Developing a Cybersecurity Roadmap: How to Plan for Success

Jul 30, 2024

Introduction

  • Moderator: Shannon Lane
  • Topic: Developing a cybersecurity roadmap
  • Key elements: Compliance and risk posture, policy framework, detect/respond to vulnerabilities, resiliency and recovery

Speaker: Mark Hoffman

  • Role: Chief Technology Officer at Shearwater Solutions
  • Experience: 25+ years in ICT security (private industry and government)
  • Credentials: SANS Institute instructor, numerous certifications, publications, international lecturer

Key Topics Covered

Typical Executive Questions

  1. Are we compliant?
  2. Are we secure?
  3. Are we more secure compared to last year?
  4. What are we doing in case of a breach or an attack?

Understanding Compliance vs. Security

  • Compliance: Can be compliant but not necessarily secure
  • Security: May have good practices but poor documentation (not compliant)
  • Consistency: Security and operational procedures stay largely the same, while attack vectors change constantly

Challenges in Measuring Security

  • The landscape and threats evolve, making yearly comparisons difficult
  • Importance of understanding the intent behind executive questions

Subtext of Executive Questions

  • Compliance: Meeting/exceeding standards, continuous adherence
  • Security: Understanding risks, protecting key assets
  • Yearly Security Progress: Adapting to new threats and improvements made
  • Incident Handling: Past incidents, responses, lessons learned, and changes made

Characteristics of Good Security

  1. Proactive: Moving from reactive to proactive security measures
  2. Unobtrusive: Security that enables business without becoming an obstacle
  3. Right Coverage: Properly configured tools and technologies
  4. Risk Management: Understanding and minimizing risks in a cost-effective manner
  5. Visibility and Response Capability: Monitoring and responding to threats in real-time
  6. Repeatability and Documentation: Solving problems once, maintaining procedures, and documenting everything

Functions of Security

  1. Risk and Compliance: Identifying assets and assessing risks
  2. Security Architecture and Design: Engaging with the business, defining security services
  3. Security Administration: Managing user access and regular reviews
  4. Security Operations: Detecting, responding to, and analyzing threats

Maturity Levels in Cybersecurity

  • Non-existent: Basic or no security controls (firewall, AV)
  • Immature: Some policies, basic security controls, no clear plan
  • Doing Our Best: Defined processes, partial risk assessments, visibility
  • Getting There: Well-defined security policies, proactive security operations
  • Mature: Documented and reviewed procedures, metrics in place
  • Very Mature: Advanced tools, optimized processes, strong metrics

Risk Assessment Process

  1. Identify Critical Information Assets: Understand and document what needs protection
  2. Understand Threats: Analyze historical incidents, industry trends, and potential risks
  3. Assess Risks: Likelihood and impact scoring (ISO 31000)
  4. Create a Treatment Plan: Prioritize and address high-risk areas
  5. Build a Roadmap: Set achievable goals, start with the basics, address high-risk areas first
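The scoring, treatment-plan and roadmap steps above, and the per-band counts used for the reporting section that follows, as an added worked example (not material from the webinar or from Shearwater Solutions); the 1..5 likelihood and impact scales, the band thresholds and the sample register are assumptions chosen for illustration, and ISO 31000 does not prescribe them.

```python
from dataclasses import dataclass
from collections import Counter

# Assumed 1..5 scales (a common risk-matrix convention, not a scale the talk or ISO 31000 prescribes).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RATING_ORDER = {"high": 0, "medium": 1, "low": 2}

@dataclass(frozen=True)
class Risk:
    asset: str           # step 1: the critical information asset at stake
    threat: str          # step 2: the threat scenario against it
    likelihood: str      # step 3 inputs: keys of LIKELIHOOD / IMPACT
    impact: str
    basic_control: bool  # True when the treatment is a foundational control

def score(risk: Risk) -> int:
    """Step 3: likelihood x impact on the assumed scales (1..25)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]

def rating(risk: Risk) -> str:
    """Bucket a score into the bands executives see (assumed thresholds)."""
    s = score(risk)
    return "high" if s >= 15 else "medium" if s >= 8 else "low"

def treatment_plan(risks: list[Risk]) -> list[Risk]:
    """Step 4: address the highest-scoring risks first."""
    return sorted(risks, key=lambda r: (-score(r), r.asset))

def roadmap(risks: list[Risk]) -> list[Risk]:
    """Step 5: high-risk areas first; within a band, basics before advanced work."""
    return sorted(risks, key=lambda r: (RATING_ORDER[rating(r)], not r.basic_control, -score(r), r.asset))

def executive_summary(risks: list[Risk]) -> dict[str, int]:
    """Reporting: count of risks per band, a metric that survives year-on-year comparison."""
    counts = Counter(rating(r) for r in risks)
    return {band: counts.get(band, 0) for band in RATING_ORDER}

# Constructed sample register, not data from the webinar.
REGISTER = [
    Risk("customer database", "credential theft via phishing", "likely", "major", True),
    Risk("customer database", "ransomware on file servers", "likely", "severe", False),
    Risk("public website", "defacement", "possible", "minor", True),
    Risk("HR records", "insider misuse", "unlikely", "major", False),
    Risk("backups", "restores never tested", "likely", "major", True),
]

if __name__ == "__main__":
    for r in roadmap(REGISTER):
        print(f"{rating(r):6} {score(r):2} {r.asset}: {r.threat}")
    print(executive_summary(REGISTER))
```

Note that the roadmap order differs from the raw treatment-plan order: the untested backups and the phishing risk (both basic controls) come before the higher-scoring ransomware item, which is the "start with the basics" rule applied inside the high band.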

Metrics and Reporting

  • Identify metrics that resonate with executives
  • Regularly measure and report on security and compliance to stakeholders

Final Thoughts and Poll Results

  • Executives' Awareness: Increased awareness over the past 12 months
  • Information Security Plans: Majority are currently developing or planning to develop in the next 12 months
  • Regular Reporting: Many organizations still need to establish regular reporting mechanisms

Conclusion

  • Building a cybersecurity roadmap requires understanding the current state, setting clear goals, and continuously evolving to meet new threats and compliance standards.