Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/07/08/how-to-build-and-enable-a-cyber-target-operating-model/
Cybersecurity is complex and ever-changing. Organisations should be able to evaluate their capabilities and identify areas where improvement is needed.
In the webinar “Foundational Components to Enable a Cyber Target Operating Model,” – part two of our Cybersecurity Series – Jason Hart, Chief Technology Officer, EMEA, explained the journey to a targeted operating cybersecurity model. To build a cybersecurity program is to understand your business context. Hart explains how organisations can use this information to map out their cyber risk profile and identify areas for improvement.
Organisations require an integrated approach to manage all aspects of their cyber risk holistically and efficiently. They need to be able to manage their information security program as part of their overall risk management strategy to address both internal and external cyber threats effectively.
Identifying priority areas to begin the cyber target operating model journey
You should first determine what data is most important to protect, where it resides, and who has access to it. Once you’ve pinned down these areas, you can identify each responsible business function to create a list of priorities. We suggest mapping out:
- All the types of data within your organisation
- All locations where the data resides, including cloud, database, virtual machine, desktops, and servers
- All the people that have access to the data and its locations
- The business function associated with each area
Once you have identified the most recurring business functions, you can list your priority areas. Only 12% of our webinar audience said they were confident in understanding their organisation’s type of data.
Foundations to identify risk, protection, detection, response, and recovery
To start operationalising cybersecurity within a targeted area, we first set the maturity of each foundation. A strong foundation will help ensure all systems are protected from attacks and emerging threats. People play a critical role in providing protection and cyber resilience. They should be aware of potential risks so they can take appropriate actions to protect themselves and their business function.
1. Culture
A set of values shared by everyone in an organisation determines how people think and approach cybersecurity. Your culture should emphasise, reinforce, and drive behaviour to create a resilient workforce.
Every security awareness program should, at minimum, communicate security policy requirements to staff. Tracking employee policy acknowledgements will ensure your workforce is aware of the policy and helps you meet compliance requirements.
A quick response can reduce damages from an attack. Security awareness training should teach your workforce how to self-report incidents, malicious files, or phishing emails. This metric will prove you have safeguards in place. Tailor security awareness training to employees’ roles and functions to measure the effectiveness of each department.
2. Measurement
Measuring the ability to identify, protect, detect, respond, and recover from cybersecurity risks and threats enables a robust operating model. The best approach requires an understanding of what your most significant risks are. Consider analysing the following:
- Phishing rate: A reduction in the phishing rate over time provides increased awareness of security threats and the effectiveness of awareness training. Leverage a phishing simulation to document the open rates per business function to track phishing risks.
- The number of security breaches: Track and record the number of new incidents and breaches every month. Measure a monthly percentage increase or decrease.
- Mean time to detect (MTTD): Calculate how long it takes your team to become aware of indicators of compromise and other security threats. To calculate MTTD, take the sum of the hours spent detecting, acknowledging, and resolving an alert, and divide it by the number of incidents.
- Patching cadence: Determine how long it takes to implement application security patches or mitigate high-risk CVE-listed vulnerabilities.
- Mean time to recovery (MTTR): Take the sum of downtime for a given period and divide it by the number of incidents. For example, if you had 20 minutes of downtime caused by two different events over two days, your MTTR is 20 divided by two, equalling 10 minutes.
3. Accountability
A security goal generates the requirement for actions of an entity to be traced uniquely to support non-repudiation, deterrence, fault isolation, intrusion detection, prevention, after-action recovery, and legal action.
The quality of your incident response plan will determine how much time passes between assigning tasks to different business functions. Calculate the mean time between business functions aware of a cyber attack and their response. Additionally, calculate the mean time to resolve a cyber attack once they have become aware by measuring how much time passes between assigning tasks to different business functions.
Also, consider recording how internal stakeholders perform with awareness or other security program efforts to track the effectiveness of training.
4. Process
Processes are critical to implementing an effective strategy and help maintain and support operationalising cybersecurity.
To determine your increase in the number of risks, link the percent differences in the number of risks identified across the business monthly. Identify accepted risks by stakeholders and vendors monthly, and hold regular information security forums between business functions to review levels of progress. It’s also wise to document meeting notes and actions for compliance and internal reference.
5. Resources
Ownership of cybersecurity across the business creates knowledge to manage, maintain and operate cybersecurity.
When determining the effectiveness of resources, analyse what levels of training you give different levels of stakeholders. For example, administration training will differ from targeted executives.
Calculate the engagement levels of input and feedback from previous awareness training and record positive and negative feedback from all stakeholders. Ensure that different parts of the business have the required skill level and knowledge within the business function’s scope. Use a skills matrix aligned to security domains to uncover stakeholders’ hidden knowledge or skill gaps.
6. Automation
The automation of security tasks includes administrative duties, incident detection, response, and identification risk.
Consider implementing automation in vulnerability management processes internally and externally to the business. Additionally, detect intrusion attempts and malicious actions that try to breach your networks. And finally, automate patch management actions on all assets within scope by assessing the number of patches deployed per month based on the environment, i.e. cloud.
A journey that delivers outcomes
A cyber-targeted operating model is a unique approach that provides defensibility, detectability, and accountability. The model is based on the idea that you can’t protect what you don’t know and aims to provide a holistic view of your organisation’s security posture. By identifying the most critical business functions and defining a process for each foundation, you can develop your cyber maturity over time.
To get the maximum benefit from Cybersecurity Series: Hackers ‘re Gonna Hack, watch Part One: Operationalising Cybersecurity to benchmark your existing maturity against the six foundational components. Watch Part 2: Foundational Components to Enable a Cyber Target Operating Model on-demand, or pre-register for Part Three: Cybersecurity KPIs to Track and Share with Your Board to begin mapping against your priority areas. Attendees will receive a complete list of Cybersecurity KPIs that align with the maturity level of your organisation.
Additional reading: