Haroon Malik, managing consultant at NCC Group

From day one, all CISOs are tasked with defining a cyber-security resilience strategy. It must support ‘business-as-usual' but also provide a clear vision for the future.

While the headlines continue to claim that cyber-security is now recognised as a key risk on all executive risk registers, that doesn't necessarily reflect the situation on the ground. Many organisations have a reactive approach to security, one that focuses on fixing known risks and fire-fighting. They tend to be heavily biased towards enhancing technological capabilities coupled with some paper controls.

There's no arguing that technology is an important element of any cyber-security strategy, but a resilient strategy also needs to include both people and culture. There must be a balance between preventive, detective and responsive mechanisms.

As a CISO, if you come to this conclusion then the next step is to think about what programmes should be incorporated into your strategy.

First things first: get the basics right. The number of attacks can be significantly reduced by implementing basic security hygiene practices such as patch management, identity and access management, privileged access control and security change management. These are the fundamentals that must be covered before there is any further significant investment.

Secondly, if cyber-security is truly a board-level risk then give it the attention it deserves. Assign roles and responsibilities, ideally with CxO-level accountability, and adopt robust risk management processes to ensure that risks are not only identified but also assessed for impact, managed and subsequently owned. There need to be meaningful metrics and KPIs that monitor the success of the strategy and show where there is a need to invest additional time and effort.

Traditionally, security has been about protecting the perimeter and vital applications. Although this is still relevant, CISOs need to be clear on which data will be most appealing to hackers – essentially the ‘crown jewels'. Implementing data loss prevention (DLP) technologies may provide a quick fix in terms of monitoring data on the network, but the organisation will remain at risk without a clear understanding of what the ‘crown jewels' are and who has access to them.

Culture is also crucial. Staff are typically the first and last line of defence. Employees need to understand that they are part of the solution and have a responsibility to the business. You don't want them to feel like they are in a sandpit of protection provided by the organisation in which they can do anything without consequence. It's also important to have a non-punitive culture when people come forward with mistakes they've made. Improving cultural awareness must focus on instilling behavioural change that promotes extra vigilance, ownership and caution among staff.

Incident management is another element that must be covered off. There should be a dedicated team and procedures in place for handling data breaches and cyber-attacks. Crucially, these must be regularly tested too. Regulatory and legal obligations in the event of a breach must be taken into account as well. The importance of a robust incident management and response process cannot be overstated. Invest time in testing your incident response capabilities and ensuring they are fit for purpose, before it's too late.

Many data breaches go undetected for months, and by that time most of the damage has been done. In the same way that business intelligence enables effective decision-making, sound security intelligence should enable effective detection of threats and suspicious behaviour. This needs to look beyond traditional perimeter and signature-based solutions and explore analytics tools that discover suspicious behaviour, as well as unknown threats, using behavioural and heuristic mechanisms.

Data breaches or disclosures often occur due to the actions of internal employees, and these are very difficult to defend against. These are individuals who have legitimate access to data yet, either maliciously or by accident, cause a security incident to occur. The security strategy must factor in the fact that not all attacks will be external in origin.

Threat actors – be they internal or external – will likely make many attempts to steal data or compromise an organisation's assets for a variety of reasons over the course of a CISO's tenure. A strategy should accept that it will be impossible to defend against all of them successfully – otherwise the strategy is destined for failure.

A CISO's cyber-security strategy should accept that breaches will occur. The measurement of its effectiveness is the ability to detect, respond, and remediate when a breach occurs, while preventing the majority of breaches from happening.

Contributed by Haroon Malik, managing consultant at NCC Group