For organizations ready to take their security approach beyond security operations and improve the cyber resiliency of their systems, some excellent tools exist to get started. And, equally important, best practices are emerging.
One of the best places to start your resilience journey is with a cyber-resilience framework. A framework helps an organization establish the goals and objectives for its resiliency strategy, as well as identify the specific technologies needed to control, manage, and recover from cyber attacks.
By using a framework, an organization can craft a cost-effective, flexible, prioritized, and performance-based path to cyber resilience. A framework can also help an enterprise assess its current security stance and identify areas for needed improvement. As improvements are made, the framework can also be used to assess the progress of a resilience program.
There are a number of popular frameworks, but they all share some common elements. Here's what you need to know about them—followed by best practices for cyber resilience.
Assess the risks
An organization-wide assessment should be performed to identify all cybersecurity risks to the systems, assets, data, people, and capabilities of the enterprise. Important items covered by the assessment should include what the organization's risk management strategy should look like; which cyber risks operations, individuals, and assets in the organization are facing; and what assets the organization uses to accomplish its mission.
When planning for risk management and resilience, organizations should be careful not to over-engineer their schemes, George Platsis, director of cybersecurity for FTI Consulting, wrote recently:
"It is a crude metaphor, but managing your cyber risk increasingly becomes more like managing your investment portfolio. It is tailored to you and your expectations. But if you are not on top of what’s going on, increasing complexity could lead to increasing volatility. That means your current and future outlooks could quickly be thrown into jeopardy."
—George Platsis
"More importantly," he continued, "if you are hoping to maximize business efficiency in your operations using this new gadgetry, then you may be setting yourself up for a colossal loss on the downturn, or a massive data breach that is nearly impossible to recover from could occur."
Indeed, IBM's annual cyber-resiliency report for 2020 noted that an excessive use of disconnected tools creates complex environments, which can have an adverse effect on an organization's ability to detect, prevent, contain, and respond to a cybersecurity incident.
Tally up your resources
In addition to assessing risks, it's also important to take a tally of resources—both technological and human. Such an analysis may reveal areas where automation or a managed service provider may be useful. Of course, nowadays it's necessary to consider privacy issues when evaluating both present and future resources, especially when it comes to monitoring data or storing too much of it for too long.
Another typical recommendation is to develop and implement safeguards to make sure critical services will be delivered successfully. Those safeguards usually include controls to ensure entities have access only to resources needed to do their jobs or functions. They also include security education, which has become increasingly important as more and more employees are forced to work at home, noted James McQuiggan, a security awareness advocate at KnowBe4, a security awareness training provider.
"With COVID-19 and the increased number of people working from home, organizations' senior management recognize that the employees are being targeted more than before and require additional training to increase their knowledge of various cyber attacks."
—James McQuiggan
Developing the activities and processes needed to identify a risk event quickly is also a common framework recommendation. Organizations need to clearly define the roles and responsibilities that apply when a suspicious event is identified. They should also be monitoring their assets and networks for potential cyber risks and anomalies.
After risk events are detected, a response is in order. Frameworks typically recommend that enterprises have response procedures in place, that stakeholders within the enterprise coordinate their response to the event, and that action be taken to prevent the event from continuing and spreading.
IBM says that having a cybersecurity incident response plan (CSIRP) is an important component of any resiliency strategy. It cautions, however, that the plans have to be reviewed frequently. "As the volume and severity of attacks increase year after year, the lack of an updated CSIRP may increase the risk of experiencing a significant disruption to IT and business processes," it noted in its 2020 report.
Recovery is also a common characteristic among frameworks. Recommendations in that area involve restoring any damage from a cyber attack and conducting post-mortems to assess what can be learned from the incident to improve resiliency.
Best practices
In addition to following a framework, organizations can also follow these five best practices to improve the resilience of their operations.
1. Tailor your response plans to attacks specific to your industry
Not only does that save time and money that would have been spent on low-risk threats, but it allows for more detailed planning for real threats.
2. Increase visibility and reduce complexity by embracing interoperability
Using tools that are interoperable increases the effectiveness of security teams by helping them more quickly detect and block attacks.
3. Invest in technologies to accelerate incident response
Automation, artificial intelligence, machine learning, and cloud services are some of the leading ways to increase cyber resiliency. Automation can improve not only operational efficiencies, but also the morale of security teams, which will be able to focus their talents on more meaningful activity and be freed of "scut work."
4. Bring your security and privacy teams together before serious events occur
IBM found that companies that exhibited strong cyber-resiliency characteristics recognized the important relationship between these teams. Encouraging collaboration between the teams will improve responsiveness to incidents such as data breaches much more so than if the first time groups collaborate is when they're thrown together to face a crisis.
5. Get the company brass on board
In all organizations, something is more likely to gain traction if it gets buy-in from the executive team. One way to get the attention of C-level executives and board members is to formalize resiliency reporting to them. That way, resiliency can be kept visible to the upper ranks and receive the resources it needs to preserve the revenues and reputation of the organization.
Take your SecOps to the next level
Stan Wisseman, chief security strategist at Micro Focus, said the key is to build on the existing tools and best practices to take your security operations to the next level.
"There's some great guidance out there. There's a lot of good work that has already been done to help organizations evolve beyond just cybersecurity."
—Stan Wisseman