7 Red Flags to Look for in Your MSSP Relationship

The managed security service provider market is crowded with 5,000+ companies worldwide offering some degree of MSS. That’s good news and bad news for customers. Competition should drive quality of service up across the board. But it also presents a paradox of choice, and many customers find themselves with buyer’s remorse.

A good MSSP, however, is invaluable. The variety and volume of security technologies available create a web that becomes too complex and costly for the enterprise to manage and maintain itself. Complexity, after all, is the enemy of security.

What Is an MSSP, and What Is It Not?

Before we begin, it’s important to understand what you should expect from your MSSP.

At its most basic, a managed security services provider is an outsourced partner who monitors and manages security technology on behalf of the enterprise to aid in incident detection and response. MSS, however, can be much more than that. The right provider will understand the bigger security picture for the enterprise and be able to contextualize the threat, reduce time to detect the breach, and, ultimately, lessen its impact.

Most traditional MSSPs aren’t set up to achieve those outcomes, however. Instead, they’re composed of bolted-on services primarily driven by sales opportunities. A customer purchases a large amount of technology and asks if the provider might also be able to manage that technology. Then another technology is purchased, and more services are created and sold.

The problem with this approach is it simply shifts the complexity to a different team. That team may have more technical knowledge, but the services are still siloed and independent from the total security strategy and ecosystem.

Understanding the differences in approaches is critical to the long-term success of your MSSP relationship. So how do you tell a good MSSP from a bad one? Here are seven red flags to look for.

7 Signs It’s Time to Move on from Your MSSP

#1 Their portal has an ugly interface.

Forgive us for being vain, but the usability of the MSSP portal absolutely matters. The portal should be beautiful, easy-to-use, and, most importantly, provide value and context from the very first screen. Many portals today are outdated and not user friendly. If your MSSP has a portal, and you never log into it, that’s a problem.

#2 They are just an alert factory.

Is your MSSP simply “alerting” you to alerts? You deserve more! Your MSSP should be able to provide insight and context as to why that alert is or is not relevant to you. If the alerts you receive are generic and templatized, you’re essentially paying your MSSP to manage escalations.

#3 They can’t give you a unified view of incidents across environments.

In this day and age, providing management and visibility across environments—IT, OT, Cloud, etc.—is table stakes. If your MSSP can’t give you a unified view of incidents across environments, or if they can’t provide security visibility regardless of where your data resides, it’s time to move on.

#4 They say they do threat hunting, but can’t prove it.

Threat hunting has become a buzzword that MSSPs use to lure in prospective clients. But can they actually back it up? Threat hunting should not be abstract. In our case, we show clients exactly which threats we’ve detected and relevant incidents right in their portal. This should be the norm, not the exception.

#5 They have restrictive SLAs and a nickel-and-dime attitude.

This one is pretty simple. If your MSSP is holding you to an SLA, or if their own SLAs are prohibitive, they do not have your best interest at heart. Similarly, if they charge for every extra hour or request outside your retainer, their loyalties lie with their bottom line, rather than your security wellbeing.

#6 They can’t give you real-time visibility into the service you’re paying for.

Do you know if the services you were promised are being delivered? If service was interrupted, would you be able to tell? If not, it’s time to look for a better provider.

#7 You’re only with them because they were easy to get through procurement.

Would you believe that often customers don’t actually choose their number one MSSP? It’s true! Customers often end up choosing the MSSP that’s best from a budget, procurement or MSA perspective, rather than the one that offers the best services. With a service that you’ll interact with nearly every day, it’s important not to fall into the “procurement trap.”

3 MSSP Requirements You Shouldn’t Compromise On

If you decide it’s time to let your MSSP go, it’s important not to repeat the same mistakes you have in the past. Here are three criteria to add to your checklist when selecting an MSSP.

Modern interfaces and collaboration tools. Today’s security engineers have been raised on mobile devices and chat apps. Streamlining the user experience and offering more real-time collaboration will ultimately lead to better client satisfaction.

