Choosing a Cybersecurity Provider
When choosing a partner, do your research. Possibly the strongest sector when it comes to cybersecurity is the Department of Defense. The DoD uses a directive called DoD 8570 to ensure anyone working in the system is qualified. It is vendor-agnostic: its requirements are met by holding recognized cybersecurity certifications. Different levels of DoD 8570 are reached by obtaining different certifications, such as SSCP, GSEC, CISA, GCIH, GCED, CISSP, CASP, CAP and more. A quick Google search will land you on a chart that spells out the different levels and corresponding certifications.
In lieu of searching for a needle in the unregulated haystack that is the cybersecurity industry, use DoD 8570 as a starting point. This will narrow your search down to more qualified, highly certified potential partners. Search for providers with DoD 8570 qualifications, or many of the certifications associated with DoD 8570. Cybersecurity is a specialty that goes beyond IT – you want someone that has special qualifications. Listen for providers that talk about risk assessment and their certifications.
Getting Buy-In from Key Stakeholders
When you’re ready to upgrade your cybersecurity portfolio, the first obstacle can be stakeholders within your company. Outside of the IT department, it’s not always understood why a stronger cybersecurity strategy is needed – especially a costly one. In this case you need to know your audience.
Whoever is going to approve your budget wants to see cybersecurity expressed in terms of risk management. They want to see it in dollars and cents. There are standard equations, taught in bodies of knowledge such as the CISSP's, that take the annual rate of occurrence, the exposure factor and the single loss expectancy and turn them into an annualized cost of risk for you to present.
For 99 percent of businesses, cybersecurity is a cost center, and only makes sense to the extent that it reduces business risk or saves money. A CFO or other key stakeholder is going to want to know how much it costs and how much it is going to save the organization in the event of a breach. Use the equations, plug your data in, and show the stakeholder what different breaches will cost, how often they are expected, and how purchasing a new technology reduces that cost. Then you are providing a legitimate return on investment that stakeholders can buy into.
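The arithmetic the two paragraphs above refer to, carried through as an added example that is not from the article or from Stronghold Cyber Security: single loss expectancy (SLE = asset value x exposure factor), annualized loss expectancy (ALE = SLE x ARO), and the net annual benefit of a proposed control. The two breach scenarios, the controls, and every dollar figure, exposure factor and rate are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV: dollar value of the asset at risk (constructed)
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0 to 1.0
    aro: float              # ARO: expected number of incidents per year


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = AV * EF: dollar loss from a single incident."""
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE * ARO: expected dollar loss per year."""
    return single_loss_expectancy(s) * s.aro


def net_benefit(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Net annual value of a control = ALE(before) - ALE(after) - annual cost.
    A positive number is the return a budget owner can weigh against the spend."""
    return (annualized_loss_expectancy(before)
            - annualized_loss_expectancy(after)
            - annual_control_cost)


# Constructed before/after pairs: the 'after' scenario models the control's
# effect on EF (how much is lost per incident) and/or ARO (how often it happens).
PROPOSALS = [
    ("offline backups + endpoint detection", 40_000,
     Scenario("ransomware on file server", 500_000, 0.40, 0.5),
     Scenario("ransomware on file server", 500_000, 0.10, 0.25)),
    ("multi-factor authentication", 15_000,
     Scenario("phished credentials", 250_000, 0.20, 2.0),
     Scenario("phished credentials", 250_000, 0.20, 0.2)),
]


def rank_proposals(proposals=PROPOSALS):
    """Rows of (control, ALE before, ALE after, net benefit), best return first:
    the ordering a stakeholder wants when deciding where the budget goes."""
    rows = [(name, annualized_loss_expectancy(b), annualized_loss_expectancy(a),
             net_benefit(b, a, cost)) for name, cost, b, a in proposals]
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for name, before, after, net in rank_proposals():
        print(f"{name:38s} ALE ${before:>9,.0f} -> ${after:>8,.0f}  net ${net:>8,.0f}/yr")
```

A control whose net benefit is negative still costs less than doing nothing only if the "after" ALE is lower; the sort simply puts the proposals with the best return first.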
Any given organization needs to assume that it’s been breached or it will be breached at some point in time. Structure policies and technology accordingly.
Whether the cybersecurity provider is designing policies and drills or you’re doing it yourself, nothing has to be designed from the ground up. These frameworks all exist – again, the DoD has protocols such as STIGs and NISPOM. While stringent, these can be expensive to implement. There are also standards created by NIST and ISO that give frameworks for cybersecurity drills, policies and best practices that can be adopted by any organization. The Defense Security Service website has a ton of information for free that can help you build your own policy.
Finally, you will want to test your network as often as possible. In the DoD, vulnerability scans are conducted every month. PCI calls for them quarterly. In any case, vulnerability scans should be done regularly. A hacker could get into your network, not find anything they want, but leave a toehold in your network in case they want something down the line. If you don't scan for them, they will stay there forever without you noticing. Make sure you scan after business hours, since scans put load on production systems. A number of different tools are available to automatically scan for vulnerabilities, and members of your staff can review the results.
If you find a vulnerability you can move on to active exploitation, if you are willing to take the risk. Active exploitation involves hiring ethical hacking companies to conduct white box or black box tests of your system. This means the company will attack your network to discover vulnerabilities, either with prior knowledge of your system (white box) or without (black box). This will give you a detailed view of how a vulnerability can be used against you. You can also hire these services if no vulnerability was found but you still want a deeper test of your security measures.
Whatever the reason, ensure that the software, employee, or third party testing your system is totally separate from your cybersecurity provider. If you do it internally, the person testing and the person reviewing should be two separate people, to mitigate insider threat and corporate espionage. If you hire a third party, ensure that they have no connection to your cybersecurity provider, so that they are disinterested. You want them to find the problems. This is called separation of duties, and it is crucial in the testing phase.
Cybersecurity is one of the most complicated technical problems of our time. There’s a reason you see a new hacking scandal in the news every week. You will be compromised at some point. However, writing a solid RFP, choosing the right provider, putting policies in place, and regularly testing your system will help mitigate the fallout of any potential attack.
Special thanks to Jason McNew of Stronghold Cyber Security for providing information. Learn more about cybersecurity technology from Jason’s interview on My TechDecisions Podcast.