Security Roadmap, Strategies and Challenges
My Learnings - Part-1

It’s hard to develop a cybersecurity roadmap because several elements need to be considered at once: compliance and risk posture, the policy framework, detection and response capabilities, and resilience and recovery after a breach.

Hi Everyone 👋, in this multi-part series I’m going to share how to develop a security roadmap, which usually starts with asking a few relevant questions. I’ll also talk about what good security looks like, because it’s hard to make a good roadmap if you don’t really know what you’re aiming for, and about where to start and how to get there.

Let’s discuss what executives typically ask…

Are we Compliant?

You can be compliant without being secure. That said, compliance requirements and standards contain a lot that will help you get there. In the end, though, they won’t make much difference unless the organization lives and breathes them rather than treating them as an annual checkbox.

Are we Secure?

By the same token, you can be secure without being compliant, and we see that quite a bit: organizations with very good security practices and operations that are bad at documenting them. From a compliance standpoint they fail, but they are still secure.

How much progress did we make in making us more secure?

How did we do compared to last year? That’s a tough one, since the landscape we worked in last year was different. The attacks we saw last year may have been few, and the attacks we see now may be vastly different from them. Information security is a dynamic discipline in which everything changes and everything stays the same: the processes, procedures and operational routines don’t change much over time, but the attacks, and how we respond to them, change every day. So it’s a bit of both.

If you didn’t change your security effort in the last 12 months, you may have been doing a great job against the attacks you were seeing then. But if you’re still doing the same thing now, there’s a fair chance the attacks have outpaced you.

What would we do in case of a breach?

This is a great question because they’re trying to figure out whether you’re prepared for an attack, usually because their awareness has just been raised. Whenever there’s a widely reported incident, we see executives asking this question.

When executives ask the questions above, there’s a subtext to what they’re actually asking.

When they ask for “Are we compliant?” they’re really asking…

Along the same lines, “Are we secure?”

That’s the question really being asked.

“How much progress did we make in making us more secure?”

“What would we do in case of a breach?”

In essence, that’s what the executive is asking with any one of these four questions. Taken on their own they can be difficult to interpret, but taken together they give you a clearer picture of where the organization stands on security.

What does good security look like?

Good security needs to be proactive

In a lot of companies, security teams are purely reactive: they react to requests to assess new features and projects. We’ve all probably run into the situation where someone comes up to your desk just before the weekend and says “hey, this project needs to go live in a few hours, can you please approve it? 😰”. Our security team needs to change from a reactive one to a proactive one.

Security should not be Obstructive.

In-your-face security often creates obstacles for the business, so our role as a security team is to ensure that the business is able to do what it needs to do in a secure manner. Nobody has ever thanked a security team for constantly saying “No”. Obviously there are times when “No” is the right answer, because plenty of things are bad ideas from a security perspective, but ideally you’ll have a security team that actually contributes to the success of the organization.

Security Coverage is one of the main pillars.

The right coverage has to be actively maintained. Tools and solutions get put in place and switched on, and then, in many organizations, they are simply left alone for the rest of the year. We come across systems that have never been touched since they were implemented. They may still do what they were bought to do, but they need ongoing attention: tuning, updates and a regular check that they still cover what you think they cover.

Implement technology/controls correctly

Controls have to be introduced in a sensible order and configured properly. If your organization is at the point where you have firewalls and anti-virus, your next purchase should not be a platform that captures and analyzes everything; there is probably an intermediate capability between the two that you will want to consider first. A control only counts as coverage once it is correctly deployed and tuned, not once it has been bought.

Minimize the Risk

We need to understand what the risks are, and what we are able to do about each of them, in order to minimize them as much as possible.

Cost Effectiveness

Security solutions must be cost-effective. If a solution would cost two or three times the company’s annual revenue, it is obviously not going to be of much use to the company; the cost of a control has to be proportionate to the risk it reduces.

Responding to current threats

Understanding what’s going on in the world right now gives your security team a head start on being proactive.

Repeatable process

You must be able to repeat whatever you do. If you discover an XSS, you should be able to find the same issue anywhere else in your estate with the help of tools and scripts, so you can focus on more interesting things rather than sweating over rediscovering the same issue in different instances a week later.
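As an added example (not code from the original post), here is one way to turn a one-off reflected-XSS finding into a repeatable check. It sends a probe value containing the characters that matter (`<`, `>`, `"`, `'`) between two markers, then inspects what came back between those markers to decide whether the output is escaped, partially escaped or reflected raw. The endpoints, parameter names and response bodies below are constructed stand-ins for the results of real HTTP requests; wiring the scan to an HTTP client and a list of your own parameters is left to the reader.

```python
"""Repeatable reflected-XSS check over a set of responses (illustrative example)."""
import html
import re

# Constructed probe: markers on both sides make it easy to locate the
# reflection and inspect exactly which characters came back unescaped.
MARK_OPEN, MARK_CLOSE = "zq1", "1qz"
SPECIALS = "<>\"'"
PROBE = MARK_OPEN + SPECIALS + MARK_CLOSE

_REFLECTION = re.compile(re.escape(MARK_OPEN) + r"(.*?)" + re.escape(MARK_CLOSE), re.S)


def surviving_specials(body: str):
    """Return (reflected, chars): whether the probe came back at all, and which
    of the special characters were reflected raw rather than HTML-escaped."""
    chars = set()
    reflected = False
    for m in _REFLECTION.finditer(body):
        reflected = True
        chars.update(ch for ch in SPECIALS if ch in m.group(1))
    return reflected, chars


def classify(reflected: bool, chars) -> str:
    """Map the surviving characters to a verdict a triager can act on."""
    if not reflected:
        return "not-reflected"
    if "<" in chars and ">" in chars:
        return "tag-injection"       # raw <...> reflected: element/script injection
    if '"' in chars or "'" in chars:
        return "attribute-breakout"  # quotes survive: can break out of an attribute
    if chars:
        return "partial"             # something survives; needs manual review
    return "escaped"


def scan(responses):
    """responses: iterable of (endpoint, parameter, response_body) where the
    parameter was sent with PROBE as its value. Returns one
    (endpoint, parameter, verdict) per input; callers filter on the verdict."""
    return [(ep, param, classify(*surviving_specials(body))) for ep, param, body in responses]


# Constructed sample responses standing in for real fetches of each endpoint.
SAMPLE_RESPONSES = [
    ("/search", "q", "<p>Results for " + PROBE + "</p>"),            # no escaping at all
    ("/profile", "name", '<input value="zq1&lt;&gt;"\'1qz">'),       # angle brackets escaped, quotes not
    ("/about", "ref", "<p>" + html.escape(PROBE) + "</p>"),          # properly escaped
    ("/help", "topic", "<p>no such topic</p>"),                      # parameter not reflected
]

ACTIONABLE = {"tag-injection", "attribute-breakout", "partial"}


def findings(responses=SAMPLE_RESPONSES):
    """The subset of scan results that should become tickets."""
    return [r for r in scan(responses) if r[2] in ACTIONABLE]


if __name__ == "__main__":
    for ep, param, verdict in scan(SAMPLE_RESPONSES):
        print(f"{ep:10} {param:6} {verdict}")
```

The point of the marker-delimited probe is that the check distinguishes "escaped", "partially escaped" and "not reflected" instead of a single yes/no, so the same script can be rerun after a fix (or in a scheduled job against a list of known parameters) and the difference between "fixed" and "the page no longer echoes the input" is visible in the output.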

Detailed documentation

Documentation is important, and we are all a little bad at it. But it’s okay to start small and build up slowly.

What does it take to get good security?

In an organization, four main functions must take place:

The skills and services for these functions don’t have to live inside your organization, and it’s fine to get someone else to assist you. You don’t have to run a security business, but each of these functions must be performed and owned by someone, and they can be outsourced easily.

Where are we in terms of security maturity?

There are different ways of measuring it, all at a fairly high level, and to be honest, the less mature you are, the easier this exercise is.

The next post - “part ii” of this series will discuss ways to improve security and the roadmap.

🙏


Written by avicoder on 06 August 2022
@avicoder