The Best Way to Improve Your Cyber Security? Outline Where You Are Now and Roadmap to Your Target State.

Originally published by NCC Group.

Written by Sourya Biswas, Technical Director, NCC Group.

As anyone working in cyber security knows, 100% threat prevention/mitigation is a myth. One question we hear time and time again is, “how much security is enough?” There are so many different ways to answer this—it really depends on your company’s size, complexity, industry, the maturity of your program, and so on. Perhaps the best answer is simply “just enough.”

Think about it this way: does your home need 16 ft. concrete walls reminiscent of a World War Two military bunker? Or would your standard ADT alarm system be sufficient?

Striking the balance between too much, not enough, and just enough security is no cakewalk. Too much security, and you'll end up with stringent controls that prevent your people from completing basic business tasks. Too little, and the controls will be too lax to address the ever-evolving threat landscape.

Without the right guidance, putting together a comprehensive yet customized program that meets business needs can be expensive and time-consuming. But it doesn’t have to be. You just need to understand where your organization wants to be, its target state, compared to where it is now, or its current state. Then you need a roadmap that outlines in detail how to progress to that target state.

The Four Steps of a Cyber Security Review

The cyber security review (CSR) is a customizable, four-step process (typically performed over six to eight weeks) that takes a business-focused view of your information ecosystem and security mechanisms to determine where you are in your cyber security journey, where you want to be, and how to get there.

Step 1: Context Establishment

A company’s cyber security program should support its organizational mission and vision. The first step in a CSR is to establish context via surveys, discussions, and deep dives. One key differentiator here is to compare and align your business and security goals, a feat that can only be achieved by interviewing executives beyond the cyber security function.

One thing to keep in mind: since a CSR will likely be shared across the business, the reported results should be applicable to all of its recipients. Reviewing business-critical applications, we assess the business holistically instead of focusing on individual technologies.

Step 2: Threat Modeling

Your program’s effectiveness is largely dependent on having a clear understanding of the threat landscape. Otherwise, your efforts will be unfocused, disorganized, and will resemble a shot in the dark rather than anything strategic.

That’s why the second step in a CSR is to generate a current snapshot of your organization’s threat landscape by documenting architecture, threat actors, attack vectors, and sensitive data elements. This includes Personally Identifiable Information (PII), Privileged Health Information of PII, intellectual property, and financial information.

Step 3: Controls Assessment

Next, look at the design and implementation of security measures or controls used to address identified threats. Perform a maturity-based controls assessment against a chosen framework (e.g., NIST CSF/ISO 270001/SANS Top 20/CSA CAIQ), and then identify gaps in major/minor control areas to provide detailed recommendations.

Step 4: Security Landscape

A successful program is one that also meets organizational needs. In the final step of a CSR, analyze the outputs from the threat modeling exercise and controls assessment to develop a roadmap in alignment with your broader vision and business goals.

Imagine that one of your organization’s goals is to expand the customer base. In this situation, you’ve identified a malicious insider to be your greatest potential threat actor, and Access Control as your worst control gap area.

In this case, I might recommend to enforce strict data compartmentalization with ‘need-to-know’ access, implemented via Active Directory groups and subject to monthly access and entitlement reviews. It’s just one example, but this kind of shift can form potential kill-chain scenarios that help drive your organization’s roadmap and prioritize resources/efforts.

Why Employ a Cyber Security consultancy?

While these steps may seem intuitive and easy to implement, there are several potential pitfalls. To quote a common idiom, ‘the devil is in the detail’.

1. Neutral: An in-house IT or Security department may be able to run through the process, but may suffer from confirmation bias. A consultancy can be impartial and will leverage knowledge of frameworks, methodologies, and industry experience to offer valuable insights and comparisons normally unavailable to in-house teams.

2. Efficient: It allows you or your team to get on with their day job, and provides you with both strategic and tactical recommendations with different levels of effort that can be implemented as per-resource bandwidth.

3. Adaptable: A cyber security review can adapt to meet the needs of any organization. From a start-up with no controls in place to an SME/SMB that doesn’t have the resource or expertise, the CSR can help create a three-year roadmap and tackle the future state in digestible chunks. The CSR can also help identify future resource needs, and for an enterprise with a more mature security program in place, it provides an independent review of the security organization and identifies areas where they excel or where ‘best of breed’ is desired.

In conclusion, a cyber security review offers benefits to any company, irrespective of its size, industry and cyber security maturity.