Getting Started: How to Build a Successful Cybersecurity Program from the Ground Up

Starting a cybersecurity program can be confusing, particularly in organizations with limited security staff. There is no shortage of areas to address and no shortage of vendors hoping to convince teams to buy their latest tools. In midsize organizations, it is particularly important to be efficient.

Every team can use a few tips to avoid common issues. Our goal in this blog is to help IT and security professionals understand the fundamentals of a successful cybersecurity program. While not every organization will prioritize the same activities, there are some required steps that will help teams define goals, prioritize risks, and communicate to senior management the rationale behind your choices.

Gain Executive Support

Cybersecurity programs require investments in time, personnel, and budget. While most executive teams are keenly aware of the importance of a good security posture, ensuring that backing prior to starting a program is critical. A good way to start is to lay out the initial few steps as detailed in this blog, including what you intend to learn from those activities.

Start by Understanding Your Current Posture

The first step in any program is to understand your current posture both to identify weaknesses and to avoid overspending on areas that meet your organization’s appetite for risk. Most organizations have some level of endpoint security like antivirus software, network segmentation and firewalls, and identity and access management solutions. Having an unbiased and evidence-based understanding of your overall security posture will inform your program choices and provide a baseline against which you can measure progress.

Are Your Passwords Available “in the Wild”? 

Criminal hackers are rational actors and seek simple attack vectors. Stolen employee credentials can be easily acquired on the dark web and allow criminals to simply log in instead of breaking into an organization’s systems and applications. Once inside, attackers can access all the same resources as the legitimate users. Compromised password scanning continuously monitors dark web resources to identify credentials for your organization, allowing teams to force password resets and examine account activity.

Goal: Identify and remediate easily exploited attack vectors and educate users on the importance of protecting their credentials.

Standardized Risk Assessments Provide the Big Picture

A risk assessment can be conducted by in-house personnel using an industry standard checklist such as ISO 27001, Center for Internet Security (CIS) Critical Security Controls, or the NIST Cybersecurity Framework[AR1] . Alternatively, you can hire outside resources to conduct an assessment. The advantage of the latter is that a good assessment report will prioritize the results and provide remediation guidance for each deficiency.

Goal: Understand the highest priority issues, then build a roadmap for addressing those requiring remediation, while ensuring residual risk is understood within the organization.

Vulnerability Scans Identify Easily Exploitable Issues

Most IT teams are staffed to keep systems running smoothly and users productive. Each year, however, thousands of new vulnerabilities are disclosed in applications and components, including the printers, endpoints, servers, and devices in your network. Once disclosed, criminals begin trying to exploit immediately, before overworked teams can react and patch systems. According to a report by Rapid7, the criminals are often successful, with 56% of those vulnerabilities being exploited within seven days of public disclosure.

Vulnerability scanning identifies unpatched and out of date software and components in your environment and provides a score for severity and urgency. A scan can be run internally with a licensed toolset or performed by a vendor as a service. Remember that new vulnerabilities are disclosed daily, so building this task into your security cadence is necessary. Don’t forget to include website and application scanning to secure internally built applications and websites, including marketing websites and landing pages maintained and updated outside of IT’s control.

Goal: Ensure early and ongoing visibility to the precise attack vectors often favored by cyber criminals.

Penetration Tests Simulate Malicious Attacks

The final step in assessing your security posture is penetration testing (“pen tests”), where a specially trained “ethical hacker” will attempt to infiltrate your systems and applications in a non-destructive way. Unlike vulnerability scanning, ethical hackers use a variety proprietary tools and techniques to identify and exploit weaknesses in your defenses, elevate their privileges, and access your most critical systems and data. Teams can prioritize external pen tests that target publicly facing assets, internal pen tests simulating a compromised employee account, and web or mobile application pen tests.

Goal: Get evidence of properly working defenses and/or exploitable weaknesses in applications and systems, along with remediation guidance.

How Defendify Can Help

Defendify helps organizations start and mature cybersecurity initiatives every day. By starting with an evidence-based assessment of an organization’s current strengths and weaknesses, teams can prioritize actions and optimize security spend and efforts. Repeating assessments periodically and routinely then allows teams to track and report on progress against the baseline.

Ready to see Defendify in action? Schedule time to connect with a Defendify Cybersecurity Advisor.