BUILD YOUR CYBERSECURITY PROGRAM
Over 30+ years, Tari Schreider has designed and implemented cybersecurity programs throughout the world, helping hundreds of companies like yours. Building on that experience, he has created a clear roadmap that will allow the process to go more smoothly for you.
Building Effective Cybersecurity Program: A Security Manager’s Handbook is organized around the six main steps on the roadmap that will put your cybersecurity program in place:
- Design a Cybersecurity Program
- Establish a Foundation of Governance
- Build a Threat, Vulnerability Detection, and Intelligence Capability
- Build a Cyber Risk Management Capability
- Implement a Defense-in-Depth Strategy
- Apply Service Management to Cybersecurity Programs
Because Schreider has researched and analyzed over 150 cybersecurity architectures, frameworks, and models, he has saved you hundreds of hours of research. He sets you up for success by talking to you directly as a friend and colleague, using practical examples. His book helps you to:
- Identify the proper cybersecurity program roles and responsibilities.
- Classify assets and identify vulnerabilities.
- Define an effective cybersecurity governance foundation.
- Evaluate the top governance frameworks and models.
- Automate your governance program to make it more effective.
- Integrate security into your application development process.
- Apply defense-in-depth as a multi-dimensional strategy.
- Implement a service management approach to implementing countermeasures.
With this handbook, you can move forward confidently, trusting that Schreider is recommending the best components of a cybersecurity program for you. In addition, the book provides hundreds of citations and references allow you to dig deeper as you explore specific topics relevant to your organization or your studies.
Whether you are a new manager or current manager involved in your organization’s cybersecurity program, this book will answer many questions you have on what is involved in building a program. You will be able to get up to speed quickly on program development practices and have a roadmap to follow in building or improving your organization’s cybersecurity program.
If you are new to cybersecurity in the short period of time it will take you to read this book, you can be the smartest person in the room grasping the complexities of your organization’s cybersecurity program. If you are a manager already involved in your organization’s cybersecurity program, you have much to gain from reading this book. This book will become your go to field manual guiding or affirming your program decisions.
2018, 250 pages. ISBN 9781944480516 PDF eBook; ISBN 9781944480509 EPUB. $39.99.
Chapter 1: Designing a Cybersecurity Program
1.1 Cybersecurity Program Design Methodology
1.1.1 Need for a Design to Attract the Best Personnel
1.1.2 A Recommended Design Approach: ADDIOI Model
1.1.3 The Six Phases of the ADDIOI Model™
1.2 Defining Architectures, Frameworks, and Models
1.2.1 Program Design Guide
1.3 Design Principles
1.4 Good Practice vs. Best Practice
1.5 Adjust Your Design Perspective
1.6 Architectural Views
1.7 Cybersecurity Program Blueprint
1.8 Program Structure
1.8.1 Office of the CISO
1.8.2 Security Engineering
1.8.3 Security Operations
1.8.4 Cyber Threat Intelligence
1.8.5 Cyber Incident Response
1.8.6 Physical Security
1.8.7 Recovery Operations
1.9 Cybersecurity Program Frameworks and Models
1.9.1 HITRUST CSF
1.9.2 Information Security Forum (ISF) Framework
1.9.3 ISO/IEC 27001/27002 Information Security Management (ISMS)
1.9.4 NIST Cybersecurity Framework
1.10 Maturing Cybersecurity Programs
1.11 Cybersecurity Program Design Checklist
Chapter 2: Establishing a Foundation of Governance
2.1 Governance Overview
2.2 Cybersecurity Governance Playbook
2.3 Selecting a Governance Framework
2.3.1 COBIT®5: Framework for Information Technology Governance and Control
2.3.2 COSO 2013 Internal Control – Integrated Framework
