Why neither compliance nor technology alone will keep your organization safe.
Technology providers love to talk about how the adversaries don’t care about your policies and procedures. The technology providers will tell you that adversaries will use a variety of automated and manual tools, techniques, and practices to attack your organization, and that only a strong technological defense will keep them at bay. Those technology providers are right…to a point. Without procedures for handling alerts, policies setting response requirements, and a governance program to ensure they are all properly carried out, your organization will likely suffer the same fate as Equifax and others.
What this means is that your organization needs to fundamentally embrace cybersecurity as part of its culture. This requires:
- a careful review and prioritization of the organization’s mission, functions, and strategies;
- a detailed analysis of the threats to the mission, function, and strategies;
- quantifying, at least at a high level, the risks associated with the identified threats;
- creating policies, procedures, and plans for managing those risks, including allocating appropriate resources (i.e., budget, people, equipment, etc.);
- building governance programs that ensure the policies, procedures, and plans are followed; and,
- repeating this process on a regular basis to address changes in the organization’s mission, functions, and strategies as well as the changing threat landscape.
Unless your organization embraces this approach, it will suffer from at least one of two classic problems:
- Assuming that since you are “compliant” with a cybersecurity framework, you are safe; or
- Assuming that technology alone can keep you safe.
Check-the-box Compliance does not Equal Security
Cybersecurity frameworks like NIST SP 800-171 and the NIST Cybersecurity Framework help ensure your organization’s cybersecurity program has certain key attributes, like plans for how security will be implemented in a given system (referred to as a “system security plan” or “SSP”) or how the organization will respond to certain types of incidents (referred to as an “incident response plan”). But if your organization relies solely on “check the box” compliance with those cybersecurity frameworks, your cybersecurity program will likely be ineffective.
For example, when they learn that they need an incident response plan, some organizations find one online, change the name of the company, and assume that the requirement is satisfied. Unfortunately, this is almost never true. The way one organization should respond to an incident may be very different from the way another organization should respond, even when the organizations are in the same industry. This is because the organizations have different missions, functions, strategies, organizational structures, system architectures, and much more.
Similarly, if your organization crafts a custom incident response plan but never tests it, your organization isn’t truly ready to respond to an incident. In short, unless the organization embeds cybersecurity into its corporate culture (i.e., into its DNA), the organization’s cybersecurity program will be ineffective.
Technology does not Equal Security
Embedding cybersecurity into your organization’s DNA takes time and requires a culture change. That concept doesn’t always sit well with many executives because they perceive it as a distraction and a cost center rather than a revenue generator. Many slick-talking salespeople know this, and will convince these executives that their tools or services are the “easy button” to cybersecurity, including meeting legal and regulatory requirements like CMMC. But there is no easy button, and adding more technology, on its own, isn’t likely to significantly increase your organization’s security.
In fact, the opposite is often true. Business leaders frequently assume that the new tool they bought is protecting them. In reality, the tool is likely generating alerts but, unless someone in the organization is responsible for following up on those alerts and there is someone else who ensures the responsible person actually does follow up on the alerts, the organization is lulled into a false sense of security.
Without an understanding of the unique attributes of your organization, you can’t understand its threats or the corresponding risks. In turn, without understanding the risks, including the likelihood and magnitude of the risk, your organization is likely to invest in technologies that address threats that are not relevant to your organization, or to focus on addressing threats that won’t have as significant an impact to your organization as others.
Organizational Cybersecurity Governance
That’s where policies, procedures, plans, and governance come into play.
Policies define the organization’s expectations and who in the organization is responsible for ensuring those expectations are met. For example, one policy might be:
“Employee Terminations: The HR director shall notify the CISO via E-mail no later than 10:00 AM of all terminations that are expected to be effective that day and the time(s) at which the terminations are to be effective. The CISO shall ensure that all terminated employees’ access is revoked within 15 minutes of the effective termination time.”
Clearly defining the roles, responsibilities, and expectations ensures everyone in the organization knows how they are expected to respond.
Procedures are proactive and tell those named in the policy exactly how to meet the organization’s expectations when it comes to events that occur on a routine basis. They also serve to document the steps that should be followed if the responsible person is not available (e.g., they leave the organization). This helps ensure consistency, continuity, and a more rapid response. For example, a procedure for the policy described above could read:
“Revoking Access: To revoke system access for terminated employees:
- Open https://portal.office.com in a browser.
- Log in using administrator credentials.
- Open the Administrator console.
- On the left-hand side of the screen, click on Users, Active Users.
- In the Active Users list, click on the user being terminated.
- Click block sign-in.
- On the following screen, place a check in the “block this user from signing in” checkbox, then click the Save Changes button.
- Repeat for all terminated users.
- Send E-mail to HR director confirming that the users are blocked from signing into their accounts.”
Plans are reactive and define how your organization expects to respond to unusual or unpredictable events. For example, an incident response plan should describe how the organization expects to respond to a cybersecurity incident. Because the exact nature of the incident can be difficult to predict, plans often have more ambiguity than procedures. Nonetheless, they should define the individuals or roles, their respective responsibilities, and the steps to be followed (as much as possible) much like a procedure.
Governance provides independent validation that the policies, procedures, and plans are all being followed. It should also provide an escalation path for any anomalies. This helps ensure cybersecurity is properly embraced throughout the organization. For example, a sample governance practice for the terminated employee scenario described above might read:
“Terminated Employee Access Review: On the first business day of each month, the CISO shall provide the HR director with a list of all employees with active accounts in the system. The HR Director’s delegate shall review the active account list to ensure that only current employees have access to the system. The HR Director shall report all discrepancies to the CEO.”
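The monthly access review in the governance practice above can be reduced to a reconciliation check: compare the identity system's account list against HR's roster and flag anything that violates the 15-minute revocation window from the sample policy. The following is an added example, not from the article; the roster, account export and review date are constructed data.

```python
from datetime import datetime, timedelta

# Revocation window from the sample policy: access revoked within
# 15 minutes of the effective termination time.
SLA = timedelta(minutes=15)

# Constructed sample data, not real records.
# HR roster: account -> effective termination time (None = current employee).
HR_ROSTER = {
    "alice": None,
    "bob": datetime(2024, 3, 4, 17, 0),
    "carol": datetime(2024, 3, 4, 12, 0),
    "frank": datetime(2024, 3, 4, 17, 0),
}
# Identity system export: account -> time sign-in was blocked (None = can still sign in).
ACTIVE_ACCOUNTS = {
    "alice": None,                         # current employee, access expected
    "bob": datetime(2024, 3, 4, 17, 10),   # blocked 10 minutes after termination: within SLA
    "carol": None,                         # terminated but never blocked
    "erin": None,                          # no HR record at all
    "frank": datetime(2024, 3, 4, 18, 0),  # blocked well outside the window
}
# Constructed date on which the first-business-day review is run.
REVIEW_DATE = datetime(2024, 4, 1, 9, 0)


def review_access(roster, accounts, now, sla=SLA):
    """Reconcile the identity export against HR; return sorted (account, finding) pairs."""
    findings = []
    for account, blocked_at in accounts.items():
        if account not in roster:
            findings.append((account, "active account with no HR record"))
            continue
        terminated_at = roster[account]
        if terminated_at is None:
            continue  # current employee, nothing to report
        deadline = terminated_at + sla
        if blocked_at is None:
            if now > deadline:
                findings.append((account, "terminated, sign-in never blocked"))
        elif blocked_at > deadline:
            late_by = blocked_at - deadline
            findings.append((account, f"sign-in blocked {late_by} after the {sla} window"))
    return sorted(findings)


if __name__ == "__main__":
    # Each finding is a discrepancy for the HR Director to escalate to the CEO.
    for account, finding in review_access(HR_ROSTER, ACTIVE_ACCOUNTS, REVIEW_DATE):
        print(f"{account}: {finding}")
```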
Cybersecurity is an ever-growing and changing field, and there are differences of opinion about how best to protect an organization. Some argue that technology is the only way to protect the organization. Others say organizations must focus on compliance, rather than technology. Both are wrong…and right. The best way to achieve a strong, effective cybersecurity program is to ensure you have the technologies in place to protect your critical assets and the policies, procedures, plans, and governance in place to ensure the technologies are used correctly.