CISO Forum Summary – Establishing a Baseline in your Security Program
Every month, Fortify Experts holds CISO Round Tables discussing the latest trends and topics. Recently, we discussed the best practices around establishing a baseline for your security program.
Frameworks for establishing a baseline in your program:
- Leaders should establish a baseline on a Risk Management Framework (RMF) such as the NIST controls.
- NIST has 260 controls at its top level, which is required by the DoD and other Federal Agencies.
- NIST has also established a Cybersecurity Framework for industries that fall under Critical Infrastructure; those NIST guidelines include only 160 of the 260 controls.
- Therefore, if NIST is the RMF for Critical Infrastructure, the 100 controls NOT implemented could be attack vectors.
- Another framework is FFIEC, which is designed for the financial industry. While it is not 100% cyber focused, it has many cyber controls built into it.
- There are several other, more proprietary frameworks such as HITRUST, which is designed for the Health Care industry, is based on NIST, and adds a layer of HIPAA controls on top of it.
Challenges with Establishing a Baseline
- NIST is more of a guideline than a black-and-white "do this or that" standard. It therefore leaves room for interpretation and can lead to disagreements about how it should be applied or implemented.
- Some try to box answers into Yes, No or Does Not Apply, which may not work as well in a large enterprise: one area or business unit may implement a control well while a different unit may not. Answers may therefore need more depth.
- Self-assessments can be skewed and do not carry much weight.
- Managing all of the framework controls data (e.g. status, maturity, documentation, procedures, exceptions, etc.) is a major challenge. Most of the leaders were managing this in spreadsheets.
Assessing a Baseline on Employees:
- Since 80-90% of all attacks come through email, using a phishing simulation tool (e.g. KnowBe4 or PhishMe) to assess cyber awareness is highly effective. One CISO lowered his phishing click rate from 22% down to 1% in one year.
- Employee awareness is often benchmarked only on phishing results. However, with today's remote workforce, it requires a much larger scope. Employees need to be trained on data security: exfiltration through Dropbox and other shadow IT, BYOD acceptable use, personal email access on corporate devices, home network and Wi-Fi settings, USB use, the ability to print, connecting to public Wi-Fi, etc.
- Employee cyber safety knowledge needs to be assessed and measured holistically to know where training requirements need to be focused.
“Security is everyone’s responsibility, but not everyone knows their responsibility.”
- Development Staff – To raise the secure coding awareness of developers, one CISO creates competitions between development groups to find vulnerabilities in each other's code, then rewards the team with the most secure code. This teaches both teams what to look for and how to code more securely.
- Tech Staff – One CISO creates Capture the Flag events for all tech staff – Infrastructure, Privileged Access team, QA, Developers – anyone can participate. These events teach them how to break code and how to secure code, and even identify potential new hires for the security team.
Assessing a Baseline for Vendors:
- It is typically a painful experience to vet vendors to validate their maturity.
- Need to know:
  - Who filled out the form
  - Who is ultimately responsible for the program
  - Their contact information, to validate answers and listen for competency
- A good competency measurement is whether they conduct regular internal and external vulnerability tests.
Tools & Technology that Help:
- https://csf.tools/ is the NIST Cybersecurity Framework (CSF) tool.
- Diligence (acquired Steel & Galvanize) – Integrated GRC SaaS solution
- Privva (acquired by Entreda) – Integrated GRC solution for regulated industries
- SecurityStudio – Maturity Assessment tool for NIST, HIPAA, CMMC, FFIEC. Also automates the assessing of security maturity for Employee and Vendors.
- Riskrecon – Vendor risk assessment tool.
Other Best Practices:
- Think about each control with the following levels of maturity:
- Assessments should be done by third parties to create an objective lens.
- Partner with audit. Point them to the problem areas to create visibility, which can then be used to gain support.
- Be consistent. Reassess every 12 to 24 months with the same vendor to track improvements and gaps.
- Track who owns each control and who is responsible for implementing it fully. If someone leaves, ownership needs to be transferred.
Thanks to the security leaders who joined our CISO Forum and provided such insightful advice on how to establish a baseline for your security program.
If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.
About Tim Howard
Tim Howard is the founder of 4 technology firms including Fortify Experts which helps companies hire the Best Cyber Talent on the Planet as well as provides expert consulting and NIST-based security assessments.
In addition, he has a passion for helping CISOs develop Higher Performing Teams through coaching, by creating interactive CISO Forums, and by helping them create highly-effective team cultures.
With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.
He also teamed up with Lyndrel Downs to launch Cybersecurity DIVAS to help promote the most influential women in cybersecurity and provide a mentoring program to help encourage and support more diversity within the industry.
Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University.
Invite Tim to connect: www.linkedin.com/in/timhoward