Lean security 101: 3 tips for building your framework
Cobalt, Lazarus, MageCart, Evil, Revil — cybercrime syndicates spring up so fast it’s hard to keep track. Until they infiltrate your system. But you know what’s even more overwhelming than rampant cybercrime?
Building your organization’s security framework.
CIS, NIST, PCI DSS, HIPAA, HITrust, and the list goes on. Even if you had the resources to implement every relevant industry standard and control to a tee, you still couldn’t keep your company from getting caught up in the next SolarWinds. Because textbook security and check-the-box compliance won’t cut it. You’ve got to be strategic (especially when manpower is limited!). And lean.
Learn the ropes now.
3 pro tips for building your lean security framework
Without a framework in place, you’re either navigating the cyber-risk universe with blinders on — or buried so deep in false positives you couldn’t spot a complex attack until it’s already laterally advancing.
But why build your security framework from scratch, when you could steal a page (or 3!) from other pros in the space? Get quick tips from their free guide for bootstrapped IT security teams below.
Pro tip 1: Customize industry standards to your needs
Your first step to building your lean security framework? Don’t reinvent the wheel!
Customize industry frameworks and standards to the unique needs of your organization. For example, lay your foundation with the Center for Internet Security, CIS,’ Critical Security Controls, or the National Institute of Standards and Technology, NIST’s, Cyber Security Framework.
Next, start laying your security bricks with industry-specific standards: the Payment Card Industry, PCI’s, Data Security Standard (DSS) if you accept payment for goods or services with credit cards; or the Health Insurance Portability and Accountability Act (HIPAA) if you’re in healthcare; and so on.
Pro tip 2: Get comfortable with risk
Controls. You know you need them, but some controls are more valuable to your security posture than others. Why? Because some simply aren’t worth the expense.
For example, storing your company’s personal data in the cloud is risky. What’s the alternative? Housing it on-premises? That’s expensive and comes with its own set of risks. So you choose to accept the risk of using the cloud, right?
You’ll want to weigh the value of implementing the various controls across your four key areas of risk management: threat; technology and integration; cost; and third-party vendors.
Tip 3: Embrace emerging trends and technologies
Chances are you’ve already moved to the cloud like most scaling companies because it’s cost-effective. So don’t limit yourself to industry frameworks and standards designed only for companies hosting their entire tech stacks on-premises.
Use the Cloud Security Alliance’s Cloud Controls Matrix and Shared Responsibility Model. Jump on the Zero-Trust bandwagon. Integrate your tech stack with an XDR. Outsource threat monitoring and response to an MSP, MSSP, or MDR. Transfer some of your risk to a cloud insurance provider.
The bottom line
You’ve got more than enough options for building a risk-tight security framework. The trick is picking and choosing wisely.