The key to successful security programs? Look to your business
Conducting security risk analysis is a challenge. Start with your business leaders, who can speak to their operations best.
The article explains how IT should move beyond siloed awareness campaigns and partner continuously with business leaders to sustain cybersecurity momentum year-round. It outlines a practical framework where risk analysis, governance, and self-assessment testing form a feedback loop that requires business input on priorities, acceptable use, and risk appetite to shape policies and controls. The piece also highlights DNS as a critical monitoring and control point—via DNS logging and policy enforcement—to give security operators visibility into device intent and manage network traffic effectively.
Why is it important for IT to involve business leaders in risk analysis?
Involving business leaders in risk analysis is important because they understand business operations, priorities, and the impact of outages or data loss in ways IT alone cannot. Business leaders can identify which systems are most critical, the real-world consequences of downtime, and which technologies the organization relies on, enabling IT to spot relevant vulnerabilities and prioritize remediation. The article stresses that IT should not attempt to answer these operational-impact questions alone; instead, risk analysis must combine IT’s technical knowledge with the business’s operational context to produce accurate, actionable risk assessments.
How should governance decisions, like blocking categories of websites, be made according to the article?
The article recommends that governance decisions be made through discussions with business leaders rather than unilaterally by IT. While security teams bring subject-matter expertise about threats and controls—such as blocking shopping, sports, gambling, or social media domains to reduce malware exposure—policies affect employee experience and operations. IT should facilitate conversations on acceptable use, appetite for risk, and organizational culture, presenting implications and alternative controls so leaders can decide what aligns with business objectives. This collaborative approach ensures policies are both secure and acceptable to the organization.
What role does DNS play in ongoing cybersecurity operations and testing?
DNS plays a dual role in cybersecurity operations as both a monitoring source and a control enforcement point. DNS logging provides visibility into successful and failed queries, capturing device intent across the network in a way many other telemetry sources cannot. Additionally, because devices must perform DNS lookups before accessing domains, DNS is a strategic first hop where policies can be applied to control traffic and block malicious domains. The article recommends leveraging DNS logging and DNS-based controls as part of continuous security monitoring and as tactical mechanisms for implementing governance and closing gaps identified by self-assessments.
Cybersecurity Awareness Month has come and gone. Hopefully you’ve used this opportunity to focus on end user awareness, roll out new capabilities, and interface with the business. Now how do you continue that momentum throughout the year?
The key is to deepen your engagement with the entire enterprise.
IT is no longer just an enabler; it is a driver. That means a siloed, sidelined IT organization is an antiquated notion. Business today calls for IT to lead and guide others. As technology shapes each area of the business, it becomes increasingly challenging for leaders to navigate. Here, IT can play the role of forest rangers who guide the business through the metaphorical woods.
Cybersecurity plays a large role in that. From stricter compliance requirements to more intelligent threats, no part of the business is immune to any security risk. And above all, the costs of a breach are too high.
As your attention shifts away from awareness campaigns, work alongside your business leaders to keep cybersecurity top of their mind and run your security programs successfully.
Risk analysis, governance, and self assessment testing work together as a feedback loop for cybersecurity. Each is a program you should be running year-round. But how is the business involved in these security programs?
Leaning on your leaders to answer the burning questions
In the areas of risk analysis and governance, an understanding of the business operations and their objectives is mandatory. (Remember, IT cannot operate in a silo.) Conducting security risk analysis is a challenge if you’re not versed in the business. Frankly, how can you spot the vulnerabilities if you don’t know where to look?
Start with your business leaders, who can speak to their operations best. Where you understand the information systems and assets, the business knows the impact and effects of any risk to their operations. These are questions they should answer for you. Do not attempt to answer them on your own.
- What are the most critical parts of your business?
- What are the consequences of any downtime or outages?
- What technologies does your business absolutely rely on?
Governance for cybersecurity takes many forms: policies, procedures, standards, compliance, culture. As subject matter experts, your knowledge in best practices, tools, and controls is most valuable here. But again, policies and standards cannot be created on your knowledge alone.
Rethinking governance through conversations with the business
Unlike risk analysis, governance actively shapes how a business operates and influences how employees feel about their employer. For example, the concept of least privilege means end users only have access and rights to the resources they absolutely need to perform their job.
A business can implement a policy to block access to all shopping, sports, gambling, and social media websites for users who do not need them for their job. From the cybersecurity perspective, hackers target popular websites and use them to host and deliver malware. Naturally, blocking domains is the solution, but a business may receive backlash from users who see this as unnecessarily restrictive.
As a security professional, you can facilitate a discussion about acceptable use with leaders to determine if a decision like this is appropriate for your business. It cannot be a decision made independently. Guiding the business through the possible implications or identifying alternative controls are insights only you can provide. Cybersecurity professionals are the subject matter experts and need to be business partners for governance.
These are some preliminary questions you can pose to the business. They will help the leaders think about security differently and help you understand the type of organization you have.
- What is acceptable use of technology?
- What is the appetite for risk?
- What cybersecurity culture do you want to create?
Bridging the gaps identified through self assessments
Self assessment testing is another area where working with the business is valuable. Testing should be based on governance and on information gathered from the risk analysis. The results should show where you are, compared to where you want to be. Bridging that gap is a joint endeavor.
Awareness and education programs are part of closing some gaps identified through self assessments. At the same time, these tactics have become tired over time. Remember to partner with the business here to understand how to engage with their units more effectively. Instead of a presentation or email communication, consider some of these options:
- User-created testing: Challenge non-IT folks to create phishing emails (with the help of IT). Prizes go to the most effective campaign and to the employees who report it.
- Find opportunities to gamify: Testing your security controls, identifying vulnerabilities, or assessing knowledge can all be made into games.
- Report on progress: Have your awareness campaigns been a hit? Then share it with everyone and celebrate that success.
How DNS helps you
For cybersecurity operations of any maturity, being able to monitor your network is necessary. DNS is one of the most effective ways to monitor network traffic. Through DNS logging, security operators have visibility into all successful and failed queries. This data captures the intent of each device on the network in a way other telemetry sources cannot.
Implementing controls through DNS is another effective way security operators can leverage DNS. Before a device can reach a domain, it must first ask a DNS server to resolve that domain, revealing where it wants to go. That first hop onto the network is a strategic point where network traffic can be controlled, such as by applying policies.
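As an added example (not code from the article or its publisher), the following ties the two ideas together: the category-based acceptable-use policy discussed under governance, enforced at the DNS first hop, and a monitoring summary built from DNS logs, including failed lookups. The log lines, domain categories, client subnets and group policy are all constructed for illustration.

```python
# Added example, not from the article: a DNS-layer acceptable-use policy
# and a monitoring summary over constructed resolver log lines.
from collections import Counter
# Constructed log lines: time client query rcode
SAMPLE_LOG = """\
10:01:02 10.0.1.15 shop.example-store.com NOERROR
10:01:09 10.0.2.40 social.example-net.com NOERROR
10:01:11 10.0.1.15 social.example-net.com NOERROR
10:01:14 10.0.1.15 zq8f3k.example-bad.net NXDOMAIN
10:01:15 10.0.1.15 p0x1m2.example-bad.net NXDOMAIN
10:01:20 10.0.2.40 intranet.corp.example NOERROR
"""

# Constructed category list keyed by domain suffix.
CATEGORIES = {"example-store.com": "shopping", "example-net.com": "social"}
# Constructed policy agreed with the business: subnet -> group,
# group -> categories that group may reach. Staff get none of them.
CLIENT_GROUPS = {"10.0.1.": "staff", "10.0.2.": "marketing"}
ALLOWED = {"staff": set(), "marketing": {"social"}}

def parse_line(line):
    """Return (time, client, name, rcode) from one log line."""
    time, client, name, rcode = line.split()
    return time, client, name.lower().rstrip("."), rcode

def categorize(name):
    """Suffix match against the category list; '' when unknown."""
    for suffix, cat in CATEGORIES.items():
        if name == suffix or name.endswith("." + suffix):
            return cat
    return ""

def decide(client, name):
    """'block' when the client's group may not reach the name's category."""
    group = next((g for p, g in CLIENT_GROUPS.items()
                  if client.startswith(p)), "default")
    cat = categorize(name)
    # Uncategorised names are allowed but still logged for review.
    return "allow" if not cat or cat in ALLOWED.get(group, set()) else "block"

def summarize(log):
    """Blocks per client and failed (NXDOMAIN) lookups per client."""
    blocks, failed = Counter(), Counter()
    for line in log.splitlines():
        _, client, name, rcode = parse_line(line)
        if rcode == "NXDOMAIN":
            failed[client] += 1  # failed lookups are signal, not noise
        elif decide(client, name) == "block":
            blocks[client] += 1
    return {"blocked": dict(blocks), "nxdomain": dict(failed)}
```

Running `summarize(SAMPLE_LOG)` shows one client both hitting blocked categories and generating repeated NXDOMAIN responses, which is the kind of per-device picture the text says DNS logging uniquely provides.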
To learn how you can leverage DNS in your cybersecurity operations, check out our eBook “DNS in the Cybersecurity Stack.”