How can you assess and improve your security posture?

In my experience, there has never been a book, or process I can hand to the team that "fits" perfectly into our org. It has always been a revised , customized or enhanced version based on the culture, the product approach/security approach to what we are trying to accomplish. ISO Standards, NIST, etc, are excellent, time-tested frameworks that have always been the structure to these customized approaches, but neither have ever been 100% implemented as written.

Assessments like this feel like you are boiling the ocean. It's a rabbit hole. Perform a business impact analysis for disaster recovery. All senior managers will have their own ideas, what does the board think? Ask for 15 mins at the end of a board mtg, use very simple language but engage them. What functions can the business not live without for a minute, hour, day or possibly a month? They will have a strategic view of business priorities. Forget hackers for the moment, a tornado or flood can just as easily put a company out of business. When you know their priorities, then look at ALL dependencies including technology then apply threats, likelihood and impact. The shopping list of controls will present itself. Then apply the cyber lens.

It should be a list of all assets available within your organization and based on BIA and Rish Assessment to determine which one will have a high priority to protect. The list and how to put the weight number of assets, application, or business will depend on risk appetite and the company's strategy. Then, the Threat Modelling technique will support figuring out the potential threats.

In the contemporary world of interconnected digital environments, the key to establishing a resilient security framework lies in the ability to identify both your invaluable assets and potential threats. This foundational awareness not only forms the bedrock of your protective measures but also empowers you to take proactive steps to safeguard your digital ecosystem. To effectively protect your organization, you must first pinpoint the essential elements that drive your business and ensure its continuity. From sensitive data repositories to critical software applications, understanding the intrinsic value of these assets is paramount.

Recognizing your assets and threats is a crucial part of strengthening your security stance. This process involves understanding the valuable elements within your organization and being aware of potential risks and vulnerabilities that could compromise them. It serves as the groundwork for implementing protective measures and ensuring the overall security and resilience of your systems and data.

Frameworks and standards make up a good starting point but they do not have all the answers to the specific security requirements related to your organization. This part of the exercise is your responsibility to take on as a security practitioner. You are there to support your organization to fulfill the security requirements specific for your needs. You cannot outsource or assign this responsibility and task to a framework or standard. A standard or framework will never provide you with this answer. Use them as a starting point and do the rest of the exercise together with your business stakeholders in your organization.

Depending on the organization maturity moving from low maturity with ad hoc cybersecurity activities , to a framework or compliance based security provides many benefits especially in establishing cybersecurity hygiene in the organization, however, the focus should be to reach a risk based approach for managing and improving cybersecurity activities and practices. The risk based approach allows the organization to adapt to new threats and changing cybersecurity landscape as well as facilitates focusing on the most critical assets. Also the compliance based approach can give you a false sense of security.

Customers, partners, regulatory pressures will likely have ideas on what you must have. Pick something right for the business. They all have core similarities (just different marketing teams). Don't get consultants in, do it yourself and quiz your own managers. You will better understand the business. They will understand your reasoning so when the additional paperwork, governance and requests for controls come their way, they are a tiny bit more invested. And it's likely you'll do this more than once and maybe different schemes. Whatever you learn from doing a free CIS assessment can easily be applied to 27001 and others. Don't boil the ocean, after all we say all the time 'security is everyone's responsibility'. Own it but know why.

It is not a matter of simply choosing a singular monolithic security framework. Security practitioners and senior leaders should endeavor to abide by the best principles from all security frameworks and integrate them best based on their unique organization. All these frameworks offer a means of achieving security, but they come from a variety of perspectives and influences. Do not overlook any single one.

Frameworks like ISO 27001 and NIST are often seen as the gold standard. However, they might not be a one-size-fits-all solution. Sometimes they add complexity without directly contributing to actual threat mitigation. In some cases, businesses might be better off with a customized set of guidelines that precisely address their unique risks. Know what your organization needs and how it operates, use frameworks as a baseline, and tailor them to your specific environment.

