Wednesday, October 4, 2017

Raise the level of your cyber team with sound fundamentals


Michael Jordan is not usually cited as an authority on Information Security, but few will question his standing as a leading authority on team sports. As a player, Jordan was famous for spectacular dunks in which he seemed to float across the key, and for a fade-away jumper that always seemed to find the basket. There is no doubt, however, that it was his consistency with the fundamentals, and his teamwork, that put him in a position to make the spectacular plays we remember. There is also little doubt that Information Security is a team sport.

In basketball, the fundamentals are grouped into offensive, defensive and ball-handling skills. Shooting a layup or a foul shot, boxing out or blocking a shot, dribbling and passing: these are the skills of a winning team. In cyber security, sound execution of the fundamentals in three areas, Policies & Procedures, People and Products, is the key to a winning team.

Policy and procedures

Technical people frequently mistrust and underestimate policy and procedure as effective controls, but without them even the most skilled technical team is flying blind. These documents are the foundation of any program. They set priorities and expectations, and they foster consistent, repeatable results. To be effective, policies and procedures need the participation and support of the entire team, from the top levels of management down.

Key policies for any organization should include:

·       Security and Risk Management policies to define the rules.
·       Acceptable Use Policies and Rules of Behavior to communicate the expected code of conduct.
·       Communications policies and procedures to ensure that all team members understand how authentic information is distributed throughout the organization.
·       Change and configuration management policies to ensure that changes and additions to a system are validated, introduced in a controlled manner, and documented so that they can be repeated at a later date.

One need look no further than your favorite news outlet to see the importance of comprehensive patch management and hardening procedures. From WannaCry to this week's congressional hearings on the Equifax breach, ineffective systems patching has been a consistent theme; in both cases the vendor patch had been available for roughly two months before the compromise.

Comprehensive incident response plans detailing who needs to do what are critical in any response. Even more important, knowing your legal and regulatory obligations in an incident or data breach, as well as who needs to be notified, is essential.

When building a program, this is definitely an area where perfect is the enemy of good! These plans need to be living documents that adapt and grow as your organization's needs evolve. Don't wait for perfection. Use templates so that every author includes key information such as definitions of terms, roles and responsibilities, and a framework to de-conflict competing priorities.

People

The next family of controls focuses on people, both internal and external to your organization. There is little doubt that one of the most important concerns in this control family is "Be careful who you trust". This concern extends to your partners and service providers as well. It does your organization no good to run exhaustive reference and background checks on employees if those employees then grant unvetted service providers carte blanche access to systems or data. It is equally important to take steps such as multi-factor authentication to ensure that people are who they claim to be.

Every organization has that one user who will click on anything. Training at all levels is one of the most effective preventive controls in your arsenal. Whether training your technical staff or instructing your user base in basic cyber awareness, training has the capability to stop an incident before it occurs.

Another important facet of training is exercises. Whether performing a system recovery exercise with your technical staff or conducting a phishing exercise for your users, don't wait for an actual incident to find out whether your incident response or system recovery procedures work. Over the years my organization has conducted everything from table-top exercises to live recovery drills. We have improved our knowledge, systems and processes with every single one of them!

Products

Thanks to the marketing budgets of product manufacturers, the last control family is often the first many consider. The show floors of every conference, the targeted advertising accompanying every web session and the advertising in every published magazine push products offering "industry leading" solutions "guaranteed" to protect our enterprises from the myriad threats and vulnerabilities plaguing our organizations. The truth is, there are no silver bullets that will send our cyber nightmares to the netherworld.

I am not advocating for a product-free existence, but to be effective, the products in our security arsenal should support our policies and procedures and provide efficiency and risk mitigation for the ever-increasing scope of our cyber programs. In his keynote speech at this year's RSA Conference in San Francisco, RSA's Chief Technology Officer, Zulfikar Ramzan, advocated that organizations consolidate and minimize the number of vendors and products used to secure their environments. This is a remarkable statement from the CTO of one of the leading providers of cyber security products, but the truth is that each product in your portfolio requires resources to administer and monitor it. As we add more and more products in the name of security, our limited resources are stretched thinner and thinner, and the attention each product demands can easily overwhelm our ability to execute the fundamentals. As a result, our overall programs become ineffective. The Agile ethos of "minimizing work in progress" is really about allowing people to focus on the tasks that deliver value to the organization.

It’s all about the team

One defining trait of championship teams and winning players is that they never stop practicing and looking to get better at the simple things, the fundamentals. As your organization develops, make certain that it does not overlook them either. In this post I presented these skill sets in a specific order for a reason: each builds on what came before. People learn and implement the policies and procedures; products provide the efficiency needed to get the tasks done. The lessons learned by the people through exercises and experience with the products need to be brought back to the policies and procedures to update and improve them.

To paraphrase another luminary on the subject of winning teams, the key to winning is fundamentals, and the occasional three-run homer never hurts!

"The key to winning baseball games is pitching, fundamentals, and three run homers."
Earl Weaver