2.3.3 Information Governance Reference Model (IGRM)
2.3.4 Information Coalition – Information Governance Model
2.3.5 OCEG GRC Capability Model™ 3.0 (Red Book)
2.4 Governance Oversight Board
2.5 Cybersecurity Policy Model
2.5.1 Cybersecurity Policy Management
2.5.2 Cybersecurity Policy Management Software
2.6 Governance, Risk, and Compliance (GRC) Software
2.7 Key Cybersecurity Program Management Disciplines
2.8 Creating a Culture of Cybersecurity
2.9 Governance Foundation Checklist
Chapter 3: Building a Cyber Threat, Vulnerability Detection, and Intelligence Capability
3.1 Cyber Threats and Vulnerabilities
3.1.1 Threats, Vulnerability, and Intelligence Model
3.2 Cyber Threats
3.2.1 Lesson from the Honeybees
3.2.2 Cyber Threat Categories
3.2.3 Threat Taxonomies
126.96.36.199 Threat Taxonomy Sources
3.2.4 Cyber Threat Actors
3.2.5 Cyber Threat-Hunting
188.8.131.52 Cyber Threat-Hunting Tools
3.2.6 Cyber Threat-Modeling
184.108.40.206 Cyber Threat Analysis and Modeling (TAM) Products
3.2.7 Cyber Threat Detection Solutions
3.2.8 Cyber Threat Metrics
220.127.116.11 Example Cyber Threat Metrics
3.2.9 Cybersecurity Threat Maps
3.3 Vulnerability Management
3.3.1 Vulnerability Scanning
3.3.2 Patch Management
18.104.22.168 Virtual Patch Management
3.4 Attack Surface
3.4.1 Attack Surface Mapping
3.4.2 Shadow IT Attack Surface
3.4.3 Attack Surface Classification
3.5 Cyber Threat Intelligence
3.5.1 Cyber Threat Intelligence Services
3.5.2 Cyber Threat Intelligence Program Use Cases
3.6 Cyber Kill Chain
3.7 Cyber Threat, Vulnerability Detection, and Intelligence Checklist
Chapter 4: Building a Cyber Risk Management Capability
4.1 Cyber Risk
4.1.1 Cyber Risk Landscape
4.1.2 Risk Types
4.1.3 Cyber Risk Appetite
22.214.171.124 Risk Appetite Statement
4.1.4 Risk Tolerance
4.1.5 Risk Threshold
4.1.6 Risk Acceptance
126.96.36.199 Risk Acceptance Statement
4.1.7 Inherent Risk
4.1.8 Residual Risk
4.1.9 Annualized Loss Expectancy (ALE)
4.1.10 Return on Investment (ROI)
4.2 Cyber Risk Assessments
4.2.1 Business Impact Assessment (BIA)
4.2.2 Calculating Risk
188.8.131.52 Risk Calculation Software
4.2.3 Risk Registry
184.108.40.206 Risk Registry Products
4.3 Cyber Risk Standards
4.4 Cyber Risk Management Lifecycle
4.5 Cyber Risk Treatment
4.6 Risk Monitoring
4.7 Risk Reporting
4.8 Risk Management Frameworks
4.9 Risk Maturity Models
4.10 Third-Party Risk Management (TPRM)
4.10.1 TPRM Program Structure
4.10.2 Third-Party Attestation Services
4.11 Cyber Black Swans
4.12 Cyber Risk Cassandras
4.13 Cyber Risk Management Checklist
Chapter 5: Implementing a Defense-in-Depth Strategy
5.1.1 Industry Perception
5.1.2 Defense-in-Depth Models
5.1.3 Origin of Contemporary Defense-in-Depth Models
5.1.4 Defense-in-Depth Layer Categorization
5.1.5 Defense-in-Depth Criticism
5.1.6 Defensive Layers
5.2 Improving the Effectiveness of Defense-in-Depth
5.2.1 Governance, Risk and, Compliance (GRC) Domain
5.2.2 Threat and Vulnerability Management (TVM) Domain
5.2.3 Application, Database, and Software Protection (ADS) Domain
5.2.4 Security Operations (SecOps) Domain
5.2.5 Device and Data Protection (DDP) Domain
5.2.6 Cloud Service and Infrastructure Protection (CIP) Domain
5.3 Defense-in-Depth Model Schema
5.4 Open Source Software Protection
5.5 Defense-in-Depth Checklist
Chapter 6: Applying Service Management to Cybersecurity Programs
6.1 Information Technology Service Management (ITSM)
6.1.1 Brief History of ITSM and ITIL
6.2 Cybersecurity Service Management
6.2.1 Cybersecurity Service Management Approach
6.3 Cybersecurity Program Personnel
6.3.1 Applying the RACI-V Model to Cybersecurity Program Staffing
6.3.2 Applying the Kanban Method to Cybersecurity Program Staff Workflow
6.3.3 Bimodal IT Environments
6.4 Cybersecurity Operations Center (C-SOC)
6.5 Incident Management
6.5.1 Incident Response Management Products
6.6 Security Automation and Orchestration (SAO)
6.7.1 Rugged DevOps
6.7.2 DevSecOps Factory Model™
