In Chapter 8, we discuss our views on tools and techniques that the CISO can use to validate an organization’s security controls. Each of us provides guidance on how we have used specific tools and techniques and will examine the importance of understanding a tool’s role in mitigating risk and providing actionable information. All of the authors emphasize the importance of collaborating with stakeholders to select the best approach for deploying new critical processes and using tools to measure their maturity.
Through the aggregate of their different approaches, the authors provide the new CISO with a unique opportunity to understand the importance of tools and critical strategies to an organization and their detrimental impact to business operations if not implemented correctly.
Bill approaches this discussion of tools and techniques for CISOs by focusing on the connection between the people on our team, the tools they use, and the continual improvement that is necessary to keep up with the evolving threat landscape. To Bill, knowing which business processes are most critical allows us to invest our limited resources in the best outcome.
Matt starts his discussion with the statement that common sense is one of the best tools a CISO can use to protect their organization. He states that with common sense and some context on the processes that devices are used to serve, the CISO can often provide better service to the company than by purchasing new technology. Matt makes the case that through the use of tools such as a Business Impact Assessment (BIA), the CISO can collaborate with his/her fellow stakeholders to understand the organization’s risks, resulting in a selection of techniques and tools more finely tuned for its strategic business operations.
Gary begins his discussion with a list of best practices he has compiled over the years that an organization and a mature cybersecurity program should use to reduce risk exposure. Gary then provides a list of recommended techniques a CISO and the security program should apply to sustain a more business-centric “cybersecurity as a service” approach. He concludes his discussion by listing and describing the various domains of standard tools that are available to organizations and their security programs to protect enterprise assets.
Some of the questions the authors used to frame their thoughts for this chapter include:
♦ What best practices would I recommend that new CISOs implement to reduce risk and provide value to their business?
♦ What actions or techniques can the security program proactively take to better protect organizational assets and preempt threats?
♦ What are some core tools/solutions that I would recommend to a new CISO to support cybersecurity operations?
Tools and Techniques – Bonney
In this chapter, we’re going to cover tools and techniques with an equal emphasis on both process and technology. The temptation among those of us in the technical fields is to think tools first. While tools are often helpful in solving various process problems, an over-reliance on tools is often expensive and usually decreases the effectiveness of any given program. The outcome of working through this chapter should be a roadmap that will allow you to right level your processes for your current requirements and build a technology roadmap for your future needs.
Build the Process Inventory
We’re going to start with a critical data-gathering step. Whether inheriting a mature program or building a new program, the crucial first steps are to document your process inventory and take stock of the tools your organization uses to assist with each process. It’s fundamental that you focus first on your process inventory, understanding how these processes map to your organization’s business objectives. Make sure you completely understand what you are protecting, and from what threats. Know how you are reporting the effectiveness of these processes to management and communicating expectations to your entire organization. It’s important to keep these points in mind as you inventory your tools and map that inventory to your process inventory.
To make sure you get a complete list, use the same information security framework you use for measuring and reporting. In Chapter 5 on measuring and reporting, I listed several options for security frameworks and standards that you can use to determine where you need to have processes and controls in place. PCI-DSS with its 12 high-level requirements and 300+ detailed requirements is a necessary standard for any portions of your network that handle payment card data. Likewise, NIST 800-53 with its 18 security control families and detailed implementation guides provides a wonderful blueprint for a robust collection of processes. Finally, the CISSP 8 Practice Domains and CIS Critical 20 Security Controls provide an inventory of critical must-have processes with which to build a robust program. Any of these will help you create a baseline of processes upon which you can build your inventory and perform your assessment.