Building Effective Cybersecurity Programs
eBook - ePub

Building Effective Cybersecurity Programs

A Security Manager's Handbook

  • 249 pages
  • English
  • ePUB (mobile friendly)
  • Available on iOS & Android

About this book

You know by now that your company could not survive without the Internet. Not in today's market. You are either part of the digital economy or reliant upon it. With critical information assets at risk, your company requires a state-of-the-art cybersecurity program. But how do you achieve the best possible program? Tari Schreider, in Building Effective Cybersecurity Programs: A Security Manager's Handbook, lays out the step-by-step roadmap to follow as you build or enhance your cybersecurity program.

Over 30+ years, Tari Schreider has designed and implemented cybersecurity programs throughout the world, helping hundreds of companies like yours. Building on that experience, he has created a clear roadmap that will allow the process to go more smoothly for you. Building Effective Cybersecurity Programs: A Security Manager's Handbook is organized around the six main steps on the roadmap that will put your cybersecurity program in place:

  • Design a Cybersecurity Program
  • Establish a Foundation of Governance
  • Build a Threat, Vulnerability Detection, and Intelligence Capability
  • Build a Cyber Risk Management Capability
  • Implement a Defense-in-Depth Strategy
  • Apply Service Management to Cybersecurity Programs

Because Schreider has researched and analyzed over 150 cybersecurity architectures, frameworks, and models, he has saved you hundreds of hours of research. He sets you up for success by talking to you directly as a friend and colleague, using practical examples. His book helps you to:

  • Identify the proper cybersecurity program roles and responsibilities.
  • Classify assets and identify vulnerabilities.
  • Define an effective cybersecurity governance foundation.
  • Evaluate the top governance frameworks and models.
  • Automate your governance program to make it more effective.
  • Integrate security into your application development process.
  • Apply defense-in-depth as a multi-dimensional strategy.
  • Implement a service management approach to implementing countermeasures.

With this handbook, you can move forward confidently, trusting that Schreider is recommending the best components of a cybersecurity program for you. In addition, the book provides hundreds of citations and references that allow you to dig deeper as you explore specific topics relevant to your organization or your studies.

Yes, you can access Building Effective Cybersecurity Programs by Tari Schreider, Kristen Noakes-Fry in PDF and/or ePUB format, as well as other popular books in Business & Insurance. We have over one million books available in our catalogue for you to explore.


Chapter 1

Designing a Cybersecurity Program

My experience has shown that most cybersecurity programs do not originate from a comprehensive design. Rather, they tend to evolve based on disparate opinions of stakeholders who often change strategies and approaches without considering or addressing fundamental design problems. Your organization’s success in defending against internal and external bad actors will hinge on the completeness of your cybersecurity program. As a manager involved in cybersecurity within your organization, how can you ensure that you have all the right pieces of cybersecurity in place to close any gaps that might serve as hidden passages of attack? The answer is to follow a prescriptive design approach that blends experience-based guidance with authoritatively sourced resources. Adopting this approach not only identifies the gaps, but it leads to the development of cyber-gates to block intruder passages.
Cybersecurity program design will require you to know a little something about systems architecture, including blueprints, frameworks, and models. This chapter allows you to go to the front of the line, bypassing years of training and working in the field. Your pass to the front of the design line comes from my sharing of approaches to designing cybersecurity programs that have served me well over the years.
This chapter will help you to:
  • Learn that investing the time and effort to properly design your cybersecurity program is essential to its success.
  • Create a properly structured cybersecurity program.
  • Leverage good practices to improve your cybersecurity program design.

1.1 Cybersecurity Program Design Methodology

Over the course of my career, I have either developed or assessed over one hundred comprehensive cybersecurity programs. Going by Malcolm Gladwell’s 10,000-hour rule, I qualify as an outlier on assessing cybersecurity programs. This experience has granted me the insight that there are certain common denominators of the most successful programs; these are the focus of the chapter. I will share with you the good practices I observed across the many cybersecurity projects I have been involved with. Depending on the size of your organization and scope of your program, you may wish to eliminate or combine some of the components I present. I begin with components that address the overall management of the cybersecurity program and end with components that address the daily management of program countermeasures. The order of the components is less important as each component operates in parallel with one another.

1.1.1 Need for a Design to Attract the Best Personnel

Cybersecurity programs rely on talented contributors and their retention. A properly organized program enables personnel to see how they contribute to the program’s vision and mission. To help you achieve the proper program structure, I provide what I believe is an ideal state blueprint. Trust me when I say that in today’s highly competitive cybersecurity jobs market, attracting and maintaining personnel will be a challenge. If you build a program that is disorganized and messy, it will be difficult for you to attract anyone to man the ship.
If you look at the various security architecture and design books available, most will be hundreds upon hundreds of pages that I know most of you simply do not have the time to read. This book is much different; it focuses on just what you need to know. This chapter sets your journey in motion by discussing the basic design considerations of building a cybersecurity program. When building anything, it is best to have a methodology to follow. Dozens of methodologies exist by many names, but their message is the same: There is a sequence to follow when building something if you want it done right. What I learned quickly was that unless you follow a design methodology, the results of your efforts will be unpredictable. For example, if you wait to align your program with the business, you risk facing an expensive program redo when your stakeholders inform you that you have managed only to create an inhibitor to their business. Cybersecurity program staffing and personnel issues are discussed in Chapter 6.

