Implementation of a strong Cyber Security program is key to the success of both Government and Commercial enterprises. Implementing a successful program takes “buy-in” from the top and may require a slight reorganization and/or adjustment of duties. Cyber Security affects every aspect of your organization. It is not just an “IT” issue; it is a company, organization, or business criticality issue which can make you successful or sink your ship.
Although both the Government and Commercial businesses understand the importance of having a strong Cyber Security program, they implement it very differently.
On the commercial side, they do it to stay in business, because it affects their bottom line. For example, several of our clients’ businesses rely on the customer’s ability to access their site, review/select merchandise and process payments. If they experience an attack which temporarily removes that customer access or their ability to process debit/credit cards, then they will feel an impact to their bottom line. They need to have a strong security program in place, a practiced plan and a work-around designed just for this scenario. The customers need to be transitioned to an alternate access point so that transactions continue without a break in service.
The Government’s requirements are very similar and very critical to the success of each organization’s Operational Missions, and therefore to our ability to sustain National Security for the Nation. Every unit plays a vital role in maintaining security. The weakest link in the fence weakens the entire fence. The Government has a program in place to protect its data, networks and information, but the program changes in step with the changing threats. Implementation of a strong Cyber Security Program requires focus, commitment, constant monitoring and flexibility, but the most important thing we need to have is a “Guide” or model.
There are a number of excellent cyber security frameworks that provide a methodology for discussing/understanding Cyber Security. Adherence to a framework ensures that you take advantage of critical elements of information protection and defense. This applies to corporate as well as government network information enterprises.
(ISC)2 Common Body of Knowledge – 10 Security Domains
ISO 27001/27002 – 114 Controls in 14 domains
NIST SP 800-53 Rev. 4 – 224 Controls in 18 families
Council on CyberSecurity Critical Security Controls – 20 Controls.
Although there are numerous frameworks, they all share common elements:
Functional Areas across the enterprise which provide the layered defense architecture
Security Controls which reduce the probability or severity of a risk
Risk Management which identifies protections based on evaluation of the business/mission strategy, assets, risk appetite and risk mitigation
Mechanisms for continual monitoring – audits, evaluations and validation methods
I am encouraged to see how many companies are now changing their organizations to include the addition of a Chief Security Officer (CSO) or Chief Information Security Officer (CISO). I am also seeing companies begin to take the NIST 800 requirements seriously, which is also encouraging.
Anytime I meet with a client or potential customer, I talk with them about their information security program and the types of people they need to find and hire. I push for folks who are familiar with auditing, inspections and configuration management, and who hold CISSP- and CISM-type certifications. I do this because these folks have taken the initiative to improve themselves in the Information Security arena, and this tells me something about the individuals and their work ethic.
Information Security is a challenging area, and it will take all of us to thwart those would-be attackers.
Please feel free to send comments or questions on implementation strategies. I have 20+ years in the security arena in both the commercial and Government environments.