As a newly appointed information security leader, the first few months are critical to setting the foundation for a successful security program. During this period, it’s important to prioritise understanding of the organisation’s current security posture, establishing a baseline, and implementing quick wins to improve security.
In this post, I will primarily concentrate on Cyber Control Frameworks. Nevertheless, I encourage you to check out my other article titled Building an Enterprise Security Program From Scratch.
Here are three key steps that you should consider in the first 90 days:
Determine what we are going to measure ourselves against
Identify the organisation’s goals and objectives, and align it with the right security framework establishing a clear set of benchmarks and a common language around security, ensuring that everyone in the organisation is working towards the same goals.
Check where we’re at; take a couple of assesments
Once you have a clear understanding of the organisation’s goals, conduct a series of assessments to evaluate the current state of the security program.
Start implementing prioritised security initiatives and establish baseline
Starting a few key initiatives during their first 90 days is important. This can include low-hanging fruit, such as improving multi-factor authentication coverage, streamlining the patch management processes, and enhancing employee security awareness training. By implementing these early on, you can establish a baseline for measuring progress and building momentum towards larger, more complex security projects.
What is a security framework?
Similar to how a motherboard serves as the foundation for a PC’s construction, a security framework provides the structure for implementing a comprehensive security program. By adhering to a security framework, organisations can ensure that they address all necessary security areas and implement security measures that are suitable and effective for their unique requirements.
While building a computer, it may be tempting to design your own motherboard, or create a customised framework. However, in the realm of security, it is generally not recommended to create your own framework. If you create your own security framework instead of using an industry-approved or government-approved one, auditors may question the organisation’s decision during audits, potentially leading to increased scrutiny and scrutiny of the organisation’s overall security posture. These established frameworks have been developed through years of research and experience, and are recognised as industry standards.
There are three main types of security frameworks that organisations can use to establish a comprehensive security program:
- Control frameworks
- Program frameworks
- Risk frameworks
Control frameworks
These frameworks offer a catalog of security controls that organisations can use to address specific security risks. Examples include the Center for Internet Security (CIS) 18 Critical Security Controls and the National Institute of Standards and Technology (NIST) Special Publication 800-53.
Program frameworks
These frameworks provide a holistic approach to security program development, covering all aspects of the program including governance, risk management, compliance, and incident response. Examples include ISO 27001 and the NIST Cybersecurity Framework (CSF)
Risk frameworks
These frameworks provide a structured approach for identifying, assessing, and prioritising security risks. Examples include the Factor Analysis of Information Risk (FAIR), ISO 27005, and the NIST 800-39.
How it all fits together
Continuing with the analogy, building a computer requires selecting the right components and assembling them correctly. This is where control frameworks come in, these provide a catalog of computer parts (security controls) from which you can assemble a computer.
However, having the right parts isn’t enough to build a functioning computer. You also need a manual that outlines the steps for assembling the parts correctly. The program framework is like a manual that gives step-by-step instructions on how to assemble the computer using the parts catalog. It provides guidance on the order in which components should be installed, how they should be connected, and how they should be configured.
Finally, the risk framework is used to protect the computer from potential threats. This involves identifying potential risks and vulnerabilities, assessing their potential impact, and implementing measures to mitigate or eliminate them. The risk framework also provides feedback for continuous improvement to build better parts, or security measures, for protecting the business.
Closing
In summary, just like building a computer, establishing a comprehensive security program requires selecting the right components (control frameworks), following a step-by-step guide (program frameworks), and protecting against threats (risk frameworks). By using these different types of frameworks together, organisations can establish a strong security foundation, comply with industry regulations, and defend against potential cyber attacks.