Tailored, strategic service. An MSSP that customizes its services to your specific environment and is committed to your long-term success will ultimately be more successful than one that relies on a more transactional approach.

Honesty and transparency. Your MSSP will likely not be able to “do it all.” There may be areas where your team is stronger or where a technology vendor may be able to provide better service. Your MSSP should work with you to define and shape requirements rather than claim they can check all the boxes. 

Through an Assessor’s Lens: Discovering the Value of a NIST CSF Assessment

NIST CSF is a cybersecurity framework that helps organizations uncover unknown risks, set up new controls, break down internal silos, and achieve cybersecurity maturity.

As cybersecurity continues to mature and be at the top of everyone’s mind, a natural shift has occurred from focusing on meeting regulatory compliance mandates, to involving the business and reducing risks associated with their valuable assets.

Blocking every threat would be nice but is cost-prohibitive (not to mention nearly impossible). Instead, organizations are responsible for allocating resources to reduce areas of cyber risk within their defined tolerance levels. This is where the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) excels.

The NIST CSF was first published in 2014 under the Presidential Executive Order of ‘Improving Critical Infrastructure Cybersecurity,’ which called for a standardized security framework. Existing frameworks like NIST 800-53 and ISO 27001 provided specific controls and processes, while the creation of NIST CSF offered a more digestible and flexible cybersecurity framework, allowing all adopters to see their security program from a more strategic, business-centric view.

Why use NIST CSF?

One of the major benefits of NIST CSF is that it’s far less prescriptive than other cybersecurity standards as it is more open to adaptation. Any organization can use NIST CSF to identify and fill gaps in their cybersecurity program. That said, while the framework can be useful for achieving compliance goals, it is not a compliance exercise. Instead, it’s a tool to assess, identify risks, and put controls in place to address them.

The framework categorizes cybersecurity maturity in four tiers:

  • Partial: Controls are put in place ad hoc and issues are mitigated reactively.
  • Risk-informed: Controls are in place but usually not organization-wide.
  • Repeatable: Controls are formally approved and consistently implemented.
  • Adaptive: Controls are continually updated to reflect current threats and activities.

Moving from one tier to the next requires a cultural change, investment of time and resources, and formal coordination between cybersecurity and the rest of the departments within the business.

NIST CSF provides a ‘closed-loop’ for continuous improvement in cybersecurity. By regularly assessing the current state of different controls and setting objectives for improvement, an organization can systematically reduce cyber risk.

Incorporating NIST CSF into your cybersecurity program

The framework does not meet every organization’s needs, nor is it intended to replace others. NIST CSF is a descriptive (not prescriptive) framework, designed to be adapted to the needs of any type of organization. To get the maximum benefit, security leaders need to assess where the framework fits within the company’s needs and where it doesn’t. They also need to be mindful of the framework’s gaps (e.g. emerging technologies) that might be overlooked and consider complementing the framework’s controls with others specifically designed for the current business and security challenges.

Organizations aren’t limited to using one cybersecurity framework. NIST CSF works well with other available frameworks, which may incorporate a blended set of controls because they fit both business and security needs. This is also applicable when an organization intends to obtain a certification (e.g. ISO/IEC 27001) or needs to meet regulatory requirements.

In addition, if the organization is coming from a place of low cybersecurity maturity, NIST CSF can be the stepping stone to build a foundational cybersecurity program. The next step would be to develop a reasonable and attainable roadmap to improve said maturity for the future state.

Through the process, it is vital to get the buy-in from the business. This is to ensure that security is built into the culture and that the framework is formally integrated, aligned, and prioritized in the day-to-day operations.

NIST CSF assessments

A NIST CSF assessment is not an audit but rather an engagement to drive business value by identifying risks. In heavily regulated industries, it may be a requirement to perform a risk assessment each year; however, in lesser or unregulated industries, it is recommended to get an assessment every two years due to the continual evolution of threats.

