CIOReview | May 2022
IT SECURITY: A PRACTICAL APPROACH

2. Conduct an Internal Audit

What are the most valuable and critical assets to your company? This is the same question malicious actors ask themselves when they are casing your organization, whether during reconnaissance or after an endpoint or process has already been compromised. Yes, even processes are assets in your company, and they should be under the same scrutiny your security team applies to securing systems.

Identify the systems (servers, databases, file shares, cloud services, and others) that hold the data most critical to your organization. In tandem, identify the processes around all financial transactions.

An internal audit can also help you assess how you have been monitoring logs for malicious activity. You cannot detect anomalies in your environment if you are not collecting the logs in the first place.

3. Set Goals & Define Policies

The adage "walk before you run" still rings true, especially when managing vulnerabilities. Setting goals and defining policies will help you navigate complex challenges as they arise. A good example is patch management. When was the last time each of your systems received an update? Patch management is a critical component of any organization's security posture. Your policy should outline which systems are patched, how frequently they are patched, and how you verify that the patches were actually deployed successfully. The patching interval should be set to an achievable goal at the outset of your security program and shortened as the patch management process matures.

4. Educate Employees at All Levels

Phishing and social engineering attacks are increasing 16 percent each year. Do your employees know how to spot clever hackers? Security awareness training does not have to be an expensive endeavor with painful, rushed rollouts to the entire organization. Start simple with a monthly newsletter that includes important security tips.
If you have the luxury of a marketing department, partner with them to help communicate a memorable message to employees. For example, a personal favorite of mine is "Trust but Verify." Remember that people are your weakest link, and when it comes to cybersecurity and the handling of important or sensitive information and financials, it is always better to over-communicate.

5. Evaluate & Adjust

The foundation of cybersecurity is built upon repeatable tasks that, when done consistently, reduce your overall risk footprint. It is important to ensure that as your journey continues, you are auditing yourself along the way. Are all new assets being classified? Are you analyzing new processes as they are implemented to ensure security risks are being addressed?

Although an internal mechanism should be in place to verify that processes are being followed, a third-party audit from a trusted partner will help mature your practice and ensure nothing is slipping through the cracks.

Once you are proficient at the practical steps in security, the next iteration should be selecting a framework and closing additional gaps in your security practice. Some of my peers may argue that this should be done first, but I believe the superior security frameworks that are available, such as the offerings from NIST, ISO or CIS, should be brought into play once you have established the basics.

The rollout of a successful security program is no different from the rollout of any other large project in your organization. It requires executive buy-in, dedicated personnel, a structured plan, and accountability. Early wins should be celebrated, and a positive mentality kept during the execution of the project. When failures occur, embrace them and push your team forward, documenting these items along the way. Revisit them during your progress meetings and turn them into wins where opportunities for improvement were identified and successfully implemented.
Keeping a positive mindset toward your security program throughout your organization will ensure the long-term viability of your practical approach to security.