Picture it: A righteous insider cracks the code of an evil corporation; a silver bullet product thwarts the most brilliant hacker; a superhero network operator notices a blip on the wire and prevents catastrophe. It’s easy for most enterprises to get sucked into unrealistic narratives like these when thinking about cybersecurity.
The reality is somehow both less exciting, and higher-stakes: Most enterprise cybersecurity practices wouldn’t make it into a blockbuster movie but they’re crucial to keeping key assets protected. Cybersecurity requires a long view and careful persistence. While there’s no easy fix, there are a few things your enterprise can do to get ahead in the security game—and stay there.
Identify Your Most Crucial Risks
Security is an overloaded term. It can mean many things, and one size definitely does not fit all. Depending on the context, “cybersecurity” could cover anything from fundamental concepts (integrity, authentication, privacy) to general fields of work (network security, information assurance, disaster recovery) to specific kinds of attacks (data exfiltration or denial of service) to practices and products around any of the above.
But it’s crucial to get real about your enterprise’s particular needs and practices. Cybersecurity is an incredibly lopsided game: A single point of weakness is all a determined, well-funded attacker needs in order to win. And since it’s impossible for any enterprise to be completely perfect, things can feel pretty grim.
Of course, your enterprise doesn’t actually need to be completely perfect. Contrary to popular belief, attackers aren’t omnipresent and indiscriminate and are often both resource-constrained and focused on a particular goal. So when determining your enterprise’s cybersecurity needs, it’s imperative to think about its individual risk profile: What are the goals and resource levels of a likely attacker? What degree of protection do you need, and where do you need it, to stop them?
Do you barely touch any user data? You can forget protections aimed at companies for whom it’s central. Is top-secret IP vital to your success? You’ll want to focus on protecting that more than other things. Does everything hinge on the integrity of a single workflow? There’s the place to spend your effort.
This process of determining your enterprise’s most important assets, and how to protect them, is called a “crown jewel analysis.” You can make them as procedural and complicated as you like, carry them out entirely internally or with the help of an outside contractor. For the purposes of this column, let’s focus on the high-level goals of such an analysis instead. Step through the following exercises, and you’ll be in good shape:
Identify the key processes or data your company couldn’t do without.
Make a quick list of the critical security property(ies) you think each one needs: Integrity, confidentiality, authentication, availability.
For each property you’ve written down, ask why you think that property is critical for this asset. Then ask “why?” again, four more times. This “five whys” technique helps you drill down either to the core reason you need a protection, or to the realization that you don’t actually need it after all. Eliminate the key items or properties that aren’t truly crucial.
Now, step backward and think about the things upon which your key assets rely. Do these dependencies result in any additional needs to consider?
Once you have a complete list of protections you need for key assets, identify the mechanisms providing them.
There’s a good chance you’ll have at least a few gaps in your protection or guarantees. These gaps form your top risk priorities. For each one, work within the planning process for your enterprise to identify next steps, timelines, resourcing, etc.
If you go one step further and rank the identified priorities, you’ve given yourself a clear backlog of security tasks. This turns your cybersecurity concerns from nebulous worries to crisp next steps. (And goes a long way toward ensuring your organization is prepared.)
Follow Best Practices
Best practices aren’t the most exciting topic, but following them is a huge piece of any smart security strategy.
That’s because at the end of the day, cybersecurity comes down to economics. All of the save-the-day-brilliant geniuses in the world won’t help you if your company is the least expensive one to attack. Consider two enterprises: Company A has a crack team of 5 cybersecurity experts doing some custom, advanced monitoring but allows each group to manage their own patching and often has lots of out-of-date systems on their corporate network; Company B uses standard monitoring tools but pushes fresh patches to every machine on their network daily (and makes sure, with regular scanning, that they know exactly what machines are on their corporate network). Which do you think is the more attractive target for your standard attacker?
Security-smart organizations use best practices to drive up an attacker’s costs (and hence encourage them to go elsewhere.)
There is a bewildering collection of buzzwords around security best practices—and plenty of companies to sell you tools implementing them. In fact, there are so many commercial options it’s hard to act on them all. However, having a risk assessment cuts through the clutter. Your internal security team will be able to identify and prioritize the most crucial procedures and products for your enterprise.
All companies need robust capabilities in these main areas:
Network security configuration,
Identity and access management,
System configuration and updates
Add those protections critical to your risk assessment, and you’ve got a great place to focus your efforts. Now, prioritize the resources to make it happen.
