In the world of enterprise information security, the specific areas of knowledge and expertise that set you apart in your current situation might not be as directly and immediately applicable to a different IT environment or different professional circumstances. You might find yourself in a new position with the same expectations for professional excellence, but with a less intimate sense of what needs to be done and how to do it on day one.
Wouldn't it be great if there was some sort of universal infosec cheatsheet for high-value, quick turnaround projects that can be actioned and appreciated in almost any environment?
For Enterprise Information Security, Context is King
Good leaders understand that success is forged in the fine details of how projects are conceived, organized, and executed. At the same time, it’s always important to balance your focus between strategic and tactical considerations.
In any case, you might not always have the luxury of time and your Board's or CEO’s patience as you endeavor to formulate a cyber agenda and make your presence positively felt. Thankfully, there are certain cyber policies that remain far from standard despite being nearly universal best practices for enterprise security.
That being the case, arming yourself with a ready-to-go agenda based on universal information security best practices is probably the better way to make a positive first impression. The ingredients needed to maintain and grow a successful enterprise information security program will likely be a combination of several main factors:
- What you bring with you, including previous experience and your active interest in latest information security technologies and threats.
- Your ability to understand the finer details of how the organization’s information security projects are conceived, organized, and executed.
- Your view of the bigger picture and ability to see how all the pieces need to come together to drive forward progress.
- The quality of the tools and team made available to and recruited by you.
5 Situation-Agnostic Best Practices for Information Security
It’s important that you not wander too far into the weeds as you work to make a positive impact. Even with standard security controls and practices in place, most mature IT programs will still find considerable room for improvement in a few key areas.
As such, here are the things a CISO should look to implement his/her first day on the job, even as he/she works to get better acquainted with the particulars of the IT deployment:
- Communicating with the Board in terms they can appreciate
- Cataloging and classifying network devices
- Patrolling the network for possible issues
- Employing micro-segmentation
- Paying attention to the basics
Let's dig into those best practices — what exactly they mean and how best to pursue them.
Communicate with the Board in terms they can appreciate to win their cyber buy-in and support
A Board of Directors typically works very differently than an Information Security department and that difference carries through to the way its members think. Even more pointedly, that difference is expressed in the way people speak within the board room. Speak to an Italian in French and, more often than not, you won’t get very far.
The same principle applies here. For best results, CISOs need to learn to speak the language of the Board, the language of business.
Your ability to openly communicate with the Board could also have a direct effect on their support for your future plans and their willingness to go along with expensive changes.
If you can put your objectives in terms that they can appreciate and frame your requests in sound business logic that they can’t deny, you’ll put yourself in a position to succeed. That not only means emphasizing how good cyber monitoring and controls inject improved visibility and accountability across the entire operation, but also doing a little bit of internal marketing.
To wit, you should make a point of emphasizing your department's key accomplishments to the senior leadership. In the healthcare industry, for example, the fact that 82% of healthcare companies admit to being attacked in the last 12 months gives you a strong case to promote your achievements not only in the terms of what was done, but also in terms of what was prevented.
You'll want to make sure that the Board appreciates the fact that your cyber insurance premiums have stayed low, that you’ve avoided regulatory penalties, and that you haven’t allowed cyber insecurity to impact care. Building awareness around these value-adds, even if they exist largely in the form of avoided losses rather than outright gains, is an important part of bolstering your perceived value and winning broader support.
Catalog, classify, and group all connected devices to map and manage the attack surface
Rolling out a mechanism to scalably and accurately catalogue and classify all networked devices is another nearly universal enterprise information security best practice. If you can’t manage what you don’t measure, you certainly can’t expect to secure what you don’t even see.
It’s important that you know:
- What devices make up your technology deployment
- What VLANs or network segments they exist within
- What restrictions/governance that confers
- How they interact with other devices and systems in the course of intended use
- What software and firmware they’re running
- What known vulnerabilities they’re exposed to
- What communication protocols they make use of
- How they’re connected to the network
- What regulatory requirements they’re subject to.
Having that information for the whole of your connected asset inventory is the key to mapping and managing your network, including its security. The problem is that collecting all that information and ensuring it’s up-to-date is an enormous task at enterprise scale.
Moreover, standard network security tools aren’t typically able to identify devices ported into the network via gateways or other intermediaries — leaving a considerable blind and soft spot in your cyber defenses.
It’s for this reason that the right tooling is so essential to success. A smart solution that automatically and continuously monitors network communications in a deep and context-aware fashion to catalogue and classify all endpoints, including those behind intermediaries, is a must.
Patrol the network for possible issues through continuous and context-aware deviation-from-baseline analysis
With an improved understanding of the network and its idiosyncrasies in tow, the next logical step is to look at what’s going on within the network. Having already classified and grouped your networked devices, you can begin monitoring the communications between devices to establish group-specific baselines for normal/healthy behavior and to set thresholds for significant deviations from those baselines.
Of course, in many industries, information will be sensitive or even protected by regulation, so there’s a limit to how intrusive this patrolling should be. For the sake of efficiency too, it’s important, wherever possible, to avoid fully unpacking and examining every aspect of a transferred packet.
Instead, relying on a good understanding of your industry and the particulars of your technologies, it is normally sufficient to look at the directionality of data flows, metadata, and how communications are packaged. The key here is an understanding of how normal usage patterns may look different for each device group based on intended use and the specific communication protocols employed.
If you’re in a new role, let alone a new industry, this will all be much easier said than done. You won’t likely possess the type of expertise needed to effectively oversee such a patrol regime. In such a case, this best practice can still be enacted, but you’ll need to rely on industry-specific and purpose-specific tooling.
In fact, even if you do have the requisite expertise, a dedicated solution probably still makes sense as it enhances processes, offers a sanity check to your conclusions, and removes a lot of the human error that comes with manual processes.
When considering such solutions, you’ll want to ensure broad protocol fluency (especially as it might relate to proprietary protocols in your particular industry), context-aware and AI-assisted DPI, and Layer 7 profiling.
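The group-specific baseline described above, as an added example that is not part of the original article: it learns, per device group, which (destination, protocol, direction) flows are normal and how large they usually are, then flags a new flow that uses an unseen pair or exceeds a volume threshold. The device groups, flow records and the three-sigma threshold are constructed assumptions, and the baseline looks only at flow metadata, never at payload.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (src_group, dst_group, protocol, direction, bytes).
# "direction" is "out" for flows initiated by src_group (assumption for this example).
BASELINE_FLOWS = [
    ("infusion_pump", "ehr_server", "HL7", "out", 1200),
    ("infusion_pump", "ehr_server", "HL7", "out", 1350),
    ("infusion_pump", "ehr_server", "HL7", "out", 1100),
    ("infusion_pump", "ntp_server", "NTP", "out", 90),
    ("infusion_pump", "ntp_server", "NTP", "out", 92),
    ("workstation", "ehr_server", "HTTPS", "out", 50000),
    ("workstation", "ehr_server", "HTTPS", "out", 62000),
    ("workstation", "file_server", "SMB", "out", 80000),
]

def build_baseline(flows):
    """Per source group: every (dst, protocol, direction) pair seen, with
    (mean bytes, population stdev, sample count) for that pair."""
    seen = defaultdict(lambda: defaultdict(list))
    for src, dst, proto, direction, nbytes in flows:
        seen[src][(dst, proto, direction)].append(nbytes)
    stats = {}
    for src, pairs in seen.items():
        stats[src] = {key: (mean(sizes), pstdev(sizes), len(sizes))
                      for key, sizes in pairs.items()}
    return stats

def check_flow(baseline, flow, sigma=3.0, min_samples=2):
    """Return the reasons a flow deviates from its group baseline ([] means normal)."""
    src, dst, proto, direction, nbytes = flow
    if src not in baseline:
        return ["unknown source group %s" % src]
    key = (dst, proto, direction)
    if key not in baseline[src]:
        # The group has never talked to this destination with this protocol.
        return ["new %s %s flow %s -> %s" % (direction, proto, src, dst)]
    avg, sd, n = baseline[src][key]
    # With too few samples a tight stdev is meaningless; fall back to 3x the mean.
    limit = avg + sigma * sd if n >= min_samples and sd > 0 else avg * 3
    if nbytes > limit:
        return ["volume %d exceeds baseline limit %.0f for %s" % (nbytes, limit, key)]
    return []
```

A pair seen only once gets a deliberately loose volume limit, so the first days of a baseline produce "new flow" findings rather than volume noise.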
Employ micro-segmentation with segment-tailored policy enforcement
Based on the classifications and grouping you’ve already established, you’ll want to review your VLAN architecture. To take your security to the next level, you’ll want to look not only at device groupings but also at the services or applications running on devices. Each device and service group should have its own security policies, reflecting its unique operational needs and risks.
In this sense, the difference between a micro-segmented approach to network security and a more traditional approach is that micro-segmentation takes for granted that threats will somehow make their way past your perimeter and into the interior of your network. A micro-segmentation approach to security essentially redraws new perimeters concentrically within the network around strategic network segments. These “individual” perimeters limit access to each service inside each and every asset — hence reducing the attack surface.
When micro-segmentation is properly implemented, the spread of wormable attacks like WannaCry can be slowed and, when the patrol regime described above flags traffic patterns incongruous with normal device use, the infection can be expunged from the network.
This type of approach is widely acknowledged to constitute the most ironclad network security paradigm; at the same time, it requires relationship mapping across network devices and services that is not easily accomplished or maintained at enterprise scale.
This is another instance where availing yourself of the right tool or technology will make all the difference. Smart network security tools can be used to plan policies based on logic rather than manual configuration. This central, rule-based micro-segmentation apparatus is vital to smartly enforcing network security at scale: it rolls out restrictive policies tailored for each micro-segment based on an understanding of the operational applications and legitimate workflows for the constituent endpoints.
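Segment-tailored policy derived from recorded workflows, as an added example that is not the article's or any vendor's code: each (destination group, service) pair is exposed only to the source groups whose workflows need it, everything else is denied, and a dry run over a traffic window shows what enforcement would block before it is switched on. The group names, workflows and observed flows are constructed assumptions.

```python
from collections import Counter

# Constructed legitimate workflows per micro-segment, as the grouping exercise
# above would record them: (source group, destination group, exposed service).
LEGIT_WORKFLOWS = [
    ("workstation", "ehr_server", "https"),
    ("workstation", "print_server", "ipp"),
    ("infusion_pump", "ehr_server", "hl7"),
    ("infusion_pump", "ntp_server", "ntp"),
    ("backup_server", "file_server", "smb"),
]

# Constructed traffic window; the workstation-to-workstation SMB flows match
# no recorded workflow and are exactly what segment perimeters should stop.
OBSERVED = [
    ("workstation", "ehr_server", "https"),
    ("workstation", "ehr_server", "https"),
    ("infusion_pump", "ehr_server", "hl7"),
    ("workstation", "workstation", "smb"),
    ("workstation", "workstation", "smb"),
    ("workstation", "file_server", "smb"),
    ("backup_server", "file_server", "smb"),
]

def build_policy(workflows):
    """Per exposed (dst group, service): the source groups allowed to reach it.
    Unlisted pairs are denied, so a segment exposes only what its workflows need."""
    policy = {}
    for src, dst, svc in workflows:
        policy.setdefault((dst, svc), set()).add(src)
    return policy

def decide(policy, flow):
    """'allow' if the flow matches a recorded workflow, otherwise 'deny'."""
    src, dst, svc = flow
    return "allow" if src in policy.get((dst, svc), set()) else "deny"

def dry_run(policy, flows):
    """Simulate enforcement over a traffic window. Returns (allowed count,
    Counter of would-be-denied flows) so each denied tuple can be reviewed as
    either a missing workflow or unwanted lateral traffic before going live."""
    allowed, denied = 0, Counter()
    for flow in flows:
        if decide(policy, flow) == "allow":
            allowed += 1
        else:
            denied[flow] += 1
    return allowed, denied

def render_rules(policy):
    """Vendor-neutral rule list: explicit allows per segment, then a catch-all deny."""
    rules = ["allow %s -> %s/%s" % (src, dst, svc)
             for (dst, svc), sources in sorted(policy.items()) for src in sorted(sources)]
    rules.append("deny any -> any")
    return rules
```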
Pay attention to the basics so you can shrink the attack surface and heighten cyber awareness
The simple things are often the easiest to overlook and the hardest to get right. At the same time, when you’re still working to get your arms around a new environment and the complexities of an unfamiliar technology arrangement, getting the simple things right is usually the proposition with the lowest risk and highest reward. That’s certainly the case when it comes to information security.
Cybersecurity is the product of a lot of interconnected actions, policies, and controls. It is a chain, and it’s only as strong as its weakest link. That is why you can’t forget the basics of good cybersecurity, including:
- Staff-wide cybersecurity education/training
- Proper credential management (strong, unique passwords, DFA, etc.)
- Widespread use of data encryption
- Deploying and updating high-end firewalls and antivirus software
- Monitoring for relevant vulnerability disclosures
- Conducting regular recall and lifecycle management
- Updating and patching software wherever appropriate
- Implementing role-based access controls
- Planning and rehearsing incident response procedures
- Communicating and enforcing security standards for third-party partners
A Universal Approach to Information Security
Is your highly specialized professional experience, knowledge, and expertise enough to get the ball rolling quickly and meaningfully when your role changes or evolves? Will your go-to box of information security tools and tricks work in a different environment?
The answer to both those questions may well be no. And yet there’s a lot of ground that can be covered even before you achieve an intimate understanding of your unique technology deployment.
Following the above-outlined best practices will not only help show positive impact early, but should accelerate your acclimation to and mastery of your new environment. Better still, showing that impact should afford you the breathing room, trust, and operational latitude needed to take a longer, deeper dive into the specifics of your new environment and really maximize your value to the organization.
These 5 nearly universal enterprise security best practices provide a basic framework for a strong cybersecurity program — regardless of the industry, organization, and technology deployment. With these core imperatives guiding your way — and with the help of the right tools — you should be able to put principle into practice while winning executive buy-in and hardening your security. All without ever needing to compromise strategy for tactics, or vice versa.