Cybersecurity has reached the boardroom. After years of clamoring for attention, the CEOs of U.S.-based corporations told the Conference Board that cybersecurity is their top external concern for 2019, ranking it above economic challenges, trade threats and political instability. Unfortunately, while executives are paying increased attention to security, the message they receive is often unclear.
Executives and technology leaders find themselves bombarded with conflicting messages from security vendors, consultants and practitioners, all pushing a different set of best practices that they believe will solve the organization’s security challenges. Each of them is offering a next-generation software product or a new blinking box that will cure all security ills.
Leaders who seek to cut through the noise and develop a cohesive cybersecurity strategy must first establish the critical security priorities of the organization.
Identify Essential Assets Before Designing a Security Strategy
The most effective way to establish those priorities is to focus not on IT assets, but on the assets that are key to business operations. This forces us to think about assets differently. Sure, customer data, trade secrets and financial assets are easily identified. However, our critical assets could also be people within the organization, or even the ability to deliver a critical service. Once that list is developed, it can serve as the foundation for a cybersecurity program.
When I discuss this strategy with clients, I like to draw an analogy to the ways that nobles designed castles in medieval times. They didn’t start with the external walls but instead designed a highly secure inner fortress called the keep. The castle keep contained all of the noble’s most prized assets, including his family. Then, the remainder of the castle was built from the center out, with the intent of adding new layers of security around the keep.
Design Controls that Protect the Keep
With an understanding of critical business assets, an organization can identify the types of threats those assets face and design security controls that directly address those threats. These controls fit into three categories that can help build a layered defense to protect your digital inner sanctum.
- Detective controls identify the presence of a threat. Castle security details placed guards high on watchtowers to spot potential enemies on the horizon. Our modern equivalent is using assessments and technical tools to detect adversaries and the weaknesses they exploit. We should begin with threat hunting and penetration testing exercises to identify existing weaknesses and any intrusions already under way, and then expand our efforts to include intrusion detection, security information and event management (SIEM), anti-virus and other mechanisms designed to detect digital threats.
- Preventive controls seek to stop threats from breaking through the layered perimeter. Castles used long-range artillery, pots of boiling oil and other weaponry to keep out intruders. We must protect our digital fortresses with preventive controls including next-generation endpoint protection solutions, multifactor authentication and other technological countermeasures designed to keep out modern adversaries.
- Mitigation controls step in when preventive controls fail. They seek to minimize the damage caused by a successful attack. Castle designers used a series of walls to segment off the keep, while network designers use network segmentation to play a similar role in the digital world. Our goal is to prevent an attacker from reaching the inner keep, even if they manage to break through perimeter protections.
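The segmentation point above is easy to state and easy to get wrong in practice: a perimeter breach matters only if the zone-to-zone allow-list gives the attacker a path onward to the keep. The script below is an added example, not code from the original post, that treats a zone-level allow-list as a graph and reports the fewest zone compromises an attacker needs to reach the keep from an untrusted zone. The zone names and rules are constructed, hypothetical inputs; the weak ruleset lets a compromised web tier pivot through the corporate LAN to the keep, while the hardened one leaves no allowed path from the Internet-facing tiers at all.

```python
"""Segmentation reachability check over a zone-level allow-list.

Added example. Zones, ports and rules are constructed and hypothetical;
they illustrate the technique, not any particular network.
"""

# Each rule is (source_zone, destination_zone, port, protocol); anything
# not listed is denied (default-deny between zones).
WEAK_RULES = [
    ("internet", "dmz", 443, "tcp"),        # public web tier
    ("dmz", "corporate", 5432, "tcp"),      # web tier talks to a DB on the corporate LAN
    ("corporate", "keep", 22, "tcp"),       # anyone on the LAN can SSH into the keep
]

HARDENED_RULES = [
    ("internet", "dmz", 443, "tcp"),
    ("dmz", "data", 5432, "tcp"),           # DB moved to its own zone, no path onward
    ("corporate", "admin", 3389, "tcp"),    # only the admin zone can approach the keep
    ("admin", "keep", 22, "tcp"),
]


def adjacency(rules):
    """Map each source zone to the (dst, port, proto) edges it may use."""
    graph = {}
    for src, dst, port, proto in rules:
        graph.setdefault(src, []).append((dst, port, proto))
    return graph


def paths_to(start, target, rules):
    """Return every simple zone path from start to target, each as the
    list of rules traversed. The attacker model is: whoever controls a
    zone can use any allow rule whose source is that zone."""
    graph = adjacency(rules)
    results = []
    stack = [(start, [])]
    while stack:
        zone, path = stack.pop()
        if zone == target:
            results.append(path)
            continue
        visited = {start} | {r[1] for r in path}   # avoid cycles
        for dst, port, proto in graph.get(zone, []):
            if dst not in visited:
                stack.append((dst, path + [(zone, dst, port, proto)]))
    return results


def min_hops(start, target, rules):
    """Fewest zone boundaries an attacker must cross from start to reach
    target, or None if the allow-list gives no path at all."""
    paths = paths_to(start, target, rules)
    return min(len(p) for p in paths) if paths else None


def report(rules, keep="keep", untrusted=("internet", "dmz")):
    """Distance from each untrusted zone to the keep under the given rules."""
    return {zone: min_hops(zone, keep, rules) for zone in untrusted}


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, report(rules))
        for path in paths_to("internet", "keep", rules):
            print("  path:", " -> ".join(f"{s}:{p}/{pr}->{d}" for s, d, p, pr in path))
```

Running it prints `weak {'internet': 3, 'dmz': 2}` with the full pivot path, and `hardened {'internet': None, 'dmz': None}`: the hardened design does not make the keep unreachable (the admin zone still gets in, two hops from the corporate LAN), it removes the route that starts at the perimeter, which is exactly what a mitigation control is for. Feed the script your real zone allow-list and treat any finite distance from an Internet-facing zone as a finding.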
The creation of your digital keep can be a complex undertaking. Fortunately, you don’t need to navigate these waters on your own. A trusted cybersecurity partner can assist you with the assessment of your existing security posture, the selection of solutions to build a layered defense and the implementation of those new controls to meet your business needs.