When I was starting my own small business, for example, I knew I had a fairly low-risk profile. My core products had nothing to do with security, my audience was likely to be tiny, and I didn’t store gobs of personally-identifiable data. Following basic best practices for cybersecurity was sufficient for my level of risk.
For businesses like mine, an easy way to follow lots of best practices at once is to use a cloud-native environment for your applications. This let me hire out everything on my core security checklist for a small set of monthly fees. Our platform service provided secure system configuration, patching, and basic secret-handling hygiene; we purchased additional logging, analytics, and security monitoring services; we got basic DDoS protection from our content delivery network. As a bonus, choosing to run my custom Django app in a cloud-native environment also allowed me to spend my time on my core business offerings instead of maintaining infrastructure.
Honestly, I had things pretty easy. But even for larger businesses with increased risk, the virtualization present in a cloud-native infrastructure offers an important boost to best practices. System separation, automated security configuration management, and ephemeral environments are all great examples of the inherent security capabilities of virtualized systems. (For more on these topics, check out the Three Rs.)
For sophisticated organizations with unusually high-risk profiles, customized virtual environments can form the basis of even more advanced monitoring capabilities. But truly moving beyond industry best practices requires organizations to do one further thing:
Get A Little Agile In Your Security Thinking
Typically, an organization’s security groups are used as late-stage gatekeepers acting as the final line of defense ensuring an enterprise’s safety. Products that don’t pass review get delayed. Late-stage mitigations are typically much more costly than different design choices. The whole process of interacting with the security group can be frustrating enough that business units try to avoid doing so altogether.
But there is a different way. Start by empathizing with your security team a bit. Nobody wants to spend their workday saying “no” to progress! The enterprise has tasked them with protecting against a constantly-expanding set of attacks. They’re rewarded for a lack of incidents, and incentivized to err on the side of safety.
Bring your security team into your development processes from the start. This will reduce both wasted work and risk. What’s more, this approach is effective for more than just low-level product teams. You can transform the way you work with your security team at all levels of an organization:
At the senior leadership level, pull your Chief Security Officer into new business opportunities. They’ll be able to identify systemic and/or market-based risks early on. This can keep you honest about potential costs, and start everyone thinking early about necessary protections as new capabilities are developed.
Within an individual portfolio, architects and senior managers can work with security personnel to identify ahead of time which certification and accreditation requirements will need to be met. Bringing your assessor in early ensures they understand your security protections from the ground up. (They may even help you design some.) Your security practices will be cheaper to include and more effective—and the assessment itself will go much more smoothly.
At the product level, there’s an increasingly robust set of automated security practices that developers and product managers can work into their daily routine. Basic secure coding practices are a great start. There are lots of other great options: Include security-specific tests in your test-driven-development cycle to help preserve security guarantees through code changes. Build predictable and repeatable continuous integration/continuous deployment pipelines to identify unexpected consequences early enough to fix them easily. Make tools that automatically produce documentation for future audits or assessments. The list goes on.
Wherever you are in your organization, leverage your security team’s creativity by engaging them from initial design all the way through product release. Doing so reaps huge dividends in eliminated risk and waste. And as a bonus, by working closely with your security team, others in your organization will pick up a little of the “security way of thinking”, too.
You Don’t Need To Be Perfect
I’m not going to lie. Cybersecurity for the enterprise can seem complex and downright grim. There’s intense pressure to be perfect—which is impossible; intense pressure to treat everything in your organization as a crown jewel which is unlikely; and intense pressure to focus on the unrealistic-but-exciting scenarios instead of making sure the machines on your network are patched. (Guess which practice will actually help you.)
But here’s the good news: At the heart of it, you don’t need to be perfect to win the cybersecurity economics game. You just need to be more expensive to attack than most of your peers. And that’s a far easier problem to solve. My advice is to:
Carry out a realistic risk assessment: Identify your most crucial corporate assets and their core security requirements. Ruthlessly check your assumptions.
Take a thoughtful approach to best practices: In addition to addressing your core risks, carefully configure (and patch!) your systems and network. Use best practices around identity and access management. Monitor well so that you know when something’s gone wrong (and have a procedure in place for when it does).
Talk to your security team early and often: Use your cybersecurity team’s creativity to identify problems and develop mitigations throughout your product lifecycle. This keeps your enterprise safe in the smoothest, least-expensive way possible.
If you’ve identified your organization’s points of highest concern, you have a handle on best practices, and you’re using your security team proactively? You’ve got an incredible advantage in a very tough game.
About the AuthorMore Content by Amy Herzog