6.8 Software-Defined Security (SDSec)
6.9 Artificial Intelligence
6.10 Cybersecurity Program Operationalization Checklist
Appendix A: Useful Checklists and Information
Table A-1. Sample Cybersecurity Program Key Performance Measures (KPM)
Table A-2. Threat Fusion Platforms
Table A-3. Cybersecurity Maturity Models
Table A-4. Policy Management Software
Table A-5. Governance, Risk, and Compliance (GRC) Program Software Products
Table A-6. Vulnerability Scanning Solutions
Table A-7. Security Patch Management Solutions
Table A-8. Virtual Patching Solutions
Table A-9. IT Asset Management Products
Table A-10. Cloud Access Security Broker (CASB) Solutions
Table A-11. Threat Intelligence Services
Table A-12. Data Breach and Threats Reports
Table A-13. Managed Security Service Providers (MSSP)
Table A-14. Cybersecurity Automation and Orchestration Solutions
About the Author
More from Rothstein Publishing
Tari Schreider, SSCP, CISM, C|CISO, ITIL Foundation, is a distinguished technologist and nationally known expert in the fields of cybersecurity, risk management, and disaster recovery. Co-founder of Prescriptive Risk Solutions, LLC (PRS), he is former Chief Security Architect at Hewlett-Packard Enterprise. PRS designs custom solutions for companies with challenging legal and regulatory compliance issues that need to be solved quickly. PRS maintains one of the world’s largest databases of security and disaster recovery incidents with nearly 12,000 incidents covering 10.6 billion compromised records.
Mr. Schreider has designed and implemented complex cybersecurity programs including a red team penetration testing program for one of the largest oil and gas companies in the world, an NERC CIP compliance program for one of Canada’s largest electric utility companies, and an integrated security control management program for one of the US’ largest 911 systems. He has advised organizations from China to India on how to improve their cybersecurity programs through his Information Security Service Management – Reference Model (ISSM-RM).
Schreider implemented a virtual Security Operations Center network with vSOCs located in the US, Brazil, Italy, Japan, Sweden, and the US. He was also responsible for creating the first Information Sharing and Analysis Center in collaboration with the Information Technology Association of America (IT-ISCA). His earliest disaster recovery experiences included assisting companies affected by the 1992 Los Angeles Rodney King Riots, and 1993 World Trade Center bombing. His unique experience came during the 1990 Gulf War, helping a New York financial institution recover after becoming separated from its data center in Kuwait.
Schreider has appeared on ABC News, CNN, CNBC, NPR, and has had numerous articles printed in security and business magazines including Business Week, New York Times, SC Magazine, The Wall Street Journal, and many others.
He studied Criminal Justice at the College of Social & Behavioral Sciences at the University of Phoenix and holds the following certifications in security and disaster recovery:
- American College of Forensic Examiners, CHS-III
- Certified CISO (C|CISO)
- Certified Information Security Manager (CISM)
- ITIL™ v3 Foundation Certified
- System Security Certified Practitioner (SSCP)
- The Business Continuity Institute, MBCI
- University of Richmond – Master Certified Recovery Planner (MCRP)
Few companies today could survive without the Internet; you are either part of the digital economy or reliant upon those who are. I am hard-pressed to find a manager today who does not interact with some aspect of the Internet to perform all or some of their duties. Managers have to be cyber-savvy to compete in today’s job market. You must accept that you are or will be working for an organization that takes cybersecurity seriously. To ensure you do not become one of those managers you read about who lets the cyber aggressors in the backdoor, you must also take cybersecurity seriously.
