Recently while working with another organization in the middle of the WannaCry attack we made significant changes to their systems. We ran emergency patches to some devices, adjusted the public Wi-Fi access, became even more diligent about defense in depth and pushed out details to confirm all staff were informed about how such attacks could enter even a well-protected organization.
The driving question that came down from the CIO (and from the CEO above him) consisted of three words. Are we secure? If you’re in IT and touch security in any fashion you know that question can be extremely challenging to answer. The difficulty lies in the fact that, to an IT security professional, it isn’t a single question with a single answer. It breaks down into a host of questions and issues.
Some of the underlying questions are:
Are our people aware and engaged in their part of cybersecurity?
Do we have a backup that is not continuously connected so that it can’t be compromised in case the production data is damaged or destroyed?
How do we know when we are under attack?
Can we even implement the necessary patches or do they conflict with other applications?
What can we do if it’s a Zero Day attack and there are no patches?
What systems and people have access to the critical data? Is that access audited?
Where do we have systems that cannot be updated because specialized equipment or applications require older operating systems and don’t support the newer ones?
Who is making sure that our network equipment (routers, switches, etc.) is secure, both running the most current stable OS release and in its configuration?
Are our commercial applications secure from attack? What about in house developed applications?
Do our customers, contractors and/or employees have access to critical systems and applications from unsecured devices?
Who is keeping track of all of this? Is that information secure from loss or attack?
It’s like you are in a maze and every time you turn a corner another question appears, opening a new path to follow. Questions lead to more questions until you are exhausted by the dizzying array of what must be discovered and documented to answer that deceptively simple question: Are we secure?
Is There Any Hope?
It seems impossible, but a way out of the maze exists. How do you find your way through a maze to the exit? You can use trial and error, but even if you eventually find the exit you will have wasted valuable time and resources in trying to do this all on your own.
You know what I want when I’m in a maze? A map. A map listing all the pitfalls, blind corners, areas of danger to avoid and, of extreme importance, the most efficient and safest way out.
Have you ever wondered how other organizations keep all their critical assets, security systems, protection and detection procedures, user education and cybersecurity reporting to the top leadership in order? Have you ever wondered how global entities and national governments manage their cybersecurity? They have what you want, the equivalent of a map. With it they can answer the question: Are we secure?
How to Answer the Question
The map we refer to is in the form of a plan. But it’s not a disaster recovery plan or a business continuity plan. It’s a cybersecurity plan. Perhaps you have a security plan. It explains what to do in the event of a security incident. That is only a small part of a cybersecurity plan: the incident response part.
A cybersecurity plan covers every area related to cybersecurity, from the all-encompassing mission of the organization down to the tiniest minutiae, such as how you handle a virus on a single machine in your smallest office.
Once you have the plan in place you can quickly answer the question Are We Secure? in every area related to cybersecurity. As more insidious threats emerge and new technologies come online, you refer back to the plan for dealing with them and, over time, improve the plan from what you learn.
How to Create the Plan
The idea of developing an overall cybersecurity plan may seem daunting, but I have good news! Others have gone ahead of you and blazed the trail through the maze. In fact, the United States government has worked and continues to work with industry leaders in all areas of critical national infrastructure to create a powerful framework to allow you, and any other organization, to create your own cybersecurity plan.
This framework shows exactly where and how to look at what you already have for cybersecurity and determine what you need to make your organization more secure. It contains best practices and methods that have been used for years by top businesses to manage their cybersecurity.
What is this Framework?
The NIST (National Institute of Standards and Technology) created the NIST Cybersecurity Framework in response to an Executive Order from the President of the United States. NIST sought input from multiple industry leading organizations and has worked with them to continuously revise and improve the framework.
Any organization, no matter how large or small, can use this framework to analyze their current cybersecurity posture, create a plan to implement necessary changes and put in motion processes for continual improvement as the cybersecurity landscape changes. Here at LRS Education Services we can help you meet this audacious goal.
How Do I Learn More?
We offer three options for getting up to speed about the NIST Cybersecurity Framework (NCSF) and its implementation:
The NCSF Foundation Certification Training Course is a one-day overview that outlines current cybersecurity challenges and trains on how organizations that implement an NCSF program can mitigate these risks. This program is focused on candidates who need a basic understanding of the NCSF to perform their daily jobs as executives, accountants, lawyers or information technology professionals.
The NCSF Practitioner Certification Training Course details the current cybersecurity challenges plus teaches in depth the University of Massachusetts Lowell NCSF Control Factory Methodology on how to design, build, test and manage an NCSF cybersecurity program. This cybersecurity training course is focused on candidates who need a detailed understanding of the NCSF to perform their daily roles as cybersecurity engineers, testers or operations professionals.
The NCSF Bootcamp Certification Training Course combines the overview from the Foundation course with the in-depth information of the Practitioner course. Taking the boot camp gives students the opportunity to see how the NIST Cybersecurity Framework applies at all levels of the organization: from the big picture and critical basis of understanding covered in Foundation, all the way through the nitty-gritty details of planning, implementation and improvement for cybersecurity in every area of an organization covered in Practitioner.
Don’t Be the Next Victim
With new cybersecurity breaches appearing almost daily it is important for organizations to be as secure as possible while still meeting the needs of their customers, partners and staff. Implementing the NIST Cybersecurity Framework will allow you to continue moving forward in a secure fashion while keeping your business running the way it was intended. You don’t want to be in the news as the next victim of a cybersecurity breach. Sign up today for one of our NIST Cybersecurity courses!