CHRISTINE VANDERPOOL, VP IT SECURITY & CISO, FLORIDA CRYSTALS
Imagine you are on a hike in the woods. Maybe it is a path you have taken before, or maybe it is brand new. Regardless, upon undertaking the journey, one thing is clear. You must be prepared. Prepared for a storm, prepared for detours and closures, prepared for attacks and overall prepared for the unknown. Take a moment to place yourself in that situation under multiple adverse conditions and add another aspect to the circumstances, you are now also lost.
This scenario should feel familiar to all Chief Information Security Officers who are building a cyberprogram for the first or even the fifth time. We have all been on a journey or path that we were prepared for knowing full well of the unexpected that may and will most likely occur. We have also all had a moment where we felt lost. So how can we be ready, really ready to take the journey? The key is overcoming the feeling of being lost is to remember the essentials.
When building your program, if you begin to realize you may be lost, the key is to stop, stay calm and remember that panic is your greatest enemy. The next step is to think. Take a moment to think about where you are and where you want to go. Do not proceed until you know what step to take next. Thirdly, observe your situation. Look for familiar cues or clues that will guide you back to your original path. Lastly, determine a plan. Based on your thinking and observations, determine a plan or if you had a plan that did not go accordingly, rework it. Think through the options and then act accordingly.
To have a plan that can be actioned on successfully, have your essentials handy. First, you will need the fuel to feed the plan just as you would need plenty of food and water if lost on a journey. This means capital and ongoing operating budget. Understand your capital both human and financial. Many CISOs struggle in this area. They have difficultly building a successful business case that is fit for purpose and aligns with the larger strategy including financial guardrails. I highly suggest anyone building a cyber program identify all current security costs and look for areas to repurpose those operating expense funds to services and tools that provide stronger coverage and potentially even a return on the investment.
Next, you need your map. A map provides the guidance and path forward to help you from staying lost or even getting lost from the start. I prefer using a framework or standard that is already tried and true. I personally have based my programs on the NIST framework. The ideas of building coverage in the five areas of identify, protect, detect, respond and recover helps outline a perfect map for a program that you can easily continue to mature and develop over time.
A journey would not be complete without a compass as well to help you determine which way to head to next. For my compass, I like to use a condensed version of the Lockheed Martin Cyber Kill Chain. Just like a compass, north is always north, south is always south, west is always west and east is always east. Cyber-attacks always happen in the same manner. If you focus on reconnaissance, infiltration, lateral movement and exfiltration or objective, you can find your way around your cyber program and identify which direction is the best direction at that movement to focus on or more forward against.
Lastly, never forget your essential tools. In order to be fully prepared for whatever journey you embark on taking into account you never know what could happen along the way, focus on the fundamental tools. You need your sturdy boots, clothes for all weather conditions, a blanket, flashlight, water bottle and anything else that will help you survive if needed. Start with the “known” or basic essentials for your program and build on it over time. A strong endpoint tool, a monitoring tool like SIEM, a good incident response plan, strong policies, good end user education, a solid identity strategy and basic provisioning tools are all solid essentials to have in your survival kit.
The final key to not getting lost on your journey to build a great cyber program is once you have the plan, don’t forget to communicate it well and make sure key stakeholders understand your path and take others along with you. Give them the right level of details of where you are going, what path or map you are following, what essentials you have at your ready and ultimately the timeline and end goal of the hike. Remember that along the way, if you do get lost at any time, the most important tool you have is keeping a positive attitude.