Whether you are a new manager or current manager involved in your organization’s cybersecurity program, I am confident this book will answer many questions you have on what is involved in building a program. You will be able to get up to speed quickly on program development practices and have a roadmap to follow in building or improving your organization’s cybersecurity program. If you are new to cybersecurity in the short period of time it will take you to read this book, you can be the smartest person in the room grasping the complexities of your organization’s cybersecurity program. If you are a manager already involved in your organization’s cybersecurity program, you have much to gain from reading this book. This book will become your go to field manual guiding or affirming your program decisions.
After 30 years of experience in the trenches, designing and building cybersecurity programs throughout the world, I wrote this book to help the process go more smoothly for you.
In creating this roadmap for you, I was motivated by what I see as a systemic lack of experience of those tasked with designing and building cybersecurity programs. I have three fundamental reasons that lead me to this belief:
First, many managers have never had to build a cybersecurity program from the ground up, resulting in cybersecurity programs based on insular opinions guiding program development rather than sound architecture and design principles.
- Managers involved in cybersecurity can expect an average tenure in their role of approximately two years, which means they are serially inheriting cybersecurity programs throughout their career. This leaves little time to forge experience gained through building a program of their own design.
- In addition, few of these managers graduated from a cybersecurity degree program that teaches architecture and design.
Second, we do not have a generation of managers equipped to build cybersecurity programs.
- By many accounts, there are over one million cybersecurity jobs open in the US and according to the US Bureau of Labor Statistics; this industry will grow by 37% through 2022. Who will fill these roles? Only the recently graduated or certified are available to fill these open positions, neither of which have the experience necessary to build a cybersecurity program.
- Certifications and degrees may not be a true measure of the skills required to build today’s programs, as there is no substitute for experience.
Third, without experience, managers have difficulty separating fact from what I call “security theater.”
- A multibillion-dollar industry of thousands of cybersecurity vendors and consultants driven by their own self-interest can easily lead managers astray. Managers with little experience can easily fall under their spell succumbing to their cybersecurity technologies and program maturity models.
- I have seen many led down a perilous path of cybersecurity programs crammed with technologies that promise to protect their information and assets from hackers but offer little in the way of basic blocking and tackling.
This book is intended to give you the knowledge and guidance that will allow you to choose wisely and avoid the pitfalls I have described above.
My experience working with hundreds of companies will serve as your roadmap to step you through building your own cybersecurity program. In writing this book, I analyzed over 150 cybersecurity architectures, frameworks, models, etc. so you would not have to. I have called out those that I felt were great examples to assist you along your journey. This alone will save you hundreds of hours attempting to conduct the research necessary to identify all the components of a cybersecurity program.
My best wishes as you follow the roadmap to create an effective cybersecurity program for your organization!
Atlanta, Georgia – Cheyenne, Wyoming
Think about a time when you went on a journey, what did you do to prepare? At the very least, you looked at a map and some travel brochures. The map showed you how to get to your destination and the brochures pointed out interesting sites along the way. If you are reading this book, your boss has already told you your next destination – cybersecurity land. Your reason for your trip can be for either business or pleasure. If it is for business, then you are unfortunately inheriting someone else’s program and problems. If it is for pleasure, then you will be able to build your own program from the ground up. Regardless of the nature of your trip, both have one thing in common. They require a roadmap and a Sherpa to make the journey as smooth as possible. Even of you find yourself a passenger (HR manager, attorney, etc.) on the journey, you can still add value to the trip by using this book to ask the right questions.
Each chapter represents a stop on your journey to creating a cybersecurity program. Appendices at the end of the book provide important references to help you along the way. Your journey will look something like the winding road below. Your first stop will have you designing your cybersecurity program, after which you will proceed to establishing principles and policies for how your program should be managed. The midpoint of your journey involves identifying the highway robbers or hackers and other threats you want your program to protect against. Stop four shows you how to assess and manage risk. Nearing the end of your journey, your fifth stop will have you define defense measures required to protect your organization’s assets and information. The last stop shows you how to operate your program and ensure you have the right staff doing the rights things.
Chapter 1: Designing a Cybersecurity Program – Whenever you begin journey, it is best to have your destination insight. A blueprint does just that, it lets all involved in the program’s construction know what it should look like once completed. To begin your cybersecurity program you will need a blueprint that outlines the program’s general structure as well as its supporting components. In this chapter, I offer an ideal state example of a cybersecurity program blueprint as well as introduce you to industry leading cybersecurity frameworks.