When considering security controls you should have the foundations right: know what you have by. carrying out a comprehensive audit of your current landscape, remove default accounts and default passwords, and regularly review accesses and privileged accounts, remove unused ports and protocols, ensure timely vulnerability analysis and patching, strengthen your devices & systems configurations (servers, network devices, applications, databases, interfaces, IoT, ..).

Once you understand where you stand from a cyber security maturity perspective, build an action plan to address those issues - as time, money and other resources permit. Too often a company has a maturity assessment, understands what is needed in order to improve and then fails to create an action plan and/or act on it!

In my experience, the controls that get the most attention are the technical controls. To a certain extent, it makes sense. They are shiny and sexy. They have lights and send alerts! But technical controls are only 1/3 of the solution: don't forget about your operational and management controls. They can be critical to helping secure your organization.

Absolutely, implementing security controls is like putting on armor for your digital realm. Whether it's the technical muscle of firewalls, antivirus, encryption, and backups, or the administrative wisdom of policies, procedures, training, and audits, these controls are your defenders against cyber threats. To make it a smooth ride, ensure your chosen security controls align seamlessly with your selected framework. Tailor them to tackle the unique risks and needs of your organization. And don't forget the paperwork! Document everything about your security controls—how they're configured, how they perform, and how they're maintained. Think of it as creating a superhero team to safeguard your digital kingdom.

Implementation goes beyond mere installation. It's about holistic integration—ensuring controls don't just exist but are aligned with your organization's DNA. Consistent reviews and updates are crucial. In the dynamic landscape of cyber threats, stagnancy is vulnerability. And remember, human-centric controls, such as awareness programs, are as imperative as any high-tech solution.

Effectively monitoring security requires focusing measurements on outcomes rather than outputs. There is often information overload from an avalanche of alerts, endless dashboards and metrics. But reading more alerts or tracking log data after a breach does not help in measuring the program. Develop key performance indicators tied to proactive threat prevention and rapid response, security leaders can cut through the noise and demonstrate how their programs substantially reduce business risk. The goal is not more data, but measurable risk reduction. The key metric is minimizing time between a vulnerability arising and its remediation. Shortening this window of exposure limits the impact of potential attacks.

While it's important to monitor and measure, it can as well be distracting and overwhelming to keep track of hundreds of different metrics, dashboards and scorecards, and that's a common pitfall for technical staff. Very often simplicity is key as at the end of the day, security is a supporting function for the business and it should enable it, rather than exist on its own, therefore some of the KPIs and KRIs should be easy to understand by the Senior Management or Board Of Directors and help them measure the ROI from the Information Security programme.

This is probably the toughest part. To know how something has improved or is failing is tough to measure. Is it worth measuring how many spam messages you get, or how effective the tool is, how many false positives, how many true positives? Do you care how many vulnerabilities a system has or how quickly they are patched? Or how long your attack window was? MTTC is that as important as MTTD or MTTI? Picking the right metrics can really help you justify additional resources, training, tools etc. Then improving those scores after the money has been spent, you'll be demonstrating value to the business and more likely to invest further. NEVER be afraid of poor results, use them to show opportunities to improve, there are usually reasons for it.

One of, if not the most important aspect, of any cyber security program is monitoring progress over time. Not only monitoring to see how well we are doing in various areas and pat ourselves on the back where we are doing a good job, but to also identify opportunities for improvement. The main goal of any cyber security program should be to grow over time.

Monitoring and measuring your security performance is like having a fitness tracker for your digital well-being. Set clear security goals, regularly check metrics to understand how well you're doing, and dive into data from logs, alerts, and feedback. Visualize results with dashboards and benchmarks, and compare your performance with industry standards. This ongoing check-up not only keeps your digital health in check but also guides continuous improvement. Stay vigilant, keep measuring, and watch your security resilience thrive!