A typical NIST CSF assessment follows three steps:

  • Step #1: Interviews and workshops with relevant subject matter experts and control owners.
  • Step #2: Review of documentation (policies, standards, and procedures) and evidence of controls in place.
  • Step #3: Report on the detailed findings, risks, and recommended steps to remediate control weaknesses or gaps in the current cybersecurity program.

It’s important to work with a qualified, independent assessor who has seen how the controls are applied across different industries and similar organizations. An experienced assessor can give organizations assistance on how the framework should be successfully applied, offer valuable insight into the level of maturity compared to others, provide risk mitigation techniques, and incorporate ‘hot topics’ during the risk assessment ensuring the organization is well protected.

Leveraging a professional brings many benefits for an organization, including:

  • Uncover control weaknesses and hidden/unknown risks. Interviews include discussions on how and where systems are connected and protected, which often uncover unknown risks. This is likely to happen when operational and security departments act as silos and/or don’t have formal and centralized processes.
  • Identify areas where additional resources would help reduce risk. Risk reduction is fundamental, and NIST CSF assessments are valuable to identify the most important areas for investment of human, technology, and financial resources.
  • Realign cybersecurity priorities based on independent perspectives. It’s easy for decision-makers to ignore internal voices, but harder to do so with an unbiased independent assessment.
  • Address questions from executive management. An assessment provides an impartial answer to “Are we covering all major information security risks?” and boosts executive confidence in the program.

If you choose to work with an assessor, remember to always be transparent. Sharing all weaknesses enables the assessor to provide better guidance, which may also provide a platform for obtaining additional support or resources from management to address the areas of risks.

Risk assessment for Covid-19 and beyond

Covid-19 showed us the importance of having plans in place to address business continuity, security in the supply chain, and vendor risk focused on the resources that affect the organization’s up-stream and down-stream operations. Many organizations found themselves in the uncomfortable position of having to alter business operations because they didn’t assess or develop action plans.

Leveraging the NIST CSF, organizations can work on their cybersecurity maturity in a time when threats are constantly on the rise. Having a qualified assessor review your organization’s cybersecurity program, specifically using NIST CSF, can be helpful to identify risks that aren’t intuitively obvious but could cause serious disruption when they become a reality.

Cory Steinbicker, Senior Advisor – Strategy & Governance, Kudelski Security

This article was originally published in IT Pro Portal.

MSS is dead; Long live MSS!

Automated detection will fail. This is not a FUD (Fear, Uncertainty, Doubt) statement designed to strike fear into the hearts of CISOs; it’s a fundamental problem that’s unlikely to be solved in my lifetime. This problem is not limited to technology alone; sometimes it’s a failure related to process or people, and sometimes it’s a murky mixture. Add any sort of complexity to the mix and the odds become greatly stacked against us.

Regardless of the reason, these factors can result in a failure to notice something bad happening in our environment and puts us in an awkward position. The investment we made to protect ourselves works as intended, but only most of the time.

As security professionals, is it time to admit that we can’t spend our way out of being vulnerable to a breach; as security vendors and service providers, is it time to admit that we can’t actually stop every breach?

IFTTT (If This Then That) or what?

This doesn’t mean we shouldn’t have great technology, people, and processes helping us to make decisions about the activity going on around us. Air disasters have dramatically and steadily declined over the past couple of decades. This is mostly due to advances in pilot training, the design of the planes themselves and fly-by-wire automation technology that most come equipped with today. However, accidents still happen; airspeed indicators freeze over sending instruments into chaos prompting pilots to chase down problems and react in ways that aren’t necessary to resolve the actual problem thereby making the overall situation worse.

We are in a similar situation: great technology that keeps us safe, well-trained operators following a solid process, and automatic detection of most threats.

At this point our conversation can go in many directions, perhaps we’d talk about Risk Mitigation, Security Control Frameworks, the future of AI and Machine Learning, blockchain, next-gen, virtual reality, etc. but you already hear enough about those. I want to talk about this problem from a Managed Security Services Provider perspective.

