What steps are required to implement an effective cybersecurity program? Members focused on that question and other security-related issues during a recent WebForum.
We started by clarifying the differences between the types of security that IT typically handles and discussed the difficulties of implementing a truly effective cybersecurity approach:
o Information Security (InfoSec) involves ensuring that data in any form is kept secure.
o Cybersecurity is a subset of InfoSec and it involves the protection of data found in digital form.
o Network security is a subset of cybersecurity. It involves the protection of data sent via network devices to ensure it is not changed or intercepted.
Mary W.: “Cyberspace and the physical world are totally different. Laws, policy and practices are not fully developed.”
There was a robust discussion on the key aspects of an effective cybersecurity program:
• Implement network segmentation and apply firewalls
• Use secure remote access methods
• Establish role-based access controls
• Verify user identities with strong passwords and MFA
• Implement necessary patches and updates
• Implement A/V, IDS and IPS
• Develop/enforce mobile device policies
• Develop an Incident Response Plan
• Implement user training and involve executives in security planning
Miro Z.: “One of the first things that you should do is make sure you know where your data is so you can apply the appropriate controls listed in the slide appropriately.”
Jason N.: “I would add having a log correlation solution or SIEM tool.” (Security Information and Event Management)
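To make the log correlation Jason N. mentions concrete, here is an added example written for this summary; it is not code from any member or from any SIEM product named in the discussion. It assumes a constructed, sshd-style authentication log format and arbitrary thresholds (five failures in five minutes, three distinct users), and applies two correlation rules a SIEM would typically carry: a successful login preceded by a burst of failures from the same source, and one source failing against many accounts.

```python
"""Minimal log correlation over constructed auth records (hypothetical format)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; the format is assumed, not taken from a real product.
SAMPLE_LOGS = """\
2024-03-01T08:00:01Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T08:00:03Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T08:00:05Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T08:00:07Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T08:00:09Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T08:00:12Z auth sshd: Accepted password for alice from 203.0.113.7
2024-03-01T08:10:00Z auth sshd: Failed password for bob from 198.51.100.9
2024-03-01T08:10:02Z auth sshd: Failed password for carol from 198.51.100.9
2024-03-01T08:10:04Z auth sshd: Failed password for dave from 198.51.100.9
2024-03-01T08:10:06Z auth sshd: Failed password for erin from 198.51.100.9
2024-03-01T08:20:00Z auth sshd: Accepted password for bob from 192.0.2.5
this line is not an auth record and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def correlate(lines, window=timedelta(minutes=5), fail_threshold=5, spray_users=3):
    """Apply two correlation rules and return the alerts raised, in log order.

    brute_force_success: an accepted login from a source that produced at least
        fail_threshold failures inside the preceding window.
    password_spray: one source failing against at least spray_users distinct
        accounts inside the window (reported once per source).
    """
    failures = defaultdict(deque)  # src -> deque of (ts, user) inside the window
    sprayed = set()                # sources already reported for spraying
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip rather than crash the pipeline
        q = failures[ev["src"]]
        # Expire failures that fell out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append((ev["ts"], ev["user"]))
            users = {u for _, u in q}
            if len(users) >= spray_users and ev["src"] not in sprayed:
                sprayed.add(ev["src"])
                alerts.append({"rule": "password_spray", "src": ev["src"],
                               "users": sorted(users), "ts": ev["ts"]})
        else:
            if len(q) >= fail_threshold:
                alerts.append({"rule": "brute_force_success", "src": ev["src"],
                               "user": ev["user"], "failures": len(q), "ts": ev["ts"]})
            q.clear()  # a success resets the failure history for that source
    return alerts


def run_demo():
    """Correlate the constructed sample and return the alerts."""
    return correlate(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the sample above the first rule fires once for 203.0.113.7 (five failures, then an accepted login for alice) and the second fires once for 198.51.100.9 (failures against bob, carol and dave), while the lone successful login from 192.0.2.5 raises nothing. The point for a program plan is less the thresholds than the staffing Vince R. raises later: each alert only matters if someone is assigned to triage it.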
Mary W.: “An incident response plan could be more in-depth and go as far as a Cyber Attack Response Plan.” (CARP)
User training was discussed at length with several tools recommended.
Matt R.: “We just started using KnowBe4 for security awareness training and phishing tests.”
Brian W.: “We have used ‘Securing the Human’ and KnowBe4. We also work with HR so that there are ramifications for repeated failures on our phishing tests.”
PJ.: “KnowBe4 is very good and I prefer it over SANS ‘Securing the Human’.”
Brian W.: “IT drafted a letter that our owner sent out that everyone is responsible to secure our future.”
Another hot topic involved the percent of budget devoted to security and staff levels.
Rob W.: “I expect it to increase. We are proposing just about everything that you recommended at the start of this topic.”
Member Advisor Dave from Ohio said his organization is working with a security consulting firm rather than hiring a Chief Information Security Officer (CISO). They are using a company called SecureState which he says keeps him abreast of the latest threats and is much less costly than a full-time CISO.
Vince R.: “In general, if you buy applications (SIEM, IDS, etc.) without staffing them adequately, you are throwing money down the drain. Security services are a very good use of funds as you tend to get greater bang for the buck, as you've just heard from Dave. If you hire just a CISO, you still have to hire the action - staff that actually carries out the guidance from the CISO.”
Joe M.: “We have a similar service with Integrity in the Des Moines, IA area.”