A lot of organizations start with a product or service and focus their efforts on developing it. At the beginning security might not be a major consideration. Or an established organization may want to improve their security posture due to the prevailing security situation, regulator/customer pressure or industry requirements.
Regardless of what your situation is, unless you start somewhere you will not have a security program. I shall discuss a few things to do when you are trying to get a security program going quickly.
- Identify your assets and issues: Know what assets you are trying to protect and where these assets are. You should do a risk assessment and get a list of issues that you need to address. This can be done either by internal staff or by using an external 3rd party. Get a penetration test and vulnerability assessment done. Also get a maturity assessment of your security program and the gaps. USe a framework such as the NIST Cyber Security Framework or the Center for Internet Security – Critical Securtiy Controls to map the controls and the gaps you have against these.
- Prioritize your list of issues/gaps:Rank the issues that you have identified according to priority. You would typically have the highest risk issues on top and go down the severity rating. You will have to take into account different factors while assigning priority such as the risk appetite, your exposure and business impact. Be wary of toxic combinations, where combinations of issues may result in a risk that might be more than the sum of the individual ones.
- Take some immediate action: You will most probably have some findings from your pentest or gap analysis that require immediate action. Maybe there is a gaping hole in your network that is vulnerable to exploit or maybe you are not securing your customers’ PII. Take care of the things that can have an immediate detrimental effect on your organization. You may have to light a fire with the stakeholders and impress upon them the urgency to act.
- Plan your medium and long term goals: Even as you are working on your immediate actions, you need to start thinking about your long term goals. This is where a framework can help by tracking the different areas that need remediation and also how mature each area is. You will need to break down the long term goals into smaller chunks of work and then put them on a roadmap.
- This will help you in identifying resource and funding requirements
- The roadmap will be critical in convincing senior management/board to approve resources and funds
- It will also give you tangible goals to track your progress against
- The most important is that everyone within the organization gets an opportunity to align and work towards a plan
It is important to note that fixing one or even a few vulnerabilites is not the goal here. Your desired end state is a mature process that is self-sustaining. Individual tasks may very over time, but what you need is a program where you constantly evaluate the cyber securtiy scenario, your assets, threats to your assets and keep adjusting your plans to stay on top of them.