1.1.2 A Recommended Design Approach: ADDIOI Model™

After doing my first dozen or so programs, I realized that the approaches I had been using lacked an emphasis on services and processes. They aligned more with building a physical product. I needed an approach which would accommodate building something that was service oriented. Figure 1-1 is what I refer to as the ADDIOI Model™ (align, design, develop, implement, operate, and improve). It has proved quite useful over the years.
I arrived at my methodology by adopting phases of the ADDIE Model (analysis, design, development, implementation, and evaluation). ADDIE, originally developed in 1975 for the US Army by what was previously known as the Center for Educational Technology at Florida State University (Forest, 2014), provided about 80% of what I was looking for in clarifying my approach. ADDIE has been adopted and modified by hundreds of consulting companies throughout the world.
Starting with the ADDIE Model, I made subtle but important changes in constructing my ADDIOI Model (align, design, develop, implement, operate and improve) methodology. The first difference is that I declare analysis as a process within the align phase to emphasize alignment to the business from the start. I added operate as a phase to emphasize the design was oriented toward processes and services. While my phase that I call improve is the same as evaluate in the ADDIE Model, I named the phase improve to emphasize continuous service improvement and that action is required to correct inefficiencies. Figure 1-1 shows a representation of the ADDIOI Model’s phases as a continuous improvement circle.
Figure 1-1. ADDIOI Model™. (By Tari Schreider, licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License)

1.1.3 The Six Phases of the ADDIOI Model™

The phases of the model include:
  1. Align - This phase is where you identify your organization’s business goals and align them to the capabilities of the cybersecurity program. Always remember the business is your benefactor paying for all your cybersecurity gizmos, so alignment is crucial. You must show the value of your program by demonstrating how it reduces operational risk. A key outcome will be program design requirements. The align phase is an ongoing process and supports the improve phase.
  2. Design - This phase is what this chapter predominantly addresses - designing the structure of your cybersecurity program. Here you create your program blueprint to show stakeholders the vision of the final product and validate alignment to the business in a concrete manner. For example, if one of your business goals is to maintain regulatory compliance, compliance capability should be reflected in your design.
  3. Develop - This phase is where you configure and test the cybersecurity countermeasures called out within the design requirements. Development may also include creating or modifying application code to support cybersecurity countermeasures. For example, integrating an access authentication or single sign-on solution will require application integration. Countermeasure testing provides the basis to create experience-based implementation plans and acceptance criteria to move countermeasures from test to production. Information technology (IT) infrastructure is locked down (hardened) in this phase, making it resilient to cyberattack. Develop and customize are the primary activities of this phase.
  4. Implement - This phase is the execution of implementation plans to “go live” with your cybersecurity countermeasures developed in the previous phase. You should strive to create a culture of security with your training program, instilling the human firewall philosophy, your first line and many times your last line of defense. This is the phase where you will organize cybersecurity program staff around the program’s components. Onboarding security service providers occurs within this phase. Deployment and training are the primary activities of the implement phase.
  5. Operate - This phase is where the day-to-day management and operations of the cybersecurity countermeasures occur. This function is most commonly referred to as security operations (SecOps); security tools administration, threat monitoring, and the security service desk are located here as well. The service desk is an IT function that serves as a single point of contact for customers to resolve their computing or applications issues. Other parts of the cybersecurity program such as cyber threat intelligence may use security tools; however, SecOps generally handles their daily administration. Program sustainability is the primary focus of the operate phase.
  6. Improve - This phase is the process of continuous improvement. Most cybersecurity programs operate as a good practice, but moving to a best practice requires continuous improvement. I discuss the difference between good and best practices later in the chapter. Key performance metrics and regular assessments are used to baseline the program, and a maturity model is used to guide program improvem...

Table of contents

  1. Cover
  2. Title page
  3. Copyright
  4. Dedication
  5. Preface
  6. Introduction
  7. Foreword
  8. Chapter 1: Designing a Cybersecurity Program
  9. Chapter 2: Establishing a Foundation of Governance
  10. Chapter 3: Building a Cyber Threat, Vulnerability Detection, and Intelligence Capability
  11. Chapter 4: Building a Cyber Risk Management Capability
  12. Chapter 5: Implementing a Defense-in-Depth Strategy
  13. Chapter 6: Applying Service Management to Cybersecurity Programs
  14. Appendix A: Useful Checklists and Information
  15. Credits
  16. About the Author
  17. More From Rothstein Publishing