In my first blog post I talked about how to create a security organization. Once you have an idea of how you want to structure your security org the next step is to build a strategic plan. This plan will cover what you need to do, what order you need to do it and why you need to do it. It will also inform how to employ your resources or what type of resources to request if you need to hire. You may start working on this plan from day one, but most likely the plan really won’t become clear to you for several months or longer. The way one of my mentors described it is – the higher up in the org you are the more impactful your changes are, so you want to take longer to develop and execute the plan to minimize negative effects of the changes you will make. The only way to minimize the effects is to talk to everyone possible and get buy in from key stakeholders to the security org.
The rest of this post will talk about the steps I used to build the plan that I still use today. The steps are adapted from the CIS Critical Security Controls and from the CIS RAM. We adapted their process so it worked better for us.
Step 1: Choose A Framework
There are a lot of frameworks out there, but by far the most popular are NIST Cybersecurity Framework (800.53) and the CIS Critical Security Controls v8 (Top 18). Both of these frameworks have mappings to each other so you can go back and forth if needed.
Why use an industry standard framework?
- Standard terminology when you talk to other companies, auditors, internal groups, etc.
- Clear completion requirements (avoid scope creep and never ending projects)
- Prioritized list
- Objective, repeatable and scalable process for measuring security maturity and risk
I personally like the CIS controls because it is simpler to follow and has accompanying plans like the CIS Risk Assessment Method. However, both CIS and NIST are great and you really can’t go wrong with either one.
Step 2: Review and Prioritize The Controls
Review & Adjust
This is a really important step because not all of the controls will apply to your business or some of the controls may need to modification to make them relevant. Spend the time one this part up front because it will help you later when you try to close things out.
Prioritize
Once all the controls are clear, go through and prioritize the order you want to do them. In the case of CIS there are three types of implementation groups – basic, foundational and organizational. You can start with the implementation group that relates to your organization size, or you can treat the implementation groups as maturity levels (which is what we did). As we matured we moved from the basic to the organizational implementation groups and this was helpful in the earlier days to help us focus and prioritize. Each implementation group has different sub-controls that specify what you will need to do and they increase in scope.
Step 3: Baseline Risk
The next step is to gather a risk baseline against all of the controls. This baseline indicates how much risk your business has if they did nothing against the controls. This is really important because risk is subjective and no business will have the same risk baseline, risk tolerance, etc. You can follow the CIS RAM for this step or follow what I did (which was based on the CIS RAM). In my case I used a scale of 1-5 to baseline risk against the following:
Impact – What is the impact on our ability to respond or conduct business by not having this control implemented in the event of an incident?
- An imperceivable impact on our operations, services or revenue
- A noticeable, but low impact on our operations services or revenue
- A noticeable, but medium impact on our operations, services or revenue
- A noticeable, but high impact on our operations, services or revenue
- A catastrophic or unrecoverable impact on our operations, services or revenue
Likelihood – What is the likelihood of a security incident if we don’t have this control implemented?
- Not foreseeable – We don’t think it can happen
- Foreseeable, but timing uncertain – We think it can happen, but aren’t sure when
- Expected, but uncommon – We know it can happen, but it doesn’t happen often
- Common – We know it can happen and it happens often
- Imminent – We know it can happen and it is happening now (or all the time)
Example: Assess each control for the maximum risk to the business as if you did nothing
CIS control 8.2 – Establish Audit Logging
Likelihood – Noticeable High (4)
Impact – Common (4)
Next we multiply the two scores together to get the maximum risk for the control, which in this case is 16 (4×4).
Next evaluate the risk against a scale. We created the following risk scale to evaluate risk as low, medium or high to help us prioritize. The risk scale has a minimum of 1 and a maximum of 25 (you get these from multiplying the lowest and highest of likelihood and impact together). So the risk scale looks like the following:
Low < =5
Medium >5 & <=12.5
High >12.5
This scale is subjective and I recommend adjusting it based on the risk tolerance of your business. In our case, we created this scale to orient around the middle (3×3) in attempt to equitably distribute risk between low, medium and high to try to avoid bias towards one extreme.
Step 4: Create A Progress (or Maturity) Baseline
Baselining your plan and risk is an important step. It tells you where you are doing well, where you need to focus, how to prioritize, how to invest and how to assign resources. Most importantly, it documents the progress you are making to reduce or manage risk and it is a useful way to align stakeholders.
To baseline progress we used the following scale:
Not Started – Gray
<=50% – Red
>50% & <=80% – Yellow
>80% – Green
Verified Complete – Blue
The nice thing about this model is you can assess progress for multiple groups at whatever level you want (project, product, group, division, etc.) or you can just do one for your entire org. In our case, we broke it out by division and then averaged it to provide a single view for the whole org.
Step 5: Link Progress to Risk
Now that you have a risk baseline – (maximum risk for not doing anything for each control) and you have a progress baseline (where you are starting from) you can now link the two together. This is important because as you make progress on the different controls it will reduce risk for your business. In our case we used the following scale:
Not Started – Gray No Change From Baseline (Multiply Risk by 1)
<=50% Complete – Red Multiply Risk by .75
>50% & <=80% – Yellow Multiply Risk by .5
>80% – Green Multiply Risk by .25
Verified Complete – Blue Multiply Risk by .1
Example:
CIS control 8.2 – Establish Audit Logging
Baseline Risk – 16
Baseline Progress – >50% & <=80% Yellow
New Risk Score – .5 * 16 = 8
This means risk has been adjusted from High to Medium because we have made progress on logging
Step 6: Repeat This Process For All Controls To Build A Full Dashboard
Ok let’s bring this all together. At the time of writing this blog the CIS site to download v8 isn’t working so I’m going to use a copy of v7.1 that I have.
To simplify, I’m just going to use one control from each control group so for v7.1 there will be 20. This example shows a fictional organization that started by having zero controls implemented at the beginning of the year and then were able to make progress against all of the controls to have their progress complete and verified by the end of the year (I wish!). I’ve added coloring to create a classic stoplight chart and a graph showing the risk reduction by quarter.
Final Thoughts
Whether you use the CIS Controls and RAM or you use my example, this is a great way to create a strategic plan and begin focusing your resources on the highest risk areas. My team still uses our original plan as reference and we update it periodically as we make progress against various controls. In fact, we just updated it for a board meeting and I was able to show our progress against risk over the past three years (over 70% reduction).
We even used this plan to gamify how our risk reduction would change based on what controls we chose to implement next. This allowed us to plan ahead and forecast what risk reduction we were expecting each quarter or after a major control was implemented.
One important thing to note is that there will always be residual risk within the organization. You can never make risk go to zero. If you happen to have an area that is still high risk (even though you implemented a sufficient control) then that is an area you may want to focus additional people, processes, etc. to try to effectively manage that risk in parallel with technology.
Finally, this plan has limitations. While it is an effective way to measure static risk, it isn’t measuring dynamic risk.
What’s the difference?
Static risk – is measuring how well a control was implemented.
Dynamic risk – is measuring if that control is effective against the changing threat landscape.
I’ll talk about this more in a later blog post.
Reference Files: Use the template below to follow the process above. Simply click the drop down for the appropriate cell under Risk or Maturity and everything will get calculated for you including the graph.
Link to CIS 7.1 Strategic Plan Template