A 4-Step Process to Achieve True Cybersecurity Success
Varciti IT Solutions
CompTIA 4 phases to cyber security
June 02, 2022 | By Wayne Selk
Where are you in your security journey? As a cybersecurity practitioner for the past quarter century, this is a question asked of many in the managed services provider community. The answer to the question varies. Some believe they have reached cybersecurity nirvana—that they are experts taking a leadership role; others don’t know how to get started. Some have started and are stalled. Wherever you are in your own cyber journey—or wherever you think you are—you might need help getting to the next step. If that’s the case, view and download the infographic below to help you continue on your way.
The four phases outlined in the infographic were adopted from a ConnectWise whitepaper and video. The goal was to help managed services providers better understand the NIST Cybersecurity Framework and how they could mature their organizations in cybersecurity. The NIST framework is a risk-based framework, not maturity-based. This distinction is very important since most MSPs understand maturity yet lack the understanding around risk.
1. Learn to Walk Before You Can Run
As you review the infographic the maturity model becomes very evident. Phase 1 is about getting started on your security journey. This is the most important phase and one many MSPs overlook. By skipping items in this phase, or the entire phase, MSPs could find themselves very unprepared for the subsequent phases and exposed to a cybersecurity incident.
It is important for all organizations, regardless of size, to have policies documented that are aligned to both business objectives and to the risk tolerance of the organization. Most MSPs feel they are too small for documented policies. Yet they also say they want to grow their business. Having policies documented when the organization is small allows leadership to focus attention on growing the business.
Another important item in this phase is understanding where sensitive and business-critical data are stored, processed and transmitted—both in and out of the company. This requires a complete inventory of all systems and devices, the software and applications, and who has the ability to access the data on each of those components. Once the inventory is complete, assign a risk severity to each of the data items identified. Your critical and high-risk items are the elements in need of the most protection and security controls.
Hopefully, you are not surprised to find sensitive or business critical information not under your direct control. If this is the case, focus your attention on resolving this issue quickly. The last thing you want is a severe negative incident that puts you in danger of losing your business. As you move into Phase 2, please keep an eye on the items from Phase 1. As you grow or as change happens within the organization, you may need to review your policies to ensure they are keeping pace with your business objectives. The same is true for your inventory.
2. Investments, Training Will Pay Off
Phase 2 is all about investing in your people, making your processes better, and solving for gaps with technology when appropriate. This is the opportunity to strengthen the security in your organization and really start developing your cybersecurity practice and culture. With your security skills and solutions inventory complete and keeping it up to date, you have set the business up for success. Instead of wasting precious dollars and time wondering if you have everything protected, you have created the ability to quickly find and assess whether or not the controls you have are able to best protect your business
If you find the controls are not adequate or a gap exists that has the potential for exposing your business data, then determine if a change in personnel or a process may solve or reduce the impact before investing in a technology solution. According to the latest Verizon Data Breach Investigations Report, the human element accounted for 82 percent of data breaches in 2021. Also, 42 percent of data breaches were accomplished using stolen credentials, according to the report.
Technology is not going to solve for the human element and training alone is not enough either. Organizations need to take a very hard look at the security culture within the business. This is one of those top-down items and “do as I say, since I am doing it too” necessities all businesses need to work on regardless of size. Creating a security culture takes time and patience. The reward for doing so will pay dividends every day.
To that end, documented policies can have a direct impact on creating a security-first culture in the organization. Find new ways to increase awareness and understanding for the entire company. Perhaps engage your people to read about a topic or gap in the organization and write a paper or give a brief presentation during a staff meeting. Discuss the topic or gap and uncover ways to solve or mitigate any risk which may exist. Encourage your people to embrace security rather than have them find ways to avoid the controls in place. Reward positive behavior and encourage those who slip to try harder.
3. It’s Time to Start the Conversation
Reaching Phase 3, you are ready to start taking your security show on the road to customers and prospects. Armed with knowledge on how policies help a business and putting your best foot forward around security culture, you’re now prepared to help customers start on their security journey. You may find having conversations around security are easier and less stressful, since you can speak from experience; practice wheat you preach, as it were. Understanding your customer’s needs and helping them align their business objectives raises their awareness and understanding around cybersecurity. Showing clients and prospects that you understand their business helps gain trust, which is the cornerstone for any business relationship.
4. It’s Never the End of the Road
As you move into Phase 4, you begin to realize your journey is all about continuous improvement and helping others succeed. The feeling comes naturally as word of your success spreads across the industry and your client base. It is at this moment you realize the entire organization is hitting on all cylinders; business is booming, and questions are being asked like ‘How did you do this?’ At this point, you’re capable of giving back to the community and your peers. Your community includes your vendor partners and your customers too. Please remember that this is a journey, not a destination. The threat landscape is always changing and evolving, each and every day.
CompTIA is here to help you achieve your goals and objectives as a service provider regardless of where you are in your security journey. We have content to help your people better understand cybersecurity, as well as membership in the CompTIA ISAO to keep you up to date. The CompTIA ISAO is your one-stop shop for threat information and intelligence. Wherever you are on your security journey, the goal should always be for continuous improvement.
Wayne Selk is vice president of cybersecurity programs at CompTIA.