What does a cyber security strategy look like?

As I was listening to one of the recent presentations, I was considering what a cyber security strategy should look like. So here goes:

All/every employee must understand the organisation’s mission. Additionally all employees must understand their responsibility to help secure the company to achieve the mission. (This is particularly notable for phishing attacks.)

Set a security mindset, security by design not as an add on

Have people at the board and all levels that own the cyber security problem, its implementation and response.

Understand your adversary and how they will attack you. Know your systems, all its end points, and all of its vulnerabilities. Have proactive intelligence on who is scanning you and try to identify why. Understand what normal looks like so you can spot abnormalities. Build trust groups internally and externally to understand your threat vectors and changes in attack methodologies, as well as exchanging ideas and best practice.

Identify and isolate what is important to you, such as your IPR (Intellectual Property Rights), customer data, financial data, etc.

Review current access and limit access to sensitive data to only those who actually need to access it and need to know the content. Not those who think they should have access. Identify your critical infrastructure and lock it down.

Be proactive and not reactive to the threats and vulnerabilities. Know when a wheel nut has come loose, don’€™t wait for the wheel to fall off before responding. Be as proactive in knowing what is leaving your network as to knowing what is trying to enter your systems.

Recognise your risks, relevant to your mission and ambitions, and have clearly defined boundaries as to what your risk appetite is.

For example:

1. Is it OK for your website to be down for 30secs, 30mins, 30hours?
2. Who are you going to call in a crisis, where is your documented IR plan written down and who can access it?
3. What do your agreements say they will do to assist you in crisis, think about reviewing their contracts?
4. What is your press statement going to look like and who is your talking head going to be?
5. Plan for breaches, anticipate breaches, rehearse and exercise your response, don’t wait till it happens so that you have to make decisions in crisis.
6. What will be your single public message? (lots of good examples out there deployed in recent events)
7. How will your staff, vendors and outsourced capability respond on Christmas Eve or even Christmas Day if you need help?

Understand how you are going to communicate during a crisis, if your systems are owned by a miscreant, it is no use using the corporate email system to decide and share your battle plan.

Still have

1. Patch management
2. Good password rules
3. Regular pen testing
4. Sans top 20 critical security controls

In the UK, I always find it is worth reviewing what the UK Government has on the subject on their gov.uk site on best practice for cyber security advice.

When it goes wrong, know who you are going to call.

Lastly, it’s all about the people, not the technology;  your people are your asset.  But never forget they can be exploited and can be a vulnerability, so invest time in educating them and getting their buy in.