Best Practices for Delivering a Business-Driven Security Posture

The main focus for cybersecurity teams — moving beyond compliance — is to deliver the level of security required to manage both the likelihood of a breach and its potential impact to the business. This is more effective than focusing only on the cost of delivering security services.

To transform your cybersecurity program, you need to define your attack surface and the controls required to protect it, establish the level of security required to manage the potential business impact of a breach, and align with the goals and objectives of the enterprise. In short, you need to define, establish and manage your organization’s security posture. 

Define Your Security Posture

This requires a disciplined approach when defining your organization's initial security posture, which includes a defined attack surface and the controls necessary to protect it. If you start with every asset that would have a negative impact on the business if breached, your scope will be too broad, and you won't know where to start. Instead, the initial scope should focus on a manageable set of assets that have the highest business relevance, expanding that scope over time.

There are three components that define an organization's security posture:

  • The attack surface — The assets whose breach would likely compromise data or disrupt business operations. Defining it involves identifying the sensitivity of the data and the criticality of the business operations each asset supports.
  • The controls deployed to protect the attack surface — These controls limit the likelihood of a breach and/or its potential business impact (this includes controls outsourced to third and fourth parties). Defining the requirements for each control includes: how the efficacy of the control is measured, the targeted level of control efficacy, and the part of the attack surface the control covers.
  • Attack vectors that are not covered by deployed controls — Identify the attack vectors that expose the assets where there are no (or only limited) controls to reduce the likelihood and/or impact of an attack.

Establish Your Security Posture

Consider the potential financial impact if your data is compromised or business operations are disrupted, and assess how your current application of controls (your level of security) reduces the likelihood and/or the impact of that breach. This starts with an assessment of how effective your security controls are at reducing both the likelihood and the impact of a breach.

Establishing your security posture includes:

  • Determining the potential impact of the data compromised or business operations disrupted if the scoped attack surface is breached.
  • Identifying the controls currently deployed, their measure of effectiveness (KPI) in reducing the likelihood and impact of a breach, and the targeted control efficacy required to provide the level of security the business needs — in other words, a service level objective (SLO) for control efficacy.

Manage Your Security Posture

Once your security posture has been defined and established, you are in a position to manage it in accordance with the strategy, objectives and expected outcomes of the business.

The three main components to managing your security posture are:

  • How closely the established security posture meets the goals and objectives of the business.
  • Identification of opportunities to improve control efficacy and coverage for the parts of the attack surface where the level of business exposure (and the level of investment) is not aligned with business outcomes and objectives.
  • A plan for business partners and control owners to act on the security posture, so that the level of security the business requires is achieved.
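The three components above (attack surface, controls with a measured KPI and a target SLO, and uncovered attack vectors) can be modelled and checked programmatically. The following is an added example, not code from the original post or from Splunk; the assets, vectors, dollar figures and efficacy numbers are constructed, and scoring an asset's residual exposure by its weakest exposed vector is an assumption of this example.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    impact: float        # potential business impact if breached (constructed figure)
    vectors: frozenset   # attack vectors that expose the asset

@dataclass
class Control:
    name: str
    assets: frozenset    # part of the attack surface the control covers
    vectors: frozenset   # attack vectors it reduces
    kpi: float           # measured efficacy, fraction of attempts stopped (0..1)
    slo: float           # targeted efficacy the business requires

def residual_factor(asset, vector, controls):
    """Fraction of attack likelihood left after every covering control is applied."""
    factor = 1.0
    for c in controls:
        if asset.name in c.assets and vector in c.vectors:
            factor *= 1.0 - c.kpi
    return factor

def assess_posture(assets, controls):
    """Per asset: residual exposure (impact weighted by the weakest vector, an
    assumption here) and vectors with no control; plus controls whose KPI misses their SLO."""
    report = {}
    for a in assets:
        factors = {v: residual_factor(a, v, controls) for v in a.vectors}
        report[a.name] = {
            "exposure": a.impact * max(factors.values()),
            "uncovered": sorted(v for v, f in factors.items() if f == 1.0),
        }
    below_slo = sorted(c.name for c in controls if c.kpi < c.slo)
    return report, below_slo

# Constructed sample scope: two high-relevance assets, three controls.
ASSETS = [
    Asset("billing-db", 5_000_000, frozenset({"sqli", "stolen-creds", "insider"})),
    Asset("web-portal", 1_000_000, frozenset({"sqli", "stolen-creds"})),
]
CONTROLS = [
    Control("waf", frozenset({"web-portal", "billing-db"}), frozenset({"sqli"}), 0.90, 0.95),
    Control("mfa", frozenset({"web-portal"}), frozenset({"stolen-creds"}), 0.98, 0.95),
    Control("db-monitoring", frozenset({"billing-db"}), frozenset({"stolen-creds"}), 0.60, 0.80),
]
if __name__ == "__main__":
    print(assess_posture(ASSETS, CONTROLS))
```

In the sample scope the billing database keeps its full exposure because the "insider" vector has no control at all, which is exactly the kind of gap the third component is meant to surface.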

In the next blog, we'll take a deeper look at the art of defining your security posture.

Posted by Brian Spanswick

Brian has been the Sr Director of Risk and Information Protection at Splunk since 2018. Prior to that, Brian was the Director of Strategic Initiatives and Service Management, Splunk Global Security, from 2017 to 2018. From 2015 to 2017 Brian was the Director of the IT PMO at Splunk, Sr Director of IT at McKesson from 2006 to 2015, and Principal Consultant leading ERP implementations from 2001 to 2006. Brian holds a BA from the University of Colorado.