An Effective Cybersecurity Program: People, Process, and Technology … No, Really
I have heard and experienced technology leaders talk about the importance of People, Process, and Technology, but often what I have seen is heavy on technology, some on people, and less on process. Striking a good balance and having all three overlap is what builds true effectiveness in a program, provides better security, and more Return on Investment (ROI).
In the absence of a good balance, people tend to get burned out, which leads to higher turnover. In turn, your organization begins taking on more risk, therefore increasing the likelihood of cyber incidents. Would it surprise you to know that over 50% of significant cyber incidents are related to human error? Whether it’s misconfiguration, poor coding, or simply sending data to the wrong recipient, cyber incidents fall into the category of unplanned work.
Unplanned work is the worse type of work for any organization and cyber incident response often lives in this space, especially when other foundational elements are not built out. What most people don’t realize is, when there is a cybersecurity incident, it’s not just the incident responders that have long disruptions in their schedules, but also application teams, database teams, legal, and others. The unplanned work due to cybersecurity incidents can have a broad impact on deliverable schedules. So, let us take a look at three foundational elements that can reduce the risk of unplanned work, reduce the risk of employee turnover, provide better ROI, and build out a more effective program. Let us define People, Process, and Technology. People 1. Are you right sized for the size of your organization, the complexity of your environment, and the number of tools the team is being asked to own? a. When doing product evaluations with vendors, I like to ask how many Full Time Employees (FTE) are typical for implementation and how many FTEs for ongoing operations and continued tuning? b. If you have three team members and 40 tools they need to manage, you are likely to have tools barley in place and doing the bare minimum. Team members will not have time to truly dive into a tool to understand it, configure it as it should be, and regularly tune it or build out actionable alerts if the tool is capable.
2. Are you providing opportunities, including time, for team members to be trained? a. Training doesn’t always require a large budget. There are lots of free conferences team members could attend and you can also check into vendor provided lunch and learns. b. Schedule a weekly Technical Interchange Meeting (TIM) where team members are encouraged to share something they learned over the past week that would benefit others. They could throw a few bullets on a slide or just speak to it. Keep it simple and relaxed. Each team member wouldn’t be required to present something each week, just when someone has something. Have a floating agenda that could be added to. c. Paying for a few courses isn’t all that bad either. Although you can sometimes get more out of it if you bring an instructor in and invite people from other teams as well.
3. Are you providing clear strategic guidance, so the team understands where they are going and why? a. It’s amazing how many times I’ve had team members express their appreciation for providing guidance and direction.
4. Expressing appreciation
a. Company awards are nice to give out in front of peers, but just saying “I appreciate you” or “great job”, can go a long way.
Process 1. Have you set expectations with your team/department to document processes? a. There will be turnover of personnel and people take time off, but having processes documented and stored in an organized fashion will help with Continuity of Operations (COOP) and helps to keep a program maturing instead of constantly starting over in areas. b. Documenting processes can also help to identify areas that can be automated. 2. Have you set expectations to document configurations, or at least variants from best practices or hardening standards? a. There is a lot of value in storing configuration documents and variations from best practices, in a centralized location. b. For any best practice or hardening standard, there might be a list of 20-400 controls. Understand what you are applying in your environment and why you are choosing to do something different from what’s recommended. Keep it simple, ask the following for each control: i. Are we accepting and applying the recommended control? ii. Are we modifying the recommended control? If so, why and make sure to document it. iii. Are we choosing not to implement the recommended control? If so, why and make sure to document.
3. How effective is the vulnerability assessment and patch management program? a. Some call it vulnerability management, but I like vulnerability assessment better as this team is usually not the team to actually manage the vulnerabilities, that is typically under patch management. b. Are vulnerabilities identified, prioritized by risk level, and communicated to leadership as to how long they have been opened and unpatched?
c. Unpatched systems/devices add a significant amount of risk into an organization. d. Is patch management under a centralized team, a couple of centralized teams, or left to the server owners who could be spread across multiple applications teams? A dispersed patch management program tends to be much less effective.
Technology 1. How much is too much? a. No one has an unlimited budget and just because you have multiple layers and 40 different tools, does not mean you have an effective program or good security. b. Do not look at a suite of a particular package as one tool, because many times team members will need to fully understand each component/module within the suite. c. If you are not adjusting the FTE count as you continue to bring in more and more tools, then you will not be able to get the most from the tool and your opportunities to train and document processes will suffer. d. Is the latest security concept worth purchasing? Maybe. Let us first look at if you are getting significant value from what you have.
2. Are you fully leveraging what you currently have? a. It is critical to pay attention to the balance of people and process as you add more tools in. Will your people have appropriate time to train, fully understand the tool, and document processes and configurations? b. More tools do not mean better security, it can mean worse security if there isn’t a balance with people and process. You can quickly be at a point where all you are doing is maintaining the operations and upgrades or the tools instead of fully understanding and leveraging their capabilities. This can give you a false sense of security and make for an extremely uncomfortable conversation with the board when you try to explain how you were breached after spending so much money on tools and discussing the various security layers. c. Fewer tools can often be better security if you provide your team with capacity to understand the tool and document along the way. This also means setting the expectation and holding the team accountable to do so.
3. When do you add more and where?
a. First determine where the largest risk is. You can choose one of the cybersecurity frameworks and overlay the kill chain (advanced stages of an attack) with the areas it fits. b. The goal is to have effective coverage in each area, then to increase additional coverage in the earlier stages of the kill chain, as the exposer gets more and more expensive the deeper an attacker gets. c. As you consider adding a new tool or technology, make sure to ask if it can replace something else.
d. Can you reduce your vendor footprint without sacrificing security? i. There can be value in the integration of various tools by a particular vendor but be careful not to sacrifice security to an unacceptable level. Also be aware, several tools under the same vendor might have been through acquisitions and might not provide the integration you are expecting. ii. I would not have a goal of reducing to one vendor, but instead just focus on reducing vendors where feasible. Lots of vendors are now covering several different areas. Rick Velasquez is SVP Joint Security Operations at Texas Capital Bank. Rick is passionate about building effective security programs, building people up, equipping them, and empowering them. His views are his own and not that of his employer, Texas Capital Bank