Sticky-Widget: Encryption for CMMC using FIPS Validation

History

From time immemorial, or so it seems, the National Institute of Standards and Technology (NIST) has issued the Federal Information Processing Standard (FIPS) 140 series, which sets the security requirements for cryptographic modules used to protect sensitive federal information. Most certificates in circulation were issued against FIPS 140-2; its successor, FIPS 140-3, has been published and new modules are being validated against it.

The standard defines four security levels. The approved algorithms are the same at every level; what changes between levels is how well the module protects its keys and how hard it is to tamper with.

Level 1: The lowest level. The module must implement at least one approved algorithm, but no physical security is required beyond production-grade components. Most software-only modules running on a general-purpose computer are validated at this level.

Level 2: Takes Level 1 and adds tamper evidence, such as coatings, seals or pick-resistant locks that show when someone has been inside, plus role-based authentication of operators.

Level 3: Takes Level 2 and adds tamper resistance and response. Opening the enclosure must be detected and must zeroize the plaintext keys and other critical security parameters, so there is nothing left to steal. Operators are authenticated individually rather than by role.

Level 4: The highest level. The module must detect and respond to any unauthorized physical access from any direction and must protect itself against environmental attacks such as out-of-range voltage or temperature. Even here the algorithms are no "stronger"; the level describes the protection of the module, not the math.

Fortunately, working out whether your systems use FIPS-validated cryptography doesn't require a mathematics degree, but it does require a bit of work.

Where do we start?

Cryptographic Module Validation Program

NIST has provided a resource for all things FIPS 140: the Cryptographic Module Validation Program (CMVP), linked below. If you peruse the website you'll learn very quickly that theory and practice are not the same animal. NIST runs two related programs. The Cryptographic Algorithm Validation Program (CAVP) tests that a particular implementation of an algorithm, say AES or SHA-256, produces correct answers. The CMVP validates a whole cryptographic module, the hardware or software boundary that holds the keys and runs those algorithms, against FIPS 140 and issues a numbered certificate. An algorithm validation on its own does not make a product FIPS validated. You could, and when an algorithm is first approved you do, have an approved algorithm that you can't use for CUI because no module using it has completed CMVP validation yet.

Every device, module, or piece of software your company uses to encrypt Controlled Unclassified Information (CUI), at rest or in transit, must do so with FIPS-validated cryptography: a module with a current CMVP certificate, operated in the approved mode its security policy describes. "FIPS compliant" on a data sheet is a marketing phrase, not a certificate. There are three methods of handling this:

  • Assume: This is the most popular method of dealing with FIPS. It involves assuming all your devices are validated, or simply remaining ignorant of the need for them to be. Suffice it to say, this is not our recommended course of action.
  • Vendor Validation: What are support and salespeople for other than answering mundane questions you can't be bothered to find out? There is one caveat. How much do you trust your vendor? Regardless of what your vendor tells you, you are the one responsible if a non-validated product ends up protecting CUI. The useful question is not "are you FIPS compliant?" but "what is your CMVP certificate number, and which product versions and configurations does it cover?" A certificate number is something you can check on the NIST list yourself in a minute.
  • Self Validation: Go to the NIST website provided below and check for yourself. Each certificate names the module version, the operational environments it was tested on, and a security policy document spelling out the settings that keep it in approved mode. Does this mean you have to track down every piece of software, hardware and COTS product that encrypts CUI within scope? In theory yes; in practice, not always, as we will see below.

Enforcing FIPS

Fortunately, most vendors are cognizant of the need for FIPS validation, and many provide easy-to-implement configurations that restrict the product to its validated algorithms. For example, Microsoft has a Group Policy setting ("System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"), backed by a registry value, that can be enforced across an entire domain or on a per-machine basis (link provided below). Use these options, but understand what they do and don't do. The Windows flag tells SChannel, BitLocker, EFS and .NET to refuse algorithms outside the validated set; it does not make an unvalidated build of Windows validated. Microsoft's certificates are issued per OS release and build, so check that the build you actually run appears on the CMVP list. The flag also has side effects: some .NET Framework cryptography classes, the managed implementations and MD5 for instance, start throwing exceptions once it is on, so test before pushing it to the domain. Finally, ask your vendors to confirm that updates do not silently switch on a new cipher or protocol that the validated module does not cover.
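The following PowerShell script is an added example and is not code from the original article or from Microsoft's documentation. It audits the Windows FIPS algorithm policy flag and the TLS cipher suites currently enabled on a machine, and with -Enforce turns the flag on and disables the offending suites. The registry path, value name and cmdlets are the documented Windows ones; the pattern of primitive names it treats as non-approved (RC4, MD5, NULL, single DES, export suites) is the script's own assumption about what should never be negotiable on a system handling CUI.

```powershell
<#
Added example, not code from the original article or from Microsoft.
Audits the Windows FIPS algorithm policy and the enabled TLS cipher suites;
with -Enforce it turns the policy on and disables suites built on
non-approved primitives. Reads work unprivileged; the writes (HKLM and
Disable-TlsCipherSuite) need an elevated session. Get-TlsCipherSuite and
Disable-TlsCipherSuite exist on Windows 10 / Windows Server 2016 and later.
#>
[CmdletBinding()]
param(
    # Without -Enforce the script only reports what it finds.
    [switch]$Enforce
)

# Documented location of the "Use FIPS compliant algorithms" policy flag.
$FipsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$FipsValue = 'Enabled'

# Assumption of this script: suite names containing any of these tokens rely
# on primitives no FIPS 140 module approves. '_DES_' deliberately does not
# match 3DES ('_3DES_'), which is deprecated but not flagged here.
$NonApprovedPattern = 'RC4|MD5|NULL|_DES_|EXPORT'

function Get-FipsPolicyState {
    # Returns NotConfigured, Disabled or Enabled.
    $item = Get-ItemProperty -Path $FipsKey -Name $FipsValue -ErrorAction SilentlyContinue
    if ($null -eq $item)        { return 'NotConfigured' }
    if ($item.$FipsValue -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Enable-FipsPolicy {
    # Same value Group Policy writes; creates the key if it is missing.
    if (-not (Test-Path $FipsKey)) { New-Item -Path $FipsKey -Force | Out-Null }
    Set-ItemProperty -Path $FipsKey -Name $FipsValue -Value 1 -Type DWord
}

function Get-NonApprovedCipherSuites {
    # Names of enabled SChannel cipher suites matching the pattern above.
    Get-TlsCipherSuite |
        Where-Object { $_.Name -match $NonApprovedPattern } |
        Select-Object -ExpandProperty Name
}

$state = Get-FipsPolicyState
Write-Output "FIPS algorithm policy: $state"
if ($Enforce -and $state -ne 'Enabled') {
    Enable-FipsPolicy
    Write-Output 'FIPS algorithm policy set to Enabled (takes full effect after a reboot)'
}

$bad = @(Get-NonApprovedCipherSuites)
if ($bad.Count -eq 0) {
    Write-Output 'No enabled TLS cipher suite uses a non-approved primitive.'
} else {
    Write-Output 'Enabled TLS cipher suites using non-approved primitives:'
    foreach ($suite in $bad) {
        Write-Output "  $suite"
        if ($Enforce) { Disable-TlsCipherSuite -Name $suite }
    }
}
```

Save it as, say, Check-FipsPolicy.ps1 and run it with no arguments to report, or with -Enforce from an elevated prompt to apply. Across a domain, enforcement should still go through Group Policy; the script is for checking a machine or fixing a one-off lab box. Note that it cannot tell you whether the Windows build itself is validated; that is still a lookup on the CMVP list.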

Conclusion

Any time you’re going to be using encryption within scope for CMMC you must use a FIPS validated method. Fortunately, that’s not all that hard to do.  Unfortunately, it still requires some effort on your part. Here are a few things that will make your life easier:

  • Check with your vendor whether there's a "FIPS mode" switch, and which CMVP certificate it corresponds to.
  • On those without such a switch, go to the website below, find your product and its certificate, and make a note of the specific settings and configurations the module's security policy says are approved. Use those.

It’s another checkmark to address, but I hope it’s not mysterious anymore.

https://csrc.nist.gov/projects/cryptographic-module-validation-program

https://docs.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation#step-2–setting-fips-localgroup-security-policy-flag

CMMC Reference: SC.3.177, "Employ FIPS-validated cryptography when used to protect the confidentiality of CUI" (the same requirement as NIST SP 800-171 3.13.11)

 

The Beginner’s Guide to CMMC Certification: Three Easy Steps

The Department of Defense has made it clear that self-attestation is no longer adequate for their supply chain. Cybriant can help make the CMMC certification process easier.

You know you’ve done this; you’re watching a movie where the outcome of a scene or plot is obvious but the characters don’t seem to have any idea?  That is how I feel about the coming Cybersecurity Maturity Model Certification (CMMC).

You see, I’ve audited and assessed enough companies to see the plot and be yelling at the screen.  A majority of companies out there may know CMMC is coming.  They may even know that it’s different from NIST SP 800-171 Rev. 1 and that there are varying levels of compliance.  What they’re missing, the reason I’m yelling “why are you running further into the woods?!?” at the screen, is the amount of work needed to bridge the gap between where you are and where you need to be.

It’s a lot.  Whatever you are thinking, it’s more than that.  Much more.

Often companies, even those that are fully or mostly compliant with 800-171, will have hundreds of man-hours of work ahead of them to meet CMMC.  What’s a security professional to do?  Start working.

Step 1: Learn

The first step is to download a copy of the latest draft regulations.  Download each document and get reading.  What you’ll find there is a description of what the Department of Defense is trying to accomplish: the various levels, the controls at each level, and descriptions and further explanation of those controls.

Next, sign up for the CMMC Accreditation Board’s email alert list.  This will keep you abreast of new developments in the CMMC certification process.  I would also suggest familiarizing yourself with the website in general, as there is a wealth of information about how everything is going to work.

Step 2: Plan

I wouldn’t suggest starting at the top of the Appendices PDF and going to town on controls.  We must first understand what level we need to meet.  This would be a question for your contract office contact.  They will probably have a good idea of what is going to be needed on the next round of contracts that will require a CMMC component.

Most organizations are going to tell you that as soon as you understand your required level, start working on Level 1.  That is true, but experience tells us there are actually a few steps that should be tackled before starting work.

The Good, the Bad and the Ugly

Identify those controls that you already fulfill.  The good news is that each control removed is time, money and effort saved.  The bad news is that there aren’t going to be as many removed controls as you might expect.

The number one issue most people face when tackling this task is determining what exactly the government means on a particular word, phrase, or sentence.  Shall vs. Must vs. Could.  It’s quite confusing.  Fortunately, the Appendices not only include clarification information but also the specific sections of documents, such as CIS or NIST, that helped guide the decision.  However, at the end of the day, you can always call Cybriant to help you through the muddy waters.  We eat and breathe this stuff and can help define for your environment what your options are.

Internal or Outsource

There’s a very good chance you’re not going to have the manpower, resources, budget, or capabilities to fulfill every control.  Identify the controls you can tackle internally and those for which an outside resource will need to be brought in to help or to fully manage.  Each company is different, so this will depend entirely on a variety of factors.  A good rule of thumb is that you should outsource anything you are not an expert in.  That does not mean you should be wholly ignorant of the subject.  I’m a firm believer in learning enough about a subject so you have a BS meter.

Budgeting

Many organizations miss this.  There’s a good chance you’re going to have to spend money on upgraded systems or security components, services (Level 4 requires a 24/7 SOC), and any number of minor or major expenses.  Go through all the requirements and identify what products or services you may need to purchase.

The process to identify and acquire those items can occur in conjunction with internal efforts on the remaining controls.  Vendors must be found, decision-makers convinced and any number of organization-specific purchasing hurdles jumped before the product/service ends up on your doorstep.  Get started with this ASAP.

Implementation methodology

Once you know what you’ll be doing and what others will be doing, it is time to estimate how long each requirement you are performing internally will take to complete.  A rough estimate is fine here, as we are simply trying to ensure that we don’t leave the last two controls until the end only to discover they are a two-month project.  We’ll want to always be chipping away at smaller controls while working towards the large, cumbersome ones.

Step 3: Implement the plan

Finally.  The CMMC already outlines the path towards certification in the five levels.  Ideally, you start with level one.  Once you have successfully fulfilled all the requirements, move to level two and so on until you achieve the necessary level.  That is easy in theory, not in practice.

As discussed in the previous section, it is imperative you have identified what you insource or outsource, what needs to be purchased, and what will take the most man-hours.  Concurrent action should be taken on purchasing equipment, signing outsourced service provider contracts, and implementing internal controls.  Again, if planned properly, the most progress will be made with the least effort.

Finally, we can start working on actually implementing controls.  This is where you can take the CMMC at its word and begin on all your Level 1 tasks.  Logically move to level 2 after you’ve gotten the basics down.  In fact, the CMMC calls level 2 an intermediate step to level 3.  No one is supposed to stay on level 2.

Final Thoughts

Notice, the bulk of this blog is related to planning.  It is essential that planning receive the proper attention before actually pulling the trigger on enacting anything.  If you don’t plan properly you’ll increase the work.

Or you could contact Cybriant and we’ll help you every step of the way.

CMMC Draft: https://www.acq.osd.mil/cmmc/draft.html

CMMC-AB Email Alert List Signup: https://www.cmmcab.org/subscribe

CMMC-AB Website: https://www.cmmcab.org

Jason Hill

Director of Strategic Services

With over 20 years of experience in the areas of IT Security, Infrastructure and Managed Services, Jason is an accomplished security consultant and security trainer.

Jason has had cybersecurity consulting responsibilities for a variety of clients encompassing the globe utilizing the NIST-RMF, NIST- CSF, and ISO 27001 frameworks as well as his experience as a PCI QSA. Having a background in system architecture and design, Jason brings a uniquely refreshing perspective on information security which provides clients and partners value beyond industry norms.

Cybersecurity Maturity Model Certification (CMMC)

The upcoming Cybersecurity Maturity Model Certification (CMMC) may be a concern to you if you are a government contractor in an organization that contains Controlled Unclassified Information (CUI). Read on about how Cybriant can guide you through the CMMC process. 

Don’t Panic.

Douglas Adams’s references notwithstanding consider this Cybriant’s attempt at creating a guide to CMMC.  As you may have recently become aware, the Department of Defense (DoD)’s push to begin auditing its supply chain for cybersecurity compliance has sent ripples through the sector.

Now that the initial panic has worn off, you’re trying to come to grips with what exactly all this means.  Before we get started, understand that anything stated here, or anywhere else, is pure speculation until the CMMC is released into the wild.

NOTE: For this article, we are going to stick with a contractor being defined as an organization containing Controlled Unclassified Information or CUI.  There are as many sub-certifications as there are fish in the sea when it comes to the DoD so we’re going to stay fairly high level.  Please consult your contract office or prime to understand any further requirements you may be assessed for.

Timing

The good news is that although the official start of audit season is 2020-2021, you’re probably a few years off from actually being audited.

How do I know this?  Mostly because if you’re reading this blog then you probably don’t work for Lockheed Martin, Boeing, Raytheon, or any of the other 800 lb gorillas.

They’re probably communicating directly with their contacts within the DoD for their news.  Odds are you are a sub of a larger contract or the primary of a small contract.

What do you suppose the DoD’s top concern would be?  The security of a prime on one of its large contracts, or the manufacturer of a widget that goes into said project?  Word on the street, and logic, dictate that the whales will be hunted first, then the smaller fish.

“Ok,” you say, “I probably have some time but, how do I prepare?”  I’m glad you asked.

Side Note about NIST

The “go-to” for standards for DoD is, of course, the National Institute of Standards and Technology (NIST). And when I say “go-to” I mean DoD Instruction 8510.01 makes NIST’s Risk Management Framework THE standard by which all ATOs are measured, so what NIST does is important.

In a “whaddayaknow” moment, NIST has recently released an Initial Public Draft (IPD) of the mighty 800-53 publication. When finalized, this will advance the publication to Revision 5.  Also, a few years ago all departments were in a major push to move from the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) to the Risk Management Framework (RMF).

Coincidence?  I think not.

Controls

Let’s discuss the NIST Special Publication 800-53 Rev. 5 Initial Public Draft.  A smattering of new and revised security controls make their way into the revised document, as one would expect.  At the end of the day, though, it’s all about privacy.  There are two new families of controls that are explicitly related to privacy: Individual Participation (IP) and Privacy Authorization (PA).

Within IP we have these basic tenets:

  • Giving users more access and authority over their data
  • Allowing users more control over data accuracy and corrections
  • Ensuring proper privacy notices are in place

PA contains items such as:

  • Ensuring the organization has the legal right to use Personally Identifiable Information (PII)
  • Having documentation to support that fact
  • Fully developing and implementing privacy communications
  • Defining what, how, and when you can share PII

What is more interesting to us is the introduction of “joint controls” between security and privacy.  Also included in the IPD are three new Appendices dedicated to the ‘how’ of implementing the privacy controls.  See a pattern?

Privacy is going to be a major concern going forward.  NIST 800-171 is derived from a subset of 800-53, and CMMC, as discussed previously, will take from both to produce a list of requirements around any data about a contract, including CUI.  NIST has upped its game on privacy, and it stands to reason that this will make its way into the CMMC.  Table F-2 of NIST 800-53 is a great place to start understanding how important privacy will be.

Because of the privacy emphasis in the industry at large and the latest draft of 800-53 we at Cybriant suggest the following actions to prepare:

  • Develop a privacy program
  • Begin identifying all types of PII captured by your organization
  • Develop or modify training to address privacy
  • Begin updating all policies to address privacy concerns
    • Privacy Policy (of course)
    • Record retention and destruction
    • Communications policy & procedures
    • Business continuity and disaster recovery
    • and more
  • Be thinking about
    • Does your company need the PII it does have?
    • How does your organization communicate privacy concerns to all parties?
    • Who will be ultimately responsible for privacy?
    • How will allowing redress of privacy concerns affect your processes?

Processes, People, and Technology

Yes, that old trope is back.  We’ve heard it a thousand times, but it is our belief that contractors will need to start getting their ducks in a row now if they want the road to CMMC compliance to be as painless as possible.  Long gone are the days of throwing together a System Security Plan (SSP) and a couple of Plans of Action and Milestones (PoAMs) and calling it a day.  It is our strong belief that CMMC will require more than adherence to particular security controls, an SSP, and enough PoAMs to make the auditors happy.  After seeing the concerted effort to implement RMF throughout the entire Department, pushing that process down the chain is almost certain.

What do I mean by that?

The Risk Management Framework places heavy importance on ensuring that not only controls are implemented but your daily operations, the very fabric of how you run your organization, live and breathe security.  Marry that with the industry-accepted thought that NIST is aligning itself closer to industry norms of ISO 27001, GDPR, etc, and there are a few items that organizations wishing to win contracts must be made aware of.

Risk Assessments take center stage

Within most frameworks, one of the main starting points is a risk assessment.  This helps define the major deficiencies of the organization as compared to the standard.  Not only that but, a Cybriant risk assessment allows an organization to understand its security more holistically.   Being compliant does not make you secure just as being secure does not make you compliant.  As such, a Cybriant risk assessment addresses both issues.

Process Alignment

That sounds painful.  And it will be.  What we believe will also be a major component of the forthcoming CMMC is the importance the organization places on security and privacy as everyday business.  Based on our experience, a few questions come to mind.

  • Does your change management process include privacy and security concerns as a prerequisite for a change request?
  • Is management made aware of the state of security within the organization regularly?
  • Do you test and update your business continuity and disaster recovery plans after every change that would affect their effectiveness?
  • Do you routinely test audit controls?

Technology Advancement

While we believe process and people are the most important areas to focus on in most organizations, we cannot eliminate technology.  Anti-Virus is a dinosaur and signature-based Intrusion Detection Systems are going the way of the dodo.

Only worrying about whether technology is compliant is asking for trouble.  Signature-based technologies are compliant with most frameworks out there but, do they make you secure?  No, not really.  Being compliant and breached is not preferable to being compliant and relatively secure.  As we all know, if someone wants your data bad enough, they’re going to get it.  Why not use the latest technology to ensure they need very deep pockets before being able to get there?

Conclusion

No one knows what’s coming in the final CMMC but, we do have some indicators from insiders and what has been happening in the industry.  Cybriant highly recommends each organization spend a bit of time ensuring you are truly compliant with existing regulations first.  Then move on to what is expected.  After all, if you prepare for what we believe to be a privacy-first mentality moving forward and it fails to come to fruition, are you worse off?

About Cybriant

Cybriant is an award-winning cybersecurity service provider. We provide 24/7 continuous threat detection with remediation, risk assessments, and more. We make enterprise-grade cybersecurity services accessible to the mid-market and beyond.

References

NIST 800-53 v5 IPD – https://csrc.nist.gov/csrc/media/publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf

6 Considerations for Your Next Security Assessment Vendor

Information security assessments are a necessity in today’s cyber-insecure world. Be sure to consider these 6 things when you select a security assessment vendor. 


Risk assessments (often referred to as security assessments) are a critical part of any compliance program.  More often than not, these risk assessments are required to be performed by an external party.

Hiring a firm to perform a risk/security assessment can be a daunting task.  With little to go on we often fall back on the old standbys of contracting a vendor: reputation, size, certifications, etc, etc.  And often that results in poor performance or obvious cookie-cutter results.  How then should we approach the task of ensuring we get value from our security assessment vendor?

After years of performing risk/security assessments and gap analyses for various companies with different vendors, I’ve noticed some themes and want to share six items to look for when selecting a vendor.

Fortunately, these are items that can be teased out in negotiation long before signing the contract.

6 Factors to Look for in a Security Assessment Vendor:

1. They consider People, Processes, and Technology

This one seems like it should be obvious.  Isn’t that what a security assessment vendor should be doing?  In theory, yes. However, as you have probably experienced, that is not the case most of the time.

Why?

Human nature. Believe it or not, auditors are human too, and with that come comfort zones, preferences, dislikes, and biases.  If you have an auditor who came up through the ranks as an accountant or in some other non-technical analytical role, you’ll have someone very comfortable with the processes of security who may not understand the nuances of the people or the technology supporting the business.

The same can be said for a highly technical individual with no people skills, or the adamant extrovert who crammed well enough on the technical side to pass the PCI QSA test by a whisker.

A good security assessment vendor will have the processes and procedures in place to ensure that, one, only well-balanced individuals are selected as auditors and, two, even treatment is given to all aspects of security.  Just because an auditor is more comfortable in one area than another doesn’t give them leeway to abandon other areas.

2. Spreadsheet mania

This one is a bit counter-intuitive. Spreadsheets and auditors are like mac and cheese, they just go together.

However, let me ask you one thing.  Have you ever had an auditor that you felt truly understood what you did and how you did it?  I haven’t. Most of the time they sit across a table with a laptop open entering their responses into a spreadsheet like an automaton.

Sure they’ll ask some questions to get a better understanding, but only enough to answer what the spreadsheet wants to know.  Spreadsheets are great for identifying risks in technology or gaps in processes, but what about people?

Whatever happened to the art of conversation, I ask? 

Here at Cybriant, and any other good security assessment vendor, all the technicalities of the spreadsheets can be asked beforehand, or after.  What we’re there to do is understand your risks and that includes what and how your people perform their daily duties.  I have story after story of finding major risks to an organization through conversation that a spreadsheet approach would have never caught.

Let me give you a great ‘for instance’. 

I was performing a security assessment for a college and knew of the locked, secured, shred bins as well as the policies dictating their use.

However, after conversing with a funding representative I had to ask,

“So do you use the shred bin upstairs?”

“Of course I do!” was the response.

Based on other answers I probed some more; “well, I put the credit card information in this cardboard box beside my desk when I’m done with them and once a week I dump the paper in the shred bin”.

Need I say more?  When considering a vendor try to have a conversation with the auditor who will be assigned to your account.  Do they ask good questions?  Are they personable?

3. They talk to more than just the nerds.

I wonder if you caught something odd about the story above, other than the blatant PCI violation.  As part of a security assessment, we were speaking to a funding representative, not a technical resource.

While technical resources are an absolute must when interviews are concerned, so are the rank and file.  Processes, policies, guidelines, standards, security controls, and technology are all good and well, but users have an uncanny ability to destroy all our good work without even trying sometimes.

As such your assessor must speak with others in your organization. Often external assessors are brought in to verify what the technical staff or leadership already suspects.  However, because of our insistence on interviewing non-technical personnel, we have found countless unknown security risks.

When assessing your potential vendor, be sure to ask who is considered an interview candidate.  If it’s just technical staff and minimal leadership, back away slowly.

4. They see the big picture

Very similar to the spreadsheet item, there is one thing that seems to elude the vast majority of assessment firms: big-picture thinking.

After performing dozens of security assessments I have realized that most findings can be distilled into what we call Cybriant: Risk Themes. These are overarching risks that are not part of any framework but contribute to the overall security profile.

Examples of Cybriant: Risk Themes are a company culture that ignores security or lack of proper network design which exposes several risks.  While our assessments do include specific risks we also include any Cybriant: Risk Themes to help guide the organization towards the most efficient method of addressing the outlined risks.

Ask to see a sanitized assessment, do they address risk themes?

5. They give a roadmap to success

A good security assessor understands technology to the point that they can provide a roadmap that addresses the most critical findings first and how to fix them. This is critical to a successful implementation of remediating security risks.

Tell me if this sounds familiar.  A security assessment vendor performs a security assessment and you receive a PDF containing page after page of faults with your environment, and that’s it.  No recommendations on how to remediate, no path towards completion, and no way of knowing which ones pose the highest risk to your organization.

The security assessment vendor you choose must consider what technology you have in place and the most efficient path towards remediating the identified risks.

However, they can only do that if . . . . .

6. They understand technology

In previous points, it may have seemed as if I were discounting technical knowledge.  Let me squash that rumor now.

A disturbing trend in the security assessment world is the tacking on of technology auditing to other fields such as accounting.

I like my CPA and trust them with my taxes, but I wouldn’t want them to pass judgment on my BGP network.  Just because you can sit in a CISSP boot camp and memorize enough to pass the test doesn’t mean you understand the nuances of a system or network design.

This trend results in strict adherence to spreadsheets over any extenuating circumstances, and in the discounting of any client explanation.  That in turn results in frustrated and dissatisfied clients.

Above all, an assessor needs to understand technology well enough to understand how your organization uses said technology and any potential downfalls therein.  When determining which security assessment vendor to select be sure to have your technical talent probe the assessor for technical knowledge.

Some of the brightest, most capable employees and coworkers I have ever had the privilege to work with do not have college degrees or certifications; yet by what metric do we normally measure a potential employee?  The reason we do this is that it is very difficult to assess whether a candidate has the “right stuff,” so we fall back on the de facto standard.

The same can be said for how most security professionals choose a security assessment vendor.

Hopefully, I have given you the tools to look past the standard fodder of evaluating security vendors and equip you to ask intelligent questions and look for signs that you have found the diamond in the rough.

Jason Hill

Director of Strategic Services

Jason is an accomplished Infosec Speaker, AlienVault certified instructor and engineer, Risk Assessor, Security Consultant, and Security Trainer.

 

People, Process, Technology in Cybersecurity or: How I Learned to Stop Worrying and Love the Process!

People, Process, and Technology is the cornerstone of ITIL, but can it also be used to ensure a proper cybersecurity foundation? The answer may surprise you!


Let’s just get this out of the way. You are not secure. There I said it.

Let me qualify that statement: when I say you are not secure, what I mean is that regardless of the money, talent, resources, or luck your organization possesses, your organization (or any other) cannot consider itself completely impervious to outside aggressors. Just like a drill instructor in boot camp, let me tear your assumptions down for a moment so I can build them back up.

According to Gemalto, 82 records were compromised every second in 2017. It is widely accepted that the nation-state failure rate is as near to zero as makes no difference. There are spear phishing kits available to allow anyone, even your mom, to launch a targeted attack against you. You have to be right every time; a hacker only has to be right once. A bird in the hand . . . . . I could go on, but I think you get the point.

“But,” you say “I just bought something with ‘NEXT-GEN’ in the product description. That’s got to make me secure!” No, it won’t. Nothing short of throwing all copies of your secure data into a volcano will make your data completely secure.

 

What we must strive for, what we must get up every morning and make it our mission to accomplish, is the process. A far too common mistake is that once we place security controls around our data we believe the job is done. Once we buy and install that tool, outsource that task, or hire that consultant firm we are not done. Let’s look at the tried and true foundation of People, Process, Technology and see how that fits into your cybersecurity plan – we are going to switch it up and discuss process last.

According to ITIL News, using People, Process, and Technology for a successful implementation is not only good old-fashioned common sense; it is also like a three-legged stool. The stool analogy is used because any leg that is too short or too long will cause an imbalance.

People, Process, Technology

People

Here’s one thing everyone in security knows: people like clicking on all the links! Hackers know this; even that rich Prince from Nigeria knows this! In Jim Collins’ book, Good to Great, he discusses how the leader of your organization is like a bus driver and the employees are the bus riders.

You are a bus driver. The bus, your company, is at a standstill, and it’s your job to get it going. You have to decide where you’re going, how you’re going to get there, and who’s going with you.

Most people assume that great bus drivers (read: business leaders) immediately start the journey by announcing to the people on the bus where they’re going—by setting a new direction or by articulating a fresh corporate vision.

In fact, leaders of companies that go from good to great start not with “where” but with “who.” They start by getting the right people on the bus, the wrong people off the bus, and the right people in the right seats. And they stick with that discipline—first the people, then the direction—no matter how dire the circumstances.

While this may seem like a stretch in the cybersecurity world, the analogy holds in the sense that everyone on board the bus must be on the same mission. We don’t want to let anyone else (cybercriminals) on the bus, or let any corporate secret fly out the bus windows.

Train your people and make sure policies are understood from the top down.

Technology

If that “next-gen” tool were able to keep you secure without your understanding it and using it effectively, why isn’t everyone buying it instead of the others? Because no tool by itself can effectively secure your data. You must know what the tool is telling you, how to deploy it effectively, and how to customize it to your environment. If you don’t take the time to do these things, you might as well have dug a hole and thrown the money in; it’s the same thing. Too many times I have seen a very expensive product simply create heat. The security product was implemented, but time was not dedicated to truly using it. Now it’s ignored.

On the other hand, you could outsource the task of doing all that . . .

Great! You’ve contracted an MSSP to watch your security for you. Job’s a good’n. Nope. I’ve trained many, many MSSPs, probably fifty plus. I’ve been instrumental in starting two successful MSSPs. This experience has taught me several things, one of which is critically important to this conversation.

It can be summed up by a question: How do you know they provide value?

Nifty charts? Awesome. Whizbang product suite? Sweet! Suites that cost more than your first car? Shiny. However, all of that is for naught if you have not educated yourself in the mechanics of what they provide. Most people outsource what they are not good at; wouldn’t it be a better idea to outsource what you are good at? The more you know about the topic, the less you must worry about whether that vendor is doing a good job. If you don’t stay current, educate yourself on cybersecurity, and constantly engage your vendor, what value do they really bring?

Process

It is said that wisdom is the appropriate application of knowledge. You may have learned many things about cybersecurity, but if you can’t effectively use that knowledge in everyday life, what use is it? This is where everything we’ve discussed above fits into “the framework.” I’ve described what a framework is and how to pick one in other blogs.

With a framework, we can take each new product, align it with our goals, test the product, and verify that our management of the product is appropriate. With each outsourced task, we can quickly and easily see whether the value exists, thanks to the iterative processes inherent in frameworks. With each consultant, we can direct and manage the work and the relationship through the process of satisfying the framework.

Cybersecurity is a process. It is not a rush to prepare for a single point-in-time audit and then relax until the next one. By embracing the idea that iterative steps and incremental progress are the proper way to secure your environment, you steadily become more secure.

Well, at least until George clicks on that link again.