Does MSS drive value to its clients and are consumers of Managed Security Services expecting enough of their MSSP?

MSSPs, in general, are not delivering on their promises. “We are an extension of your team”: hardly, as nearly every time you talk with your MSSP it involves explaining something you’ve already explained many times in the past. “You can take advantage of our wide visibility into a large client base to realize improvements in our detection capabilities for you”: doubtful, most MSSPs don’t have the infrastructure or process in place to ensure this actually happens. “We don’t just throw alerts over the fence to our clients”: no comment necessary here, I imagine.

Truth is that MSSPs struggle to provide value. The majority of MSSPs were created when a client opportunity came up to manage and monitor a technology, and due to this, most are only built to monitor security technology and the alerts it generates. This continues throughout the life of the provider. Got a new technology you need managed? MSS will take it on!

On the other hand, consumers of MSSP services have been conditioned to expect that the value of these services is in the expansion of their security device management and monitoring to 24×7 by a larger set of eyes. This is a great expectation, but what some may not realize is that an MSSP will have the same struggle to contain technology sprawl as any enterprise. The more technology an MSS manages and monitors, the harder it is to be effective and efficient at doing so. The complexity of it all becomes overwhelming and service delivery suffers as economies of scale disappear. MSSPs compete in the same job market as everyone else, so this complexity leads to stress and job dissatisfaction, which inevitably leads to analyst turnover, only exacerbating the problem. It might be interesting to note that clients tend to overlook blips in service during the duration of the contract because the value is in the coverage, not the actual outcome of the service. At renewal time, however, the realization that little value was delivered is exposed and many organizations look elsewhere (or internally) for a SOC.

Lessons learned.

These are just some of the problems with legacy MSSPs (yes, there’s more) and with over a decade of experience working for some of the biggest and best, I consider them lessons learned. When we came to Kudelski Security in 2016 we asked for and were granted the opportunity to stop selling our MSS and take a hard look at our service model and at the MSSP vertical in general. With the lessons learned in mind, we went about the process of rebuilding everything on top of our Cyber Fusion strategy. Sitting together in many (many!) meetings a fundamental and critical objective bubbled up. We need to deliver value to our clients, not just the perceived value based on extending coverage of internal teams but real value based on business outcomes that reduce overall risk. To do this we needed to understand how to contextualize the modern threat, detect a breach quickly, and limit the impact.

Assume Breach.

Automated detection will fail and we should assume breach; this is the genesis of our strategy to tackle delivering those business outcomes. When we started to work on our infrastructure, our goal was to have the top Threat Monitoring Service in the world. We built in the capability to ingest business context just as easily as we could ingest curated threat intelligence. Luckily Kudelski Security provided us with a team of 30 DevOps engineers dedicated to MSS.

If an organization is monitoring junk, sending that junk to an MSSP doesn’t make it better, so we created a set of standard Use Cases which we could deploy regardless of technology, as well as the capability to customize Use Cases as needed, so our clients could consume alerting with consistency across their environment. We see the network perimeter as deteriorated, so we placed extra focus on the endpoint by developing Managed EDR and Attacker Deception Services, which landed us in the 2017 Gartner MDR Market Guide. By the way, we do have a select set of great technologies we manage as well. This list is kept intentionally small for the reasons we covered above.

If we had stopped there, Kudelski Security would be a great MSSP; we wanted to be greater.

Challenge the MSSP vertical to change.

Fundamentally I want to see all MSSPs better protect their clients. To induce this market change we provide Threat Hunting as part of our Threat Monitoring Service at no extra cost.

We believe this is what every MSS, every SOC, and every security team should do regularly because automated detection will fail and we must assume breach.

Threat Hunting is an integral part of Threat Monitoring and as such should not be separated on a pricing sheet.