Frameworks come and go, they get revised (usually to keep the bodies behind them relevant)... New technologies that the business can exploit appear every day. So do vulnerabilities, threat actors get better, faster, Nothing stands still. Neither can the security. Sometimes it's an upgrade from an IP filter, to a stateful firewall to an application firewall or WAF or beyond. I think the cloud is evidence enough.

Measuring security posture means something different to every company, and it's a highly subjective matter that the understanding of should be the same across the business and information security functions.

Keeping your security in top shape is an ongoing process, not a one-time deal. Schedule regular reviews and adjust based on changes in threats, tech, regulations, or business needs. Evaluate and fine-tune your security controls, adapting to the evolving landscape. Document your journey, report your findings to stakeholders, and stay agile in upgrading your digital defenses. Remember, security is a living, breathing entity. It evolves, and so should your approach to it. Stay agile, keep reviewing, and ensure your security posture is always at its prime!

Updating your security posture is a collaborative, ongoing process between security, IT, management and end users. It requires continuous review and adaptation, not sporadic fix-and-forget efforts. Policies, controls and plans should be reevaluated at least annually, as well as after major events like new regulations, critical infrastructure changes or application updates that alter data access. Regularly test the effectiveness of controls through audits and exercises. Document deficiencies, opportunities for efficiency gains, and steps to enhance defenses. Report status to key stakeholders, implementation teams, and leadership. View these audits as learning experiences, not punitive measures.

For example, the rise of generative AI technologies could introduce new types of threats that weren't previously considered. In such cases, merely sticking to established security controls may not suffice. Instead, a periodic review and update of your security posture are crucial. This involves re-evaluating the effectiveness and efficiency of your current security controls and making adjustments to counter new risks effectively. Rather than solely relying on documentation, real-time reporting tools can offer dynamic updates to key stakeholders about any changes in the organization's security posture. By keeping up with evolving technologies and threats, you enhance your organization's resilience and adaptability in security environment.

As i keep repeating what halvar said in 2017 : offense is technical, defense is political. More important questions for me would be. 1. Why are you doing this? 2. Whats the budget? 3. Whats the headcount available? If motivation is a specific requirement: work will be done to meet that requirement to bare minimum level. anything above bare minimum would need to be looked at as a budgetary scenario in most organizations. If high budget but low headcount: offload as much as possible on other entities/ vendors. If low budget, high headcount: bank on OSS as much as possible If you are aligned with management goals you will have a better chance at getting things done.

Five things I look for when evaluating an organization's cybersecurity program: 1. Does the organization know WHAT is on their enterprise: hardware, software, critical information stores, etc.? 2. Does the organization know WHO is on their enterprise: How do they do AMD/C? How are contractors managed? How is remote access achieved? 3. Does the organization have a forensic capability as part of a robust incident detection and response process? 4. Does the organization have a crisis or risk communications plan as part of their BCP/DR process? 5. How often is the organization testing full restoration from backups?

Following essential pillars should also be considered to help improve the overall security posture - 1. Defense in depth: Ways to implement end to end security & avoid single point of failure. To protect endpoints, network, application, data. 2. Least privilege: RBAC, JIT, PAM are some ways to ensure access is granted on need basis only & for limited time. 3. Separation Of duties: Roles should be properly identified and evaluated on timely basis. Avoid single point of control. 4. Secure design: Follow security best practices/ frameworks while designing software to prevent security misconfigurations in applications. Eg: secure SDLC, DevSecOps approach.

Run purple teaming exercises. Identify gaps across people, process and technology. Establish cybersecurity program to prioritise the gaps and to remediate them.

Cybersecurity is as much about technology as it is about culture. Building a culture of security-first thinking, where every stakeholder, from the intern to the CEO, is a vigilant gatekeeper, can transform an organization's security posture. Sharing and learning from past incidents, whether internal or from peers in the industry, can offer invaluable lessons, ensuring history doesn't repeat itself.