5 Pillars of a Cyber Security Strategy & Plan: a CISO’s Guide

Ted Milewicz
January 5, 2022

Why is a Cyber Security Strategy Plan Important?

A cyber security strategy offers a clear, detailed plan that standardizes security across the organization. It helps CISOs shift from reactive to proactive security, ensuring that they are ready and prepared to respond to various relevant threats.

A recent Ponemon Institute survey discovered that many organizations have yet to establish a proactive cyber security strategy:

  • 69% of respondents still implement a reactive and incident-driven security approach.
  • 56% of respondents admitted that their security does not cover all gaps, allowing threat actors to get past network defenses.
  • 40% of respondents do not monitor the security posture of the organization.

A cyber security strategy plan can help CISOs reduce the number of security gaps, extend their visibility into security threats, and help meet compliance requirements. The plan should help all stakeholders understand their cyber security roles and responsibilities, ensuring everyone contributes their part to improving the organization’s security posture.

1. Leverage Security Benchmarks and Compliance Standards

CISOs should not start from scratch when establishing their organization’s cyber security strategy. To get started, the CIO and CISO Councils created a CISO Handbook that lays out the best standards and approach towards cyber regulations. The CISO Handbook covers one of the most important frameworks for CISOs – the framework published by NIST (National Institute of Standards and Technology), an agency of the US Department of Commerce.

The NIST framework provides a roadmap for CISOs to get started with cyber security development and collaboration. Following the NIST framework will keep organizations aligned with PCI-DSS, HIPAA, and FISMA (to name a few of the most prominent). Those regulations govern how businesses protect data within a specific industry, whereas the NIST framework provides general guidelines that protect the business as a whole.

Some other frameworks that a CISO should be familiar with include:

  • ISO/IEC 27000 family – an international framework for managing information security management systems.
  • SOC 2 – security standards for service providers that store customer data in the cloud.
  • CIS v7 – prioritized controls that serve as a baseline for building security standards.
  • COBIT – an IT governance and management framework that complements a cyber security program.
  • FedRAMP – standards specifically for cloud services used by US government agencies.

2. Assess Cyber Security Maturity

CISOs must assess the maturity of their organization’s security posture. It is highly recommended to do this using a framework such as the NIST Cybersecurity Framework.

A standard framework can help CISOs assess their organization’s maturity in dozens of different categories, from strategy and governance to specific security technologies and incident response processes. The assessment should not be limited to traditional IT systems – it should also cover operational technology (OT), Internet of Things (IoT), and cyber-physical systems.

After performing the assessment, CISOs should determine where the organization should improve over the next three to five years. For example, if injection attacks are the main threat, then secure coding practices and application-layer security must be especially mature. If ransomware is a top concern, it’s important to ensure backup and recovery capabilities are mature.

3. Understand the Threat Landscape

Another important element of a security strategy is gaining a broad understanding of the threat landscape. To do this, a CISO must first understand the operating environment of the company. Who are the customers? What is the product? Who benefits from disrupting the business? The answers to these questions will help understand the threat landscape and adapt to the broader business environment.

It is a great idea to evaluate competitors – what threats do they face? Have they experienced security breaches? The threats competitors face are almost always the same threats that affect your own organization.

Another important aspect of threat analysis is to understand the attackers. Are they individual hackers, organized crime groups, or state-sponsored attackers? What kind of resources do they have? What motivates them? Knowing this will give CISOs an advantage in protecting the business from these threats.

4. Plan Employee Onboarding and Education

Last year’s Verizon Data Breach Investigations Report found that the second most common type of attack resulting in data disclosure was phishing. In the same report, 33% of attacks involved social engineering and 28% involved malware.

These numbers are alarmingly high, especially as more and more organizations store multiple data points on customers, including financials, contact information and passwords. High-privileged accounts are an attacker’s main target, as these accounts can be leveraged for massive exfiltration of valuable data.

Employee onboarding
To avoid unnecessary privileges and thwart potential phishing attacks, a CISO’s cyber security strategy plan should include an onboarding checklist that ensures tightened protocols for a new hire’s network access. The following isn’t an exhaustive list, but this checklist has several questions that could be useful when determining an onboarding permission process:

  • What department will the employee be working for?
  • What network resources does the employee need to access to perform their job functions?
  • Who is the employee’s direct manager?
  • Are extended privileges needed and for what job function?
  • Is physical access to any resource necessary?
  • If the hire is a transfer, what resources from the old position are no longer needed?

The last question covers onboarding an existing employee who is transferring to a new position. Privilege accumulation is another real issue for organizations. If your cyber security strategy does not include revoking privileges when an employee transfers, the accumulated permissions can be used by attackers to move laterally across the network. Some CISOs perform regular reviews of user permissions to identify unnecessary privileges that must be revoked, so that this issue doesn’t arise.
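The transfer check and the periodic permission review described above come down to the same reconciliation: compare what a person actually holds against what their current role justifies, and turn the difference into an explicit revoke/grant list. The following is an added example of that reconciliation, not code from the original article or from Hysolate; the role model, role names and entitlement names are constructed for illustration.

```python
# Added example (not from the original article): reconciling a user's accumulated
# entitlements against a role model, so a transfer or a periodic access review
# produces an explicit revoke/grant list instead of silently accumulating privileges.
from dataclasses import dataclass

# Constructed role model: the entitlements each job role legitimately needs.
# Role and entitlement names are hypothetical.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"vpn", "erp-read", "erp-post-journal"},
    "sales-rep": {"vpn", "crm-read", "crm-write"},
    "it-helpdesk": {"vpn", "ticketing", "workstation-admin"},
}


@dataclass
class User:
    name: str
    roles: set          # roles the person currently holds
    entitlements: set   # permissions actually provisioned (may have accumulated)


def required_entitlements(roles, role_model=ROLE_ENTITLEMENTS):
    """Union of everything the user's current roles justify.
    A role missing from the model justifies nothing: deny by default."""
    required = set()
    for role in roles:
        required |= role_model.get(role, set())
    return required


def review_user(user, role_model=ROLE_ENTITLEMENTS):
    """Return (excess, missing, unknown_roles) for one user.
    excess:        provisioned but not justified by any current role -> revoke
    missing:       justified by a role but not provisioned          -> grant
    unknown_roles: roles absent from the model                     -> needs a human decision
    """
    required = required_entitlements(user.roles, role_model)
    excess = user.entitlements - required
    missing = required - user.entitlements
    unknown = {r for r in user.roles if r not in role_model}
    return excess, missing, unknown


def transfer(user, new_roles, role_model=ROLE_ENTITLEMENTS):
    """Move a user to new roles and reconcile entitlements in the same step,
    so nothing from the old position survives by default."""
    user.roles = set(new_roles)
    excess, missing, unknown = review_user(user, role_model)
    user.entitlements = (user.entitlements - excess) | missing
    return excess, missing, unknown


def periodic_review(users, role_model=ROLE_ENTITLEMENTS):
    """Findings for a recurring access review: only users with something to fix."""
    findings = {}
    for u in users:
        excess, missing, unknown = review_user(u, role_model)
        if excess or missing or unknown:
            findings[u.name] = {
                "revoke": sorted(excess),
                "grant": sorted(missing),
                "unknown_roles": sorted(unknown),
            }
    return findings


if __name__ == "__main__":
    # Constructed sample: Alice moves from finance to sales. Besides her finance
    # rights she still holds a one-off "share-admin" grant nobody ever cleaned up.
    alice = User("alice", {"finance-analyst"},
                 {"vpn", "erp-read", "erp-post-journal", "share-admin"})
    print("transfer:", transfer(alice, ["sales-rep"]))
    print("after transfer:", sorted(alice.entitlements))
    print("periodic review:", periodic_review([alice]))
```

Treating unknown roles as justifying nothing is deliberate: a role that is not in the model shows up as a finding for a reviewer rather than as an implicit approval of whatever the user already holds.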

Moving on from password change policies
Another challenge for CISOs is how frequently users should change their passwords. Mandatory password changes are widely considered a dying concept. Keyloggers can be used to capture password changes and identify user behavior patterns to figure out passwords even after they’ve been changed. Password expiration rules will also need to be determined during onboarding strategy planning.

Employee education
It’s not always easy to change cyber security protocols within an existing organization. One goal that should be communicated to the organization is that short-term convenience will be replaced with long-term cyber security protection that reduces the risk of a massive data breach.

In addition to cyber security strategies, the CISO can launch training programs to empower users so that they can identify phishing and social engineering warning signs. User training has been shown to reduce click-through rates on phishing email links from 25% in 2012 to 3% in 2018, so it can be a critical component of a strong onboarding strategy.

5. Develop Security Policies

A CISO must establish an information security policy, as a core component of the overall security strategy. A security policy is a set of written practices and procedures that all employees must follow to ensure the confidentiality, integrity, and availability of data and resources (the so-called CIA triad).

Security policies describe what the business expects, how to meet those expectations, and the consequences of policy violations. It is common and advisable to break a security policy down into multiple smaller policies. This makes policies easier to manage and easier for users to understand.

Here are a few examples of security policies:

  • Workstation policy – how employees should secure their work-provided workstations. For example, using antivirus software, locking down the workstation when not in use, using strong passwords, and applying security updates.
  • Clean desk policy – how employees should treat their personal work area. This can also apply to remote employees. Employees must not place sensitive documents, or notes with passwords or confidential information, in plain sight.
  • Acceptable use policy – employees should be aware of the organization’s requirements in terms of allowed Internet browsing, appropriate use of email and social networks, and electronic transfer of sensitive information.
  • Remote access policy – how employees are allowed to remotely access corporate resources (via VPN, SSL VPN, or other technology), who is allowed to access corporate systems remotely, the devices they are allowed to use, and which systems or data can be accessed remotely.

To find out more about how CISOs can better secure access to sensitive data and systems, you can request a Hysolate demo here, or try out Hysolate Free for Sensitive Access for yourself.

Written in May 2020, updated for accuracy in January 2022.

Ted Milewicz

Ted is a Sr SE at Hysolate and brings over 25 years of experience in Enterprise Solutions & Professional Services. Before joining Hysolate, Ted spent 6 years building and leading the Professional Services organization at Bromium, managing top Fortune 500 deployments. Prior to Bromium, Ted spent 12 years in Professional Services managing and leading global technology projects worldwide in Life Sciences. Ted began his career in technology as a developer at Sapient, creating B2B and B2C sites (such as ETRADE.com and 100Flowers.com, among other popular e-commerce sites). Ted graduated with a BS degree in Computer Science from Rutgers University.