Our hunting is not just marketing lip service either; it comes in 3 flavors and they are all included with our Threat Monitoring.

  • Structured
    • We have a set of Threat Hunting use cases which we monitor for anomalies 24/7/365
  • Targeted
    • We meet Monday – Friday every week to identify noteworthy threats to hunt. It could be based on input from our clients, from what we’ve seen in the intel community, or what we’re seeing with fast-breaking threat events such as NotPetya, WannaCry, etc.
  • Creative
    • We enable every analyst regardless of level to hunt, at any time, based on their hunches and intuition. If you see something interesting, hunt for it.

Our threat hunting is performed by our own MSS Analysts and not a separate professional services team who mostly do point-in-time projects. We are always hunting, searching for that clue, that breadcrumb, that something is amiss. We’ve found hidden threats otherwise missed by monitoring. Hunting also allows us to continually improve, as many of our hunts have resulted in new monitoring techniques. Allowing everyone to hunt has also increased the job satisfaction of our analysts, virtually eliminating turnover.

If it works for us, it can work for everyone and it should be a normal part of your threat monitoring program.

Francisco Donoso, our lead MSS Architect, is writing a follow-up to this post titled “SIEM is dead, long live SIEM”. He’s got some great content that emphasizes the work we’ve put into some of the technical ideas behind what we are all about as an MSSP.

Wrapping up.

Automated detection will still fail, and breaches will still occur, but with our approach, we can contextualize the threat, reduce the time it takes to detect a breach and limit its impact.

MSSPs out in the marketplace, consider this a challenge. We hope you will accept.

Cyber Resilience – A Primer Part 2: Your IR Team Will Fail to Identify Threats and It’s Going to Be Your Fault

Your Incident Monitoring team will fail to detect active threats to your business. Not because they are unskilled, lack specific tools, have limited visibility, or are resource constrained. They will fall short first because you failed to provide them with the focus they need to identify relevant cyber threats.

In my first post in this series, we talked about defining a mission statement with a set of business objectives to help focus your security team’s efforts. This post focuses on how to strengthen your team’s ability to identify the cyber-attacks against your business.

The task before all of us in the security field is growing in complexity with each passing year.

  • What are the business impacting events that could disrupt your company’s ability to execute its primary revenue sources?
  • Do you know what systems would be targeted by Threat Actors? Do you know what the Threat Actors’ focus or “Actions on Objectives” will be?
  • Which Cyber Business Threats should your business focus on to enable your business to continue operations during a major security incident?
  • What Threat Actor methodology should your IR team focus on identifying within your environment?

Qualifier: If I asked you how good your threat detection capability was, the chances are you’d believe it to be better than average and would answer as such. Now, what if I were to ask you how confident you were in your team’s ability to detect a few specific threats: data exfiltration, sensitive data exposure, hacking attempts against your web applications, brute forcing of open ports, and use of compromised credentials on cloud services?

Still confident? You’re not alone. Kudelski Security’s IR team works with many clients who – at the beginning of an engagement – believe their detection coverage is significantly stronger than their actual capabilities. The confusion stems from a failure to understand the limitations of the technology stack, underutilized or unrealized technology capabilities and “a lack of business defined threats that provide clear monitoring requirements against top business threats.”

Example: At a Fortune 500 company with around 10 billion in revenue (with a large security stack), the Security Lead confidently stated they had excellent detection capabilities and they regularly reported such to their stakeholders. After our review, we identified that they had less than 20 generic detection capabilities enabled through their SIEM, IDS and other detection capabilities. They lacked direction from their security leadership in identifying which cyber business threats were the most important, as well as the follow-through to ensure that top threats were being monitored.

Evaluating the “Top Threats” to My Business?

