This is part two of our three-part post on aligning your SOC with the business's new goals, strategy, and resiliency plans.
As you map out the plan, remember that business context is vital.
Understanding business goals across the entire organization, and the security risks attached to each objective, gives you level ground on which to build the rest of the security program. That understanding lets you assess technology initiatives against business objectives and manage risk on a prioritized basis. To gain a full picture of the business context, security leaders should educate themselves on the following factors and how each shapes risk-based cybersecurity:
Critical assets: Fully acquaint yourself with the digital roadmap and the business and technology mandates coming from the C-suite, so you know which systems and data those mandates depend on.
Risk appetite: Collaborate with and listen to line-of-business leaders, executives, and the board to get a true picture of the appetite for risk around key initiatives, lines of business, products, and company infrastructure.
Security culture: Work to understand the current state of your organization’s security culture to be realistic about how fast you can change or mature the program.
Geography: Know where customers, employees, and branch offices exist. Make sure you’ve got a complete picture.
To dive deeper, look at your technology initiatives and see how each one supports a business objective. Once you understand that link, it becomes much easier to design security controls that align with business goals.
How business context shapes cybersecurity strategy
Start with business objectives and map them to the technology needed to support them. Then assess that technology for inherent risks, design flaws, software vulnerabilities, and other threats. Next, estimate the potential business losses from the identified risks, and use those estimates to determine the security controls and mitigations needed to support the business objectives.
Don't reinvent the wheel. There are many excellent resources to guide a formal assessment of your cyber-risk posture. Consider using a cybersecurity framework such as the NIST Cybersecurity Framework (CSF) to get a full picture of where the organization stands today from a risk perspective, and use that baseline to set priorities and strategies that fill the biggest gaps first.
NIST CSF also serves as an excellent mechanism for measuring future risk reduction, since you can compare each later assessment against that initial baseline. As you progress your program, understand that it is improbable you will reach the top tier in every category; prioritized, strategic growth over time should be the aim.
Stay tuned next week for the last of our three-part post from our CEO, Clayton Dukes. In the meantime, you can take a quick look at how global enterprises are using LogZilla's NEO centralized log management platform to improve the efficiency of their network operations and security operations teams right away, saving time and money.