By Ben Densham, CTO at Nettitude
By 2021, Forbes estimates that there will be $6 trillion in damages caused by cyberattacks, a figure that exceeds the cost of all natural disasters in an entire year. However, cyberattacks and the impact they can have on organisations are now becoming much better understood, and more businesses are putting protocols and cybersecurity strategies in place to become proactive rather than reactive to cyber threats.
Creating a cybersecurity strategy involves working out what ‘good’ looks like for your business in terms of maintaining digital security, keeping cyber threats at bay and having a plan of action in place for the possibility of a breach. Your cybersecurity strategy should be a clear vision that’s well articulated, has board level engagement and is relevant to your industry. Whilst many businesses have a cybersecurity policy, this is no longer enough. It’s crucial to have a full strategy in place which instigates cultural change within your business ecosystem, and isn’t just reactive to threats but proactively ensures your business is doing everything possible to protect itself from cyberattacks.
Here are 5 steps to consider when creating your effective cybersecurity strategy:
Step 1 – Defining what an effective cybersecurity strategy is
An effective cybersecurity strategy has clearly defined goals and objectives, with measurable outcomes. Start by defining what it is you need to protect and the impact to your business if the service or asset was attacked. This will help you to work out the required level of protection for each service or asset. Once you’ve established this, there needs to be a dedicated team in place who will oversee and measure the state of your business’ security. This team should be able to challenge and question the state of your security, as well as test and verify outcomes.
Your dedicated cybersecurity team should create clear metrics and KPIs which allow you to measure how close you are to achieving your security goal and objectives. Your risk appetite and priority will also help determine an appropriate cybersecurity budget. Most importantly, it’s essential to facilitate a change in company culture, ensuring buy in from the top down to ensure ownership, accountability and belief.
Your strategy will also depend on the industry you’re in. The EU Network and Information Security Directive is focusing on critical national functions within a wide range of sectors from transport, to energy and utilities. Marine and Offshore is also developing rapidly, and as part of the Lloyd’s Register Group, Nettitude have a specific framework for safety related threats facing the industry.
Step 2 – Determining a cybersecurity framework
Whilst scoping out stage 1, you should be able to start developing a framework for your cybersecurity strategy. Your framework will give your business an organisational and operational model to base your overall approach on and covers the 5 main areas from identification of a threat, to protection, detection, response and recovery.
There are a range of frameworks to choose from but all generally fall into three categories: control frameworks, programme frameworks and risk frameworks.
A control framework is often used in businesses where IT and security infrastructure is relatively immature. In this case, the control framework is used to establish a basic set of controls to implement. Examples include NIST 800-53 - CIS Controls.
A programme framework is used to assess the state of the overall security programme, build a comprehensive strategy, measure the maturity of current programmes and conduct industry comparisons. Examples include ISO 27001; NIST CSF.
Risk frameworks are generally used by cybersecurity professionals to ensure they are managing a programme in a way that is effective for stakeholders and helps determine how to prioritise security activities. Examples include NIST 800-39, 800-37, 800-30; ISO 27005; FAIR.
Your framework should leverage aspects from each of the three categories and should be tailored to your sector, geography, business model and your own internal skillset. You can find out more info on determining your framework in our full research report.
Step 3 – Defining risk assessment goals
Before developing your cybersecurity controls, a risk assessment needs to be conducted to work out what you need to protect, where it is, and how much damage your business would face if this asset or service was attacked. Once this is established, you will be able to determine the appropriate level of controls required.
If you’re not sure where to start with your risk assessment, Nettitude workshops offer an integrated approach to understanding how to generate your risk assessment and the appropriate action to take once risk appetite is identified.
Step 4 – How to implement security controls
Your controls are essentially the security architecture of your business in which their purpose is to manage and reduce risk. The type of controls you implement will be dependent on your risk appetite as well as industry type and involves hunting for threats, identifying threats, and learning about the detected threats, then updating your database in accordance.
Controls can include –
- Establishing firewalls
- Intrusion Prevention Systems (IPS)
- Intrusion Detection Systems (IDS)
- Networking Infrastructure (Switching, Routing)
- Cloud based multi-factor authentication
- PCI environment managed services.
Stage 5 – Checking your security controls are working
As mentioned in stage one, being able to measure the effectiveness of your cybersecurity strategy against your goals and objectives is essential for maintaining a strong defence. Threat assessment provides continuous levels of assurance and involves signing off each aspect of your cybersecurity strategy, and continuous maintenance to stay on top of current and future threats.
Threat Assessment covers a wide range of aspects from vulnerability scanning, to threat intelligence data and feeds, network monitoring and traffic analysis, behavioural analysis, and deception technologies. Whilst this may seem like a large task, Nettitude are able to provide SOC monitoring services to provide you with the assurance that your environment is not only being monitored, but creates alerts and evokes an appropriate response quickly when needed.
Overall, a cybersecurity strategy isn’t something that can be developed overnight. An effective strategy is one that’s had time to mature, receive feedback and evolve alongside the threats you are facing. Ensuring adaptability to the threat landscape is the most essential part of your strategy and requires constant monitoring and maintenance.
To find out more about creating an effective cybersecurity strategy, read our full research report on the topic.