Considering the impact each cyber-attack type can have on your business is a critical step to preventing, detecting and responding to cyber-attacks. Kudelski Security refers to these threats, which are the opportunity for a Threat Actor to execute a Cyber Attack Campaign against any business, as Cyber Business Threats. The Cyber Business Threats are grouped into categories based on attackers’ general sets of motives:

  • Cyber Espionage
  • Cyber Crime
  • Insider Threat
  • Denial of Service
  • Third Party Risk
  • Data loss and exposure
  • Business Process Manipulation
  • Corporate IT Resource Hijacking
  • Cyber Propaganda
  • Regulatory / Non-Compliance
  • Hardware / IoT Intrusion
  • Misconfiguration / Miscellaneous Error
  • Physical Theft

Selecting the top threats isn’t easy and takes a deep understanding of your business and the Cyber Threat Landscape. While going into the Threat Modeling process is outside the scope of this post, I recommend that you assume that two of the following will be within your Top 5 Cyber Business Threats list: Cyber Espionage, Insider Threat, Organized Cyber Crime and Third-Party Risk, four Cyber Business Threats prevalent within most organizations’ Top 5 lists.

Once you select your Top Threats to the Business, you can pass these along to your IR/Monitoring team. Little has been published in the security sector on the complex translation of these Top Threats into a comprehensive set of detection capabilities. To compound the problem of the lack of documentation, the security industry is still defining its terminology for referencing Cyber Threats, Threat Actors, Business Risks, Incident Impacts, and capabilities.

Example: A specific Threat Actor category is often referred to as “Insider” while the Threat faced by a business is referenced as “Insider Threat.” How do we translate an “Insider Threat” into actionable requirements for the Incident Response Team? Consider that the Threat Actor “Insider” can be a Disgruntled Employee, Contractor or even a Trusted Third party. How do we accurately associate our existing detection capabilities with each threat type to ensure that we have adequate detection against these threats?

Kudelski Security recommends focusing on the following Threat Actors’ “Actions on Objectives”, which can provide insight into their attack goals. To enable your IR/Monitoring team for success, consider the “Actions on Objectives” as part of the Threat Actors’ methodology. The Tactics, Techniques, and Procedures (‘TTPs’) used explicitly by Threat Actors to reach their goals should be the focal point around which threat detection and prevention is prioritized. Map out how each one can be executed against your critical assets and sensitive data stores: Financial Gain, Account Compromise, Business Disruption, Gain Industry Advantage, Damage Reputation, Obtain Indirect Access to Target, and Intelligence Gathering.

Now we will combine the Cyber Business Threats with the Actions on Objectives to understand the specific risks to your business. This is not a one-time consideration that will outline all prevention and detection capabilities for all threats. The process of selecting your Top Cyber Business Threats and then viewing their specific Actions on Objectives will provide you with insight into how an attacker could accomplish their objectives. As your business changes, you will need to reevaluate how you are protecting the business.

I often like to compare this to both of us standing in a field with the countryside stretched out before us. I point to a spot in the distance and tell you, go there. If I place no limitations on the path you take, you are open to being as creative or straightforward as you want. In Cyber terms, attackers are continually discovering new paths never considered before which constantly keeps security several paces behind. The crucial part is to know what attackers are trying to accomplish within your organization and create the controls and detection capabilities to mitigate the risk.

Example: The Threat Actor category for Cyber Criminal and their Actions on Objectives for Financial Gain can have multiple paths to achieve their objectives. One consideration is that each of these examples has a different level of sophistication, as not all cybercriminals are created equal.

Here are a few examples:

1.) A spammed phishing campaign leads to ransomware on 10% of your computer systems which could leave your business at a standstill. Which controls are most effective in this scenario? 

2.) An open port is brute forced by the Threat Actor, and the credentials are used to collect data from internal file shares. Then the Threat Actor extorts you for financial gain or he will release all the data publicly. Can you detect outbound data exfiltration? Could data be exfiltrated through a cloud service?

3.) Finally, malware that utilizes a cryptocurrency is installed into your cloud environment and spikes your CPU cycles, costing your business for those cycles. Consider the total level of effort for containment and remediation needed to ensure a secure environment. Would segmentation have limited a Threat Actor’s capability to access the file shares?

