BUILDING A SECURE FOUNDATION TO REDUCE CYBER RISK

Strategic approach to building a solid foundation

There are several best practices companies should adopt that will ease the selection and implementation of a security framework. The foundational controls in security frameworks give organizations a reusable, flexible base that can streamline compliance with other frameworks and regulations. Beyond this, however, the entire organization must be secured against pervasive threats that tend to grow in step with cyber exposure. This is where automating the operation, assessment, and reporting of these controls becomes critical to keeping them effective against those threats. Unfortunately, on average, organizations automate only 45% of foundational cyber security controls. While some administrative controls, such as training, may not require automation, the technical controls that monitor IT environments should gather and process data continuously to gauge conformance effectively. These activities produce far too much data to handle manually, and few organizations have the staff to dedicate fully to the task. The problem will only get worse: the non-profit information security advocacy group ISACA predicts a global shortage of 2 million cyber security professionals by 2019.

To ensure basic foundational security, organizations should adopt a foundational security solution that addresses the breadth of the IT environment. Such a solution must integrate with a wide range of tools and technologies to improve discovery, assessment, and analysis, and it helps overcome the challenges of implementing the controls, in part through automation. One of the primary challenges is that successful, sustainable adoption is often a multiyear project, so people need a logical way to get started and, most importantly, a way to prioritize each step. This is why a solid strategy matters.

Start simple.
There are significant benefits to a methodical approach. No organization can apply all controls at once. Incremental implementation addresses the most important aspects first and then builds on them. For instance, start with a subset of a business system, such as a CRM application, where critical customer data often resides. A single starting point lets the security team build an internal set of lessons learned that it can then apply to other business systems, and it establishes a foundation for applying subsequent controls. Although the goal is to have all of these controls operating concurrently, the reality is that full implementation takes time. Many companies use the prioritization in the CIS Controls to put together an implementation plan, and for good reason: the 20 CIS Controls are the result of industry practitioners working together to develop and maintain a best-practices-based approach to security. Following the process, with its sequential steps, helps organizations build on success.

Understand that ad-hoc tools alone do not yield success.

Relying solely on the latest tools can provide a false sense of security, causing teams to inadvertently create gaps or weaknesses. This is especially true when the technologies are not integrated with one another. For this reason, the initial focus should be selecting a framework to serve as a road map, and then implementing its controls to establish security fundamentals. Failing to adopt a framework hampers the organization's ability to grasp the big security picture. Proven templates help organizations avoid glaring gaps, and security frameworks guide the implementation of controls. A framework also gives security teams a vehicle for discussing risk and budget with executive management.
According to CreditSafe CISO Russ Kirby: "A framework facilitates an understanding of risk within the business, and those understandings allow you to identify the most critical projects that you must have."

"A great wealth of knowledge is created around a framework. Standardized tools that help with compliance and drive automation enable you to complete your programs more quickly. If you have a framework, your job is easier because when you create a map, you realize that 70 to 90% of the controls are common between various requirements." — Kalpesh Doshi, CISO, Capgemini

Seek expertise to assure successful implementation.

Companies need more than a technology vendor to build a secure foundation. The right solution partner should offer best practices and procedures that help define and document repeatable processes. A strategic partner also provides experts with a deep understanding of security controls, cyber risks, and the modern attack surface, who can offer mentorship and guidance, especially when IT staffs are stretched thin. Likewise, access to an ecosystem of technology partners allows easy integration across the IT environment.

In a world where cyber attacks are a growing problem and IT complexity continues to intensify, no organization can afford to ignore the importance of adopting, deploying, and maintaining a security platform capable of evolving in step with the ever-changing threat landscape. Security frameworks represent a proven pathway to a secure environment. To learn more about how enterprises around the world are benefiting from security frameworks, read the eBook, "The Economic, Strategic and Operational Benefits of Security Framework Adoption."

Tenable™, Inc. is the Cyber Exposure company. More than 23,000 organizations of all sizes around the globe rely on Tenable to manage and measure their modern attack surface to accurately understand and reduce cyber risk. As the creator of Nessus®, Tenable built its platform from the ground up to deeply understand assets, networks and vulnerabilities, extending this knowledge and expertise into Tenable.io™ to deliver the world's first platform to provide live visibility into any asset on any computing platform. Tenable customers include more than 50 percent of the Fortune 500, large government agencies and mid-sized organizations across the private and public sectors. For more information, visit: www.tenable.com