How to start a cybersecurity program (or restart one that lapsed)

· 4 MIN READ · BRUCE POTTER · JAN 29, 2019 · TAGS: CISO / Framework / How to / Management / Planning

What happens when cybersecurity needs to be jump started (or restarted)?

Turns out there are plenty of possible scenarios.

Maybe you’re a new CISO who’s taking over for someone who ran a less-than-stellar program. Or you lost security personnel and re-hiring took much longer than expected. Perhaps your company is going through a merger or acquisition, which is forcing you to have some hard conversations about combining or even decreasing resources. Or maybe — stick with me, this will sound far-fetched — your security budget was flat out cut for reasons not bounded by rational thought. (I know, I know. That never happens.)

So when you’re left holding the hot potato of a legacy lackluster security program, or are now forced to protect your org and its data with less, what steps should you take to get (or keep) the security train on the right track?

    1. Don’t be afraid to get some basic tools and processes in place quickly to buy yourself time. We’ve seen this movie before: a new CISO comes in and wants to conduct a comprehensive assessment as a first step towards understanding what security controls they have, what’s lacking and what areas might need more attention. And wouldn’t ya know, the assessment kicks off, taking up lots of time and resources while day-to-day operations take a back seat. This effectively puts your organization into neutral while everyone thinks big thoughts. These assessments can pull people off important tasks and ultimately have a negative impact on the security posture of the organization while the assessment moves along.
      We’re all for conducting thorough assessments to understand security risks and technical control gaps, or collecting a few fancy tools to help you do your job better. But cinematic plots aside, the reality is that the hackers aren’t going to take a time out while you get your house in order. That’s why it’s essential that you get (or keep) some basic security tools (the right ones, and not too many) and processes in place quickly, and then dive deep into a review of your security processes, programs and tools to figure out what needs fixing. Get some value right now out of the tools you already have instead of running out to buy a new chest of security toys. You can make adjustments or add new stuff later as needed.


    2. Don’t forget to look outside your own walls. Conventional wisdom suggests gathering information from within the walls of your org first as you’re creating or adjusting a cybersecurity strategy. But with 73 percent of organizations having at least one application in the cloud according to IDG’s 2018 Cloud Computing Survey, it’s not enough to just look at your network and endpoints. When it comes to the cloud, your users are the new endpoint. So where do you start when it comes to keeping your data safe in the cloud? We’ve got a few tips right here on fine-tuning your cloud security strategy, and even more advice on keeping your cloud apps (like Office 365) safe from attackers (get our pro tips right here).


    3. Don’t use “But I first need an asset inventory!” as an excuse for inaction. I hate it when someone tells me, “Well, first I need to understand all of our assets.” That’s never going to happen. You’ll never understand all of your organization’s assets, and you can’t put off protecting what you can see because you don’t yet understand what you can’t see.
      Some things will always be outside your view. That’s reality. There are very few (if any) organizations that have a complete handle on asset inventory. It’s totally possible to build a strong security program that relies on imperfect asset information. Not every component of your security program needs to be perfect (and none of them ever will be).
      Instead of your first step being an asset inventory, think about assessing your visibility. What can you see? What “security signal” is available to you? What can it tell you? What risks does it help address? Look at security technologies that cover networks, endpoints, metadata (aka logs), cloud infrastructure and apps. This will help identify your knowns, strengths, and weaknesses. Having broad visibility in a “good enough” fashion is better than having perfect coverage in a few areas. And don’t forget to get creative. A vulnerability scanner can double as an asset management system. Got Nessus running? Great! You also know an awful lot about what’s running inside your enterprise.
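To show what “a vulnerability scanner can double as an asset management system” looks like in practice, here is an added example that is not code from the original post or from Expel. It reads the .nessus (v2) XML layout, ReportHost / HostProperties / ReportItem, as I understand it, and turns a scan export into a first-cut inventory: host, FQDN, OS banner, listening services, and worst finding. The export embedded below is constructed for illustration (hosts, plugin IDs and findings included), and the OS-family matching is a deliberately crude keyword check.

```python
"""Turn a Nessus scan export into a first-cut asset inventory.

Added example, not code from the original post or from Expel. It reads the
.nessus (v2) XML layout (ReportHost / HostProperties / ReportItem) as I
understand it; the export below is constructed for illustration, including
its plugin IDs and findings.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: two hosts, a few service-detection and vulnerability findings.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="quarterly-internal">
    <ReportHost name="10.10.1.20">
      <HostProperties>
        <tag name="host-ip">10.10.1.20</tag>
        <tag name="host-fqdn">web01.corp.example</tag>
        <tag name="operating-system">Linux Kernel 5.4 on Ubuntu 20.04</tag>
        <tag name="mac-address">00:11:22:33:44:55</tag>
      </HostProperties>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="22964" pluginName="Service Detection"/>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="0" pluginID="22964" pluginName="Service Detection"/>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="42873" pluginName="SSL Medium Strength Cipher Suites Supported"/>
    </ReportHost>
    <ReportHost name="10.10.1.35">
      <HostProperties>
        <tag name="host-ip">10.10.1.35</tag>
        <tag name="operating-system">Microsoft Windows Server 2012 R2</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0" pluginID="11011" pluginName="Microsoft Windows SMB Service Detection"/>
      <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="2" pluginID="18405" pluginName="Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness"/>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def inventory_from_nessus(xml_text):
    """Return {ip: asset dict} built from every ReportHost in the export."""
    root = ET.fromstring(xml_text)
    assets = {}
    for host in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "").strip()
                 for t in host.findall("HostProperties/tag")}
        asset = {
            "ip": props.get("host-ip", host.get("name")),
            "fqdn": props.get("host-fqdn"),
            "os": props.get("operating-system"),
            "mac": props.get("mac-address"),
            "services": set(),      # (protocol, port, svc_name) seen listening
            "findings": 0,          # ReportItems with severity > 0 (info excluded)
            "max_severity": 0,      # 0 info .. 4 critical
        }
        for item in host.findall("ReportItem"):
            port = int(item.get("port", "0"))
            if port:  # port 0 is a host-level plugin, not a listening service
                asset["services"].add((item.get("protocol"), port, item.get("svc_name")))
            sev = int(item.get("severity", "0"))
            if sev > 0:
                asset["findings"] += 1
                asset["max_severity"] = max(asset["max_severity"], sev)
        assets[asset["ip"]] = asset
    return assets


def hosts_exposing(assets, port, protocol="tcp"):
    """IPs with a given port open; e.g. 3389 to list every RDP listener."""
    return sorted(ip for ip, a in assets.items()
                  if any(p == protocol and n == port for p, n, _ in a["services"]))


def os_summary(assets):
    """Count hosts by OS family using a crude keyword match on the banner."""
    families = Counter()
    for a in assets.values():
        banner = (a["os"] or "").lower()
        if "windows" in banner:
            families["Windows"] += 1
        elif "linux" in banner:
            families["Linux"] += 1
        else:
            families["Unknown"] += 1
    return families


if __name__ == "__main__":
    inv = inventory_from_nessus(SAMPLE_NESSUS)
    for ip, a in inv.items():
        ports = ", ".join(f"{n}/{p}" for p, n, _ in sorted(a["services"], key=lambda s: s[1]))
        print(f"{ip:15} {a['fqdn'] or '-':20} {a['os'] or '?':35} ports: {ports}")
    print("RDP listeners:", hosts_exposing(inv, 3389))
    print("OS families:", dict(os_summary(inv)))
```

Point it at a real export and you already have the questions a CISO asks on day one (which hosts listen on RDP or SMB, how many Windows Server 2012 boxes are still around) answered from a tool you already own, with the caveat that it only covers what the scanner could reach.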


    4. Plan for the worst. How will you maintain your org’s security posture while operating at reduced capacity? Many of us spend time thinking about how we’ll defend our company and our data against the next crafty malware attack, but we generally don’t put much effort into thinking about how we’ll maintain security operations with fewer personnel, fewer tools or less money for our program.
      Is a shutdown-style scenario in your security playbook? Have you thought about which security tools or processes you’d turn off first if you were forced to shrink your team or budget, while still maintaining your org’s security posture? Have you mapped your capabilities and their costs to the risks they address? Does the rest of the business (and the board!) understand this mapping, or at least know it exists? With that mapping in hand you can respond to a cut in funding or headcount quickly, keep the best posture the remaining money buys, and tell the people around you exactly what the drawdown costs in risk.
      Here at Expel, we’re all about planning before an incident happens. We find that the best way to identify potential security issues within your org and build muscle memory around what to do when something bad happens is to play pretend. In fact, my son and I developed a role-playing game to pressure test your security ops (We promise, it’s super fun!). And you can play too — get started by downloading our incident response tabletop exercise game for free right here. Consider doing a tabletop where the “incident” at hand is a bad business condition and your security budget is cut by half.
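As an added example of the capability-to-risk mapping and the “budget cut by half” tabletop described above (this is not code from the original post or Expel’s own method), the script below encodes a hypothetical mapping of controls to annual cost and to the fraction of each risk they are judged to remove, then works out which controls to keep under half the budget and which risks are left thinly covered. The risks, weights, controls, costs and effectiveness figures are all constructed; the selection rule is a plain greedy knapsack on weighted-coverage gain per dollar, one reasonable heuristic among several.

```python
"""Capability-to-risk mapping and a budget drawdown plan.

Added example, not from the original post. The risks, weights, controls,
costs and effectiveness figures are constructed and hypothetical; the
selection rule is a plain greedy knapsack (best weighted-coverage gain per
dollar), one reasonable heuristic rather than Expel's method.
"""

# Risk -> business weight (hypothetical; agreed with the business, not by security alone).
RISK_WEIGHT = {
    "ransomware": 10,
    "phish-credential-theft": 8,
    "cloud-account-takeover": 7,
    "web-app-compromise": 6,
    "insider-data-exfil": 5,
}

# (capability, annual cost in k$, {risk: fraction of that risk it is judged to remove})
CONTROLS = [
    ("EDR",                    120, {"ransomware": 0.7, "insider-data-exfil": 0.3}),
    ("MFA on cloud apps",       40, {"phish-credential-theft": 0.8, "cloud-account-takeover": 0.8}),
    ("Email filtering",         60, {"phish-credential-theft": 0.5, "ransomware": 0.3}),
    ("SIEM + log retention",   150, {"insider-data-exfil": 0.5, "cloud-account-takeover": 0.3, "ransomware": 0.2}),
    ("Vulnerability scanning",  35, {"web-app-compromise": 0.4, "ransomware": 0.2}),
    ("Annual pen test",         50, {"web-app-compromise": 0.4}),
    ("Threat intel feed",       45, {"ransomware": 0.1}),
]


def coverage(kept):
    """Per-risk fraction removed, treating controls as independent layers."""
    cov = {}
    for risk in RISK_WEIGHT:
        residual = 1.0
        for _name, _cost, eff in kept:
            residual *= 1.0 - eff.get(risk, 0.0)
        cov[risk] = 1.0 - residual
    return cov


def score(kept):
    """Weighted coverage: what the mapping says this set of controls buys."""
    return sum(RISK_WEIGHT[r] * c for r, c in coverage(kept).items())


def plan_drawdown(controls, budget):
    """Greedy: keep adding the affordable control with the best gain per k$."""
    kept, remaining, spent = [], list(controls), 0
    while True:
        base, best = score(kept), None
        for ctl in remaining:
            cost = ctl[1]
            if spent + cost > budget:
                continue
            ratio = (score(kept + [ctl]) - base) / cost
            if best is None or ratio > best[0]:
                best = (ratio, ctl)
        if best is None or best[0] <= 0:
            break
        kept.append(best[1])
        remaining.remove(best[1])
        spent += best[1][1]
    return kept, remaining, spent


def weak_spots(kept, threshold=0.5):
    """Risks the surviving controls cover below the threshold: the board-level message."""
    return sorted(r for r, c in coverage(kept).items() if c < threshold)


if __name__ == "__main__":
    full = sum(c for _, c, _ in CONTROLS)
    kept, cut, spent = plan_drawdown(CONTROLS, full / 2)   # the "budget halved" tabletop
    print(f"Budget {full} -> {full / 2}: keep {[k[0] for k in kept]} (spent {spent})")
    print("Turn off first:", [c[0] for c in cut])
    print("Risks left under 50% coverage:", weak_spots(kept))
```

With these made-up numbers the halved budget keeps MFA, vulnerability scanning, EDR and the pen test, drops email filtering, the SIEM and the threat intel feed, and leaves insider data exfiltration covered at only 30 percent. The numbers matter less than the shape of the conversation: the mapping turns “we lost half the budget” into “here is what we switch off first and here is the risk the business now owns,” which is exactly what the board needs to hear.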

A “shutdown” isn’t a concept most of us normally throw around — the business world uses different terms. And to be honest, thinking proactively about a really crappy situation, like losing your security budget or inheriting an awful security program, isn’t exactly uplifting. But if you spend some time thinking through those situations and deliberately consider how you’d manage it, when that rainy day comes (yes, when — we tell people all the time to plan for when they’ll have to deal with a security breach, turnabout is fair play) it may just suck a little bit less.