The approach outlined in this article can assist you with laying the foundation of your Cyber Strategy. Understanding which type of Cyber Business Threats your business is susceptible to can provide scope and direction to your program. The challenge is to stay focused on current cyber trends and ensure that your cyber strategy aligns with Threat Actors’ methodology.

Cyber Resilience – A Primer Part 1: Defining Your Security Program’s Mission Statement

What is the number one thing your security team can do for your organization? Take a minute. It’s hard to pick just one amidst the never-ending salvo of competing objectives that security teams are mandated to meet.

Day-to-day tasks, project management, ad-hoc assignments, side projects, departmental red tape, people who flat out ignore the security group – they all have the potential to derail the fundamental “raison d’être” of your security team.

Defining and communicating a mission statement for your cybersecurity program centers your team’s focus on what matters most to help prioritize competing objectives, manage stakeholder expectations, and, ultimately, better secure the enterprise.

Like an organizational mission statement, your cybersecurity mission statement should reflect the purpose of your team and what you’ve set out to achieve. In other words – why do you exist?

Don’t worry, this isn’t as existential as it sounds, and we’ve put together a straightforward set of guidelines to help you get there.

First, a good mission statement will contain the following components:

  • The team’s main function – what is it that your team does for the company?
  • Your primary customers – who is it that your team primarily serves?
  • Protecting the products and services that make up the revenue of your business
  • The geographic location in which you operate

The one thing your mission statement should not be: generic. Make it specific to your business and how your team fits within it. Otherwise, you risk developing a statement that is unused, stale, and ultimately ignored.

Reaching a business-specific statement requires alignment with overarching business objectives. Best case scenario: your executive team has clearly laid these out, making it easy (or easier) to build upon. Worst case scenario: your probing forces the issue to define these business objectives.

If the organization does not have its objectives set and well-communicated, each department is pulling in a different direction, chasing the next new thing rather than operating strategically. This lack of direction makes it difficult to track your team’s progress towards any business-relevant goals.

Here are a few questions that can help you identify and align with business objectives:

  • What are the largest cyber threats to your business?
  • What does your company do that could be a target?
  • How does your business generate revenue?
  • What are the crown jewels of your business?
  • How big of a role does compliance play for your business?

For your team specifically, it’s important to ask:

  • How do you make security an enabler of business?
  • What is the culture you are trying to invoke within your team?
  • Who are the customers you are trying to protect? What assets are you protecting?
  • What are the limitations and capabilities of your cybersecurity program? How is that reflected within your current team?

With a mission statement in place, you will be able to create a set of objectives that help you achieve your cybersecurity goals. For example, the mission statement “Protecting ABC Inc. and securing their assets from brand damaging cyber-attacks,” might have the following set of objectives:

  • Enable secure communications standards that protect our client’s interests.
  • Ensure an agile vulnerability mitigation process.
  • Hire and/or retain world-class resources to defend and respond to cyber threats.
  • Identify and respond with swift clarity to immediate threats to the business.
  • Be innovative in protecting and enabling our core business.

Each of these objectives provides clear direction for your security team – a north star to guide you when competing priorities, pressure from other groups in the organization, or the next “new thing” threatens to sidetrack you from success.

When evaluating companies’ overall Incident Response maturity, a common theme has emerged. Those who adopt a weak Mission Statement often have similarly underdeveloped cyber capabilities. While I’m not stating a direct correlation, I have observed that this lack of specific focus translates to a company’s ability to respond to a Cyber Incident.

If you currently have a generic cyber security mission statement, we encourage you to develop a more meaningful and directionally engaging mission statement to drive your security program forward. If not, and you’d like guidance in moving forward, please do not hesitate to reach out to us at request@kudelskisecurity.com

Coming up next in the Cyber Resilience Primer series: defining what constitutes a security incident and the related risks they impose.