioritize mitigate and monitor. A risk register, even a basic one will help you prioritise based on the overall impact a risk has on the business. This is also a great way to communicate back to business based on business impact.
•   Get an overarching infosec policy that the business signs off. This is your contact with the business defining your common understanding and it is your mandate.
•   Set standards and document them. Make sure everyone knows them and abides by them otherwise you will get 2 years down the line and have to redo stuff.
•   Identify the foundational steps and look for ways to address them. You will often find that a manual process is the best way at the start because it is too much of a mess to automate.
•   Get the foundational stuff right first. Cybersecurity often starts with a working HR process and a clean Active Directory.
•   You need asset management and insight tools. Keeping track and measuring is crucial. Without insights on endpoints, you are flying blind. But…
•   Identify the most important metrics to monitor to avoid being overloaded.
•   Try to automate basic stuff, such as permissions and user reviews.
•   Think about progress tracking. You want to review at least every year to see what you’ve covered.
• Ensure that you focus on incident response from the start, even if it is basic. The first incident will rattle you more than you can believe!

Don’t

•   Overcomplicate things.
•   Believe the hype. Those products can do what they claim, but only in very mature environments or in conjunction with other products you need to buy.
•   Buy into a massive product set at the start. You will end up paying for features you will not implement for years, if ever. Money in the water. Rather select a product that has a limited scope that can take you a short way with ease. By that time you will be older and wiser and your environment more mature.
•  Re-invent the wheel. You can get examples and templates for everything.
• Get hung up on trends and media hype.

Think about maintaining

Every new aspect you start managing will need to continually be managed from that point on. That will take manpower and resources. At the start of a program, this snowballs pretty quickly. I’ve made the mistake where the management falls behind because I did not factor it into planning.

You are not alone: I’ve found compliance and security professionals to be extremely helpful. Just ask! Use those associations you belong to and give back to the community as well.