“Where should I invest in security if I’m starting from scratch?” That’s a question CrowdStrike Services clients frequently ask us. We hear it from small businesses trying to weave security into their baseline operations, from startups that want to ensure they’re taking the necessary precautions, from political organizations that recognize their success depends on data security, and from established organizations that have underinvested in security in the past and want to correct course.
The answer depends largely on who’s asking the question. Any serious effort to protect an organization from cyber risks should begin with assessing what those risks are. Risks can vary considerably from one organization to another.
While there is no one-size-fits-all solution, there are some common steps that every organization should complete before attempting to answer the “where do I invest” question. This blog post considers these steps from a business and risk management perspective. A second blog will look at some of the basic technologies that can support those business objectives. In addition, we have just published a companion white paper that further explains how to build on these measures to mature your organization’s cybersecurity capabilities.
The information presented here is meant to help organizations prioritize their efforts, particularly at the outset, when the number of capability gaps far exceeds what an organization can quickly address. Thus, our guidance at times omits crucial security practices, if they are not among the first steps we believe most organizations should take.
Cybersecurity is not a purely technical endeavor. It certainly involves a lot of technology, but at the end of the day, the goal of cybersecurity is about helping an organization achieve its business goals. Good cybersecurity processes help align technologies with your business. The following are some of the foundational processes that all organizations should implement from the start.
Identifying assets involves enumerating all your organization’s resources and assessing which of them are most important. From an information security perspective, this usually means identifying what information is most valuable to the organization and where it resides in the computing environment.
In addition to knowing where that information is stored, it is also important to inventory the infrastructure that supports and accesses it — from workstations, cell phones and servers, to email applications, file shares and cloud-based services. This inventory should include the owner and business function of each resource. This should result in a catalog — not just of critical information, but also of critical systems.
The best organizations go one step further and identify which of these assets would be most appealing to attackers. Attackers often, but not always, seek the information that an organization values most. Good practice identifies both the high-value assets from the organization’s perspective and the high-value targets from the attacker’s perspective.
Identify the Risks
Most organizations that are just beginning to focus on cybersecurity haven’t fully taken stock of the risks they face. Often, they are spurred into action by a specific incident, such as an executive receiving a spear-phishing email or watching a competitor deal with the aftermath of a data breach.
However, such incidents rarely represent the unique risks that each organization faces. Attackers aren’t always after the “secret sauce” — sometimes business emails or client names are enough for them to exploit your information for advantage or profit. This is why the asset identification process should not only identify your own high-value assets, but also what attackers are likely to consider valuable. Risk identification goes a step further by considering how potential attacks will affect an organization’s business objectives.
Understanding the impact of these risks on your organization is a cornerstone on which to build a cybersecurity strategy. It is also a key element in the next process: engaging leadership.
Get Leadership Buy-In
Though cybersecurity is often viewed as a technology challenge, having good processes in place to help identify and manage cyber risks is at least as important as having good technologies.
Few efforts are as crucial as ensuring that an organization’s leadership supports security efforts. Leadership buy-in helps ensure the necessary budget and personnel to pursue cybersecurity initiatives, and it helps set the tone in the organization that security should be a priority. Leaders who engage with security early on have organizations that more readily develop a culture and management approach that embraces security. Baking these elements into an organization at the start is tremendously helpful, because it’s hard to retrofit them into a more established organization.
In most organizations, the idea of cybersecurity is still abstract to business executives. The management team responsible for cybersecurity must often define the risks associated with the high-value assets described previously. Developing a risk program that includes cybersecurity is important, and taking it to a more granular level may prove even more beneficial in gaining the appropriate level of leadership support.
CrowdStrike recommends developing a threat detection framework for this purpose. Our white paper discusses this framework in more detail, but in short, the goal is to identify the data points that you’d want to have during a cyber event, and match those items against the available data in your environment today. The gap between what you want and what you have represents the risk to your organization, and allows you to represent this risk in a succinct manner.
Establish Security Policies
One of the simplest ways that leaders can set expectations for security is by adopting and promoting policies. Security policies may not be as sexy as next-generation firewalls or advanced endpoint detection software — no one ever built a marketing campaign around a security policy — but when implemented properly they can be equally important.
Basic security policies should identify who is responsible for making security decisions. They should establish expectations for employee behavior, including what constitutes an acceptable use of company computing assets.
Policies should be enforced wherever possible. For instance, if company policy prohibits the use of file-sharing sites like Dropbox or Google Drive, access to those sites should be blocked from the corporate network. When these items don’t line up, we call that the difference between policy and reality.
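One way to measure the "difference between policy and reality" described above is to check the deployed blocklist against the policy's prohibited list. This is an added example, not CrowdStrike's code; the policy domains and the deployed blocklist below are constructed sample data, and the parent-domain matching rule is an assumption about how the egress control behaves.

```python
from __future__ import annotations

# Domains the acceptable-use policy prohibits (constructed sample data).
POLICY_PROHIBITED = ["dropbox.com", "drive.google.com", "wetransfer.com"]

# Egress/DNS blocklist as currently deployed (constructed sample data). It has
# an entry nobody can trace back to the policy and is missing two policy lines.
DEPLOYED_BLOCKLIST = ["www.dropbox.com", "docs.google.com", "dropbox.com"]


def _labels(domain: str) -> list:
    """Split a hostname into its DNS labels, normalised for comparison."""
    return domain.lower().rstrip(".").split(".")


def is_covered(domain: str, blocklist) -> bool:
    """True if the blocklist contains the domain or one of its parent domains.

    Assumed control semantics: blocking dropbox.com also blocks www.dropbox.com,
    but blocking www.dropbox.com does not block dropbox.com itself. Matching is
    done label by label so that notdropbox.com is not treated as covered.
    """
    wanted = _labels(domain)
    for entry in blocklist:
        have = _labels(entry)
        if len(have) <= len(wanted) and wanted[len(wanted) - len(have):] == have:
            return True
    return False


def policy_gaps(prohibited, blocklist) -> list:
    """Policy says blocked, reality says reachable: the enforcement gap."""
    return [d for d in prohibited if not is_covered(d, blocklist)]


def unmapped_entries(prohibited, blocklist) -> list:
    """Blocklist entries that no policy line justifies; candidates for review."""
    return [e for e in blocklist if not any(is_covered(e, [p]) for p in prohibited)]


if __name__ == "__main__":
    print("Prohibited by policy but not enforced:",
          policy_gaps(POLICY_PROHIBITED, DEPLOYED_BLOCKLIST))
    print("Enforced but not traceable to policy:",
          unmapped_entries(POLICY_PROHIBITED, DEPLOYED_BLOCKLIST))
```

Run the same comparison whenever the policy or the blocklist changes; a non-empty gap list is the concrete item to take back to the policy owner.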
Read Part 2 of this series on the technology basics that can help organizations establish a foundation for cybersecurity efficacy: “Building Cybersecurity From the Ground Up — Part 2: The Technology Basics”
For more on how to build on this foundation, download the white paper: “Where to Invest Next: Guidance for Maturing Your Cyber Defenses.”