How to build a successful cyber defense program
Putting your business at risk while drowning in threats and vulnerabilities?
Recently I presented a webinar on the same topic as the title of this blog. While preparing for this webinar, I dove into the news to find recent stories of good cyber defense programs and of cyber defense programs that did not perform so well. Perhaps like many of you, I still get surprised every time a new security incident gets published and I realize what the impact on the business was. It is quite clear that in those cases, their cyber defense programs are not effective enough.
How could this happen? Why was the organization not aware of the respective risks, threats and vulnerabilities to their business? Or did they not have enough of the required resources to implement the mitigating measures or set the right priorities? To stay ahead of security incidents you need all relevant information in one single place at your fingertips, within the context of your business, to be able to decide which security risk to tackle first!
How to deal with the overflow of information
At Nasdaq we have seen how many CISOs struggle with the overflow of information coming from various sources such as asset discovery tools and vulnerability, intrusion, log file, and configuration scanners. Let's use a simple example with two business units. Finance and Purchasing have each classified an asset at a medium risk level. Both systems need to be patched, which will cost at least one day. Which system is going to be patched first? Additional information is needed. For example, it could be that the asset at the Finance department is used in an internet-facing business process and the asset from the Purchasing department is used for internal processes only. So the priority is clear. This is just one small example, but what if there are thousands of vulnerability scan results?
Information in the context of the business impact
At BWise, when we were designing our new Information Security software, we came to the conclusion that we need to convert this flow of data into usable information and put it in the context of the business impact that disruptions may have on certain IT systems, networks and applications. This allows a real-time view of the risk profile and determines priorities based on a blueprint of your organization, business objectives, processes, standards and regulatory requirements.
Simplicity is key
Another important part of the new BWise Information Security solution is the possibility to automatically select the requirements for the various assets of different types based on policy profiles and asset classifications. Assets need to be classified by determining their impact on the business combined with the threat and vulnerability data. The CISOs and asset owners can easily work together to test the implementation of the policies and risk identification, followed by monitoring risk mitigation or risk acceptance workflows: the dashboards and reports with these insights are available at your fingertips.
Worried about having to configure all these connections, standards, screens, workflows and reports? Worry no more! The BWise® InfoSec Solution comes out-of-the-box with connectors for scanners such as Nessus, Nexpose, Nexthink and Qualys; content including ISO27000, COBIT 5, NIST CSF and NESA; and pre-configured questionnaires and reports.
At the end of the day, firefighting is not a sustainable approach, but fire prevention requires a close relationship between the data from the business and the data from IT systems. Understanding the business requirements, including regulatory requirements, is key for a successful cyber defense program.
Want to learn more? Watch our video How to build a Cyber Defense Program.