Chapter 2: Establishing a Foundation of Governance – The way your company is controlled by the people who run it, is called governance. The way your cybersecurity program is controlled is also governance. Governance is all about making the right decisions for the benefit of the organization. For a cybersecurity program to stand the test of time, it must benefit from proper governance. Governance ensures the program adheres to its design principles. In this chapter, I explain what constitutes a governance program as well as the proper governance of a cybersecurity program. An overview of the top information governance frameworks and models will provide you with an understanding of resources available to mature your cybersecurity program’s governance foundation. You will also learn how to automate your governance foundation.
Chapter 3: Building a Threat, Vulnerability Detection and Intelligence Capability – Your next step is to determine what is most important to your organization. This includes classifying your organization’s information and assets by importance and identifying the types of threats and vulnerabilities to which they are exposed. Next, this chapter shows you how to identify the different points of entry an attacker can use to access your important assets. All these points of entry make up your attack surface, as this is what you will be protecting with your program. I will show you how to create a threat intelligence function that leverages your threat inventory and vulnerability detection systems to reduce the exposure to your attack . You will also learn how to acquire threat intelligence and how to make it actionable.
Chapter 4: Building a Cyber Risk Management Capability – Now that you know the threats and vulnerabilities your organization to which is exposed, a risk profile can be determined. Your risk profile is your organization’s willingness to take risks in comparison to the threats faced. In this chapter, I show you how to leverage industry-leading risk assessment frameworks and calculators to derive your organization’s risk score. I will show you how to organize and manage your risks with a risk register. A register is an inventory of your organization’s risk by order of criticality. Each risk is assigned an owner and plan to mitigate or manage the risk. Importantly, the topic of risk extends past your organization to third parties, allowing you to close an often-exploited loophole that could allow unauthorized access to your organization’s critical information.
Chapter 5: Implementing a Defense in Depth Strategy – Up to this point in the journey your focus has been building the foundation and structure of the cybersecurity program. Now that’s done, we have to populate our program with services and in order to readily find and manage those services we need to put them in a central place, a catalog. The countermeasures service catalog is a repository with a parking space for every one of your program services. Each parking space will include the documents, controls, artifacts and product descriptions that describe the purpose and benefit of each service. The catalog is where you will go to make service enhancements, add new services or retire old services.
Finally, the last chapter is a side-trip on your journey.
Chapter 6: Applying Service Management to Cybersecurity Programs – Many reported security breaches occurred when organizations did not implement their cybersecurity countermeasures properly. These breaches take place because many managers stop just short of their destination. They fail to implement their program’s countermeasures properly to ensure they operate efficiently and effectively. In this chapter, I show you how to deliver and support your cybersecurity countermeasures, managing them in a continuous improvement lifecycle. I will give real-world examples of best practices for service management.
Cybersecurity programs are complex requiring a methodical approach to their design and construction. When setting out on a journey to build a cybersecurity program start at the beginning, resist hopscotching stops, stay true to the journey. This book is a process, emphasizing the benefits of basic preparatory steps that are often overlooked. Your journey begins with creating a blueprint of what you are going to build will end with ensuring your program operates efficiently and effectively.
First off, let me start by saying that I’ve worked with Tari Schreider for over 10 years. During this time, we have developed a friendship based on a shared passion for Information Security. Tari has been a key part of helping me build Information Security programs, and I have been able to take that body of knowledge with me wherever I go as I help other companies build their security programs.
After I took on security leadership for an organization early in my career, Tari and I worked together to develop the Information Security program using the ISO 27001 framework. With Tari’s help, I was able to perform a gap analysis of our existing program, align our current policies, standards, and controls, and build a multi-year roadmap for addressing the greatest threats and highest risks to the organization and closing program gaps. Using the ISO 27001 framework and the concepts that Tari outlines in this book, I could demonstrate to senior management, the Board, and our regulators that our program was organized and comprehensive.
Since that time, I have used that experience to build security programs for several companies where I led security teams. Much has evolved with organizations since we first worked together. Companies have become more risk aware, have integrated security into software development, and have started to use artificial intelligence to assist in analyzing user behavior.
