by Matthew Goche
Will you be (or have you been) the subject of a headline? The
victim of a damaging cyber attack or intrusion? If you’ve avoided it, count
yourself lucky. But if you’ve already been victimized, you aren’t alone. It
appears that such attacks and data breaches are practically inevitable today.
However, help is at hand. Organizations can build a strong
IT security road map to counter – and more importantly, prevent – what was once
an occasional hacking attempt to today’s constant bombardment by savvy cyber gangs.
Consider this your Cybersecurity Roadmap and Toolkit
The first priority is to perform an initial gap analysis. This
will identify weaknesses in your network and other IT infrastructure defenses.
It helps you locate where the starting point is, where to spend your time and
where you need to improve.
As my colleague Chris Sell advised in a recent article on information security gap
analysis, you should compare your security program as it stands versus overall
best security practices. This will help pinpoint vulnerabilities and risks.
Also, have a clear understanding of the security threats you should be looking
for or may find.
In addition, develop a security organizational chart that
clearly outlines all participants’ roles and responsibilities to disarm
intruders. This is vital because today’s security world has become much more
complicated. There’s more hardware and software to monitor – period. Regulators
also have become much more in-your-face about protecting their constituents,
who likely are your customers and who you are protecting – especially if you’re
in the financial services, retail and health-care sectors. Auditors, too, have
higher thresholds to examine operations.
Identify your ‘Security Chieftain’
In developing that security chart, first identify the ‘security
chieftain’ empowered to lead this group. If you have a chief information
security officer (CISO), this is likely your leader. If you’re a smaller
organization without a CISO, tap someone with authority – someone who has a
seat at the executives’ table but who also doesn’t have a blatant conflict of
interest.
The chief information officer (CIO) is fine, unless she or
he also holds the CISO role. If an IT professional is responsible for uptime of
applications, that person shouldn’t be the security chief because of an
inherent conflict. Too many pressures exist in terms of uptime and innovation
that can influence that individual’s mindset. In these cases, the security
chief’s role usually falls to the lead infrastructure specialist.
Be sure to build in checks and balances. If the organization
chart lists the person responsible for managing a firewall device, also include
the person ensuring the firewall device is managed correctly. At every stage, insert
in an additional layer of control.
Consider including someone that deals with risk on a
broader basis. A trend has begun that converges security roles and budgets into
the same hub overseeing continuity and recovery roles, as well as budgets. An
organization will likely reap real benefits by assessing the different
categories of risk and judging them on their merits while measuring them
together. In doing this, you can distill a clear understanding of overall risks
and risk tolerance and invest, accordingly, for business continuity and data
recovery.
Find a Hacker and Let Him Loose
Here’s a revolutionary suggestion – but a good one. Appoint
your own internal hacker to poke holes in your IT systems, identifying
vulnerabilities and seeking ways to strengthen those weak links. Initially when
enterprises searched for a third-party internal hacker, they could find few
candidates without criminal records.
Today, an increase in ethical training grounds has boosted
the number of legit IT professionals trained to take on that role. Since most
organizations don’t have an IT professional trained for such duties, it’s best
to look to a third-party source.
Next, develop a clear methodology that allows for testing
of the basics. Why? Because most successful attacks reflect a basic element
that wasn’t followed. Also, inject methodologies that test the latest malware
and other threats to outages.
Develop a plan for “application interdependence” that
identifies where third-party vendors leave companies the most vulnerable to be
hacked. Some of the most recent major cyber intrusions involved the attackers
getting into an enterprise’s system through a vulnerable third-party security
weakness. Target’s data breach late last year is an example.
Retain an external consultancy or partnership with expertise
in business continuity/disaster recovery or in the regulatory/compliance sectors.
This firm can review your security processes and test the resiliency and
compliance of your IT infrastructure.
Consider identifying a partnership with a managed security services
provider that, basically, can serve to augment your current resources. Its IT
professionals can provide 24/7 eyes and ears monitoring your environment and
looking for the gaps and weaknesses in your defenses.
This managed security services provider is performing, not
reviewing, operations. These providers do this for a living, so their specialists
maintain constant communication with law-enforcement agencies, perhaps global
in nature, that identify new types of security attacks cropping up somewhere and
advising companies and organizations to watch out for them.
While you can never be certain you’ll be completely safe
from a cyber attack, you can definitely take measures that will make it more
difficult for today’s sophisticated cyber thieves to crack the safe.
Plan. Prepare. Prevent. These three Ps can lead to a
hopeful outcome that also begins with a fourth P: Peace.
About the Author
Matthew Goche is
director of Security Consulting at Sungard Availability Services, which helps
clients keep mission-critical information and applications available,
recoverable and secure.
Got an idea for a Blueprint column? We welcome your ideas on next gen network architecture.
See our guidelines.
