Many cyber security managers spend most of their time on ongoing operations, for instance procuring and implementing data security systems or running employee cyber awareness training. Nevertheless, many of them operate in much the same way: purchasing various systems without necessarily adapting those procurements to the organization's actual needs, and certainly without a long-term vision that extends beyond the next twelve months. Furthermore, this mode of cyber security management makes it hard to obtain senior management's cooperation, which leads to recurring budgetary challenges.
Now that it is evident to everyone that cyber attacks pose a fundamental threat to business continuity, cyber security managers must invest serious effort in planning their cyber strategy. When they do, every action is oriented toward the organization's real needs, and ongoing communication with senior executives is reinforced.
This article will review the principles of planning and implementing a cyber strategy.
Step 1 – Performing a Cyber Risk Assessment Survey
A risk assessment survey allows the cyber security manager to evaluate the organization's overall security policy, identify gaps and change the policy where necessary. It naturally requires the cooperation of several departments in the organization, and it has positive consequences for management's commitment to allocate resources and implement solutions. Below is a list of areas the risk assessment survey should focus on:
- Workstations, mobile devices, operating systems and servers, including systems that have reached or are approaching their EOL (end of life) and no longer receive security patches
- Identifying systems and types of equipment that are not regularly reviewed (shadow IT)
- Preparing a list of the software installed in the organization, and of which of it is actually authorized
- Cataloging and mapping the various users, for instance through a directory service such as Active Directory (queried over LDAP)
- Identifying users' identities and linking each identity to the access methods it uses (VPN, remote desktop, cloud consoles, service accounts and so on)
Data confidentiality classification level
- Public – any information that can be shared publicly without adversely affecting the organization
- Confidential – data that should not be shared publicly, and sharing it with a third party requires the signing of an NDA (Non-Disclosure Agreement)
- For Internal Use Only – similar to confidential status, but must not be shared with any third party
- Intellectual property – core business-critical data, the disclosure of which would harm the company’s ability to compete.
- Data restricted to specific compliance – requires meticulously strict management in terms of access and storage within the scope of the relevant activity – for example, CMMC, HIPAA, GDPR and the Privacy Protection Law.
Identifying any attack surfaces that are relevant to the organization
- Mapping potential links and risks pertaining to third-party entities and maintaining NDA compliance
- Identifying all exit and entry points to and from the organization’s internal network
- Creating an updated network grid, including cloud systems and additional branches
Prioritizing risks – conducting a Business Impact Analysis (BIA) to assess how cyber incidents would affect business activity, and identifying the critical systems and data. The output is a ranked list of assets, so that remediation effort and budget go to the highest-risk items first.
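To make the prioritization step concrete, the following is an added illustration (not code from the original article, and not a Madsec tool): a small risk register that takes the survey findings listed above (EOL status, shadow IT, classification level, exposure to the internet or third parties, BIA criticality) and ranks assets by a likelihood × impact score. The inventory, the weights and the scoring formula are constructed assumptions for the example; a real survey would calibrate them with the business.

```python
"""Toy risk register built from the risk-assessment survey findings.

Added example, not from the original article. The asset inventory,
weights and scoring formula below are constructed assumptions.
"""
from dataclasses import dataclass

# Impact if the data on an asset is disclosed, following the
# classification levels described in the survey (assumed 1..5 scale).
CLASSIFICATION_IMPACT = {
    "public": 1,
    "internal": 2,
    "confidential": 3,
    "regulated": 4,               # HIPAA / GDPR / CMMC scoped data
    "intellectual_property": 5,
}


@dataclass
class Asset:
    name: str
    classification: str
    eol: bool = False                 # OS/app past end of life, unpatched
    shadow_it: bool = False           # not under regular review
    internet_facing: bool = False     # an entry point into the network
    third_party_access: bool = False  # reachable by a supplier/partner
    business_critical: bool = False   # flagged critical by the BIA


def likelihood(asset: Asset) -> int:
    """1..5 likelihood of compromise from exposure factors (assumed weights)."""
    score = 1
    if asset.internet_facing:
        score += 2
    if asset.eol:
        score += 1
    if asset.shadow_it:
        score += 1
    if asset.third_party_access:
        score += 1
    return min(score, 5)


def impact(asset: Asset) -> int:
    """1..5 impact: classification level, plus one if the BIA marks it critical."""
    if asset.classification not in CLASSIFICATION_IMPACT:
        # An unclassified asset is a survey gap, not a low risk: fail loudly.
        raise ValueError(f"{asset.name}: unknown classification {asset.classification!r}")
    base = CLASSIFICATION_IMPACT[asset.classification]
    return min(base + (1 if asset.business_critical else 0), 5)


def risk_score(asset: Asset) -> int:
    return likelihood(asset) * impact(asset)


def prioritize(assets: list[Asset]) -> list[tuple[str, int]]:
    """Rank assets highest risk first; ties broken by name for a stable report."""
    return sorted(((a.name, risk_score(a)) for a in assets),
                  key=lambda t: (-t[1], t[0]))


def above_appetite(assets: list[Asset], threshold: int) -> list[str]:
    """Assets whose score exceeds the risk level management agreed to accept."""
    return [name for name, score in prioritize(assets) if score > threshold]


# Constructed sample inventory for the example.
SAMPLE_INVENTORY = [
    Asset("vpn-gateway", "confidential", eol=True, internet_facing=True,
          business_critical=True),
    Asset("legacy-hr-server", "regulated", eol=True, third_party_access=True),
    Asset("marketing-site", "public", internet_facing=True),
    Asset("dev-nas", "intellectual_property", shadow_it=True),
    Asset("file-share", "internal"),
]

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE_INVENTORY):
        print(f"{score:3d}  {name}")
    print("above appetite (>9):", above_appetite(SAMPLE_INVENTORY, 9))
```

The threshold passed to `above_appetite` is the risk level agreed with management (Step 5 below); everything above it becomes a work-plan item, everything below it is a documented, accepted risk. Raising a `ValueError` for an unclassified asset is deliberate: an asset the survey could not classify is a gap in the survey, and silently scoring it as low risk would hide exactly the systems the survey exists to find.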
Step 2 – Defining Security Objectives
- Examining the SLA level your clients require from your organization and, at the same time, the SLA level your suppliers must commit to. This helps define the security objectives and the required level of survivability (for example, how long a critical service may be unavailable after an incident).
- The required level of monitoring – KPIs should be defined, for instance the necessary detection and response time for certain event types.
Step 3 – Choosing the appropriate control framework
- Checking which mandatory regulations must be adhered to, depending on the type of organization, such as PCI DSS, SOX, GDPR and HIPAA.
- Choosing the appropriate framework, for instance CMMC, the NIST Cybersecurity Framework or PCI DSS. The relevant controls and guidelines are then defined accordingly.
- Defining the organizational data security policy and controls to monitor actions that deviate from the above protocols
Step 4 – Creating a Risk Management Plan
- Creating a Business Continuity Plan (BCP). This is a preparedness step, put in place before a catastrophe occurs, and it focuses on keeping the business running and returning systems and business activity to normal. It covers, among other things, communication procedures, resource allocation and damage-limitation programs.
- Creating a Disaster Recovery Plan (DRP). This covers the processes that must be carried out during and after the loss of data, or of access to it, caused by a cyber incident, such as restoring data from backups and re-establishing access. The DRP is an integral part of the BCP.
- Preparing a cyber Incident Response (IR) plan. The emphasis here is on the immediate handling of the incident: identifying and containing the attack, reporting to the relevant bodies, and eradicating the attacker's presence from the organizational network. The IR plan is invoked alongside the DRP and feeds it the facts recovery depends on.
Step 5 – Creating Managerial Commitment
- Assembling a team that includes management members and holds regular quarterly meetings, in which the organization's compliance level with its objectives and any substantial difficulties are shared
- Jointly defining the level of risk acceptable to the organization and determining a reasonable level of expectations
- Jointly defining data security budget
Step 6 – Correctly implementing the Cyber Security Strategy
Madsec's data security experts will be happy to assist you with the steps above and with other essential tasks, including:
- Preparing the relevant documents mentioned in this article, including running a cyber simulation for senior management
- Preparing strategy documents in accordance with the organization's risk assessment survey
- Using the approved budget wisely while separating the procurement budget (CAPEX investments) from the ongoing operations budget (OPEX), for example the cost of an external SOC
- Prioritizing tasks based on the risk assessment and the budget agreed with management
- Defining an orderly yearly work plan with clear, realistic objectives