Tari’s book is like a compendium of his knowledge that he’s imparted on me and many others in the industry over the years. It’s based on established frameworks and models and, more importantly, practical experience. While I wish I had this book when I first started, I was fortunate to able to work directly with Tari. However, I know that for those who won’t be so lucky, I plan to make this one of the books I gift to my staff and security friends. This book truly is a go-to field guide for designing, building, and maintaining an Information Security program. It’s perfect both for someone new to the field and the seasoned professional alike. I know it’s a book that I’ll be referencing often, and I think that you will, too.
Chief Information Security Officer, FVP
Federal Home Loan Bank of Indianapolis (FHLBI)
3.4.3 Shareholder Derivative Lawsuits
Nothing strikes fear in a CEO or a board of directors faster than the phrase “shareholder derivative lawsuit.” A derivative lawsuit is a lawsuit brought by a shareholder of a corporation on its behalf to enforce or defend a legal right or claim that the corporation has failed to do. When a shareholder feels that management has not done enough to rectify a situation, the shareholder can sue the company to force itself to sue itself. The directors, management, and in some cases other shareholders of the corporation can be named for failing a duty of care. This type of lawsuit is brought when it is deemed the officers and board of directors have ignored an issue, which in the context of our topic is a serious breach of security.
A growing number of derivative lawsuits targeting officers and directors have been filed alleging claims of breach of fiduciary duty by not ensuring their company’s cybersecurity program was adequate or challenging their conduct following a breach. Some of the more publicly visible derivative lawsuits involved Target Corporation, TJX Companies, and Wyndham Worldwide Corporation (Wyndham). One of your roles following a data breach should be ensuring the board acts responsibly by providing them with accurate, timely information about what happened. This may be difficult as they may see you as the contributing factor to the breach. You will also need to watch for the passage of the H.R.5069, the Cybersecurity Systems and Risks Reporting Act, as boards of directors may be hiring their own cybersecurity expert to advise them during times of cyberattacks and resulting lawsuits leaving you out in the cyber cold.
The actions of a board leading up to and after a cyberattack will be evaluated to determine their duty of care and whether they acted in the best interests of their company and shareholders. Take, for example, the 2014 lawsuit of Palkon v. Holmes, the first case of a decision in a derivative lawsuit resulting from a data breach. Wyndham suffered three data breaches over a three-year period beginning in 2008 resulting in 600,000 compromised customer records. In this case, Dennis Palkon, a shareholder of Wyndham, sent two demand letters to the board requesting they investigate the breach and sue the employees involved. A demand letter is a letter stating a legal claim which makes a demand for restitution or performance of some obligation. The board considered both letters and responded that it would not be in the company’s best interest to do so. Now that Palkon has met the threshold of bringing a derivative lawsuit (issue of demand letters), he filed suit in the US District Court of New Jersey to force the directors to sue their company. The suit named board member Stephen Holmes and nine other Wyndham directors for breach of fiduciary duty, unjust enrichment, and a waste of corporate assets. Unjust enrichment is a claim where defendants believe that directors and officers received bonuses, or the value of their stock increased, through the act of expense reductions by not investing in cybersecurity safeguards.
The case was dismissed without merit; however, valuable lessons can be gleaned from how the board acted during the breaches. These actions proved to the court that they (board) had acted in a fiduciary manner. Their efforts included discussing the cyberattacks and the company’s security capabilities during 14 quarterly meetings during the period of the breaches. The board appointed an audit committee to investigate the breaches. The committee met 16 times and regularly reported back to the board. And finally, the company hired a computer forensics company and technology company to implement cybersecurity program enhancements. The board was also actively involved in the previously filed FTC lawsuit against Wyndham for failures in their cybersecurity program. The actions the board took were anything but gross negligence claimed by Palkon. This case underscores the critical importance of a board involving themselves in a company’s cybersecurity program. The board did have a bit of luck in their case – the derivative lawsuit was filed after the board had acquired three years of a security breach and cyberattack experience. Most such suits are filed immediately not giving a board much time to prepare.
TIP: As someone involved directly with your company’s cybersecurity program, you may be personally sued in a derivative lawsuit, meaning the company could be forced to sue you for the failure of duty or negligence in a data breach. Ultimately, a personal lawsuit could end up costing you tens of thousands of dollars in attorney’s fees. You should discuss with your management how your breach-related legal expenses would be handled in such a scenario.