Devising Cyber Security Strategy in Wake of Increased Threat of Cyber Attacks By Jagdeep Singh, Chief Information Security Officer, Rakuten India

Jagdeep Singh, Chief Information Security Officer, Rakuten India | Tuesday, 10 October 2017, 09:36 IST

In an increasingly interconnected world, we reap the benefits of technology and automation. However, we are also exposed to ever greater threats of cyberattacks and cybercrime. I firmly believe that Cyber Security has become the core necessity for running a business rather than a complementary function in an organization.

While many organizations still see Cyber Security as a cost to the company, very few see it as an investment and can foresee value in it. Looking at security as an investment has had a very positive impact on fostering a strong security culture within an organization.

Leadership should follow a multi-layered approach when devising Cyber Security strategies and setting the organization’s overall direction on cybersecurity. I will pen down questions on the areas in which we should assess our organization’s security posture: -

Security Governance and Policy: -

• Assuming the organization has an Information Security Policy and Procedures, is their implementation appropriately measured? Is the policy reviewed and updated as the organization's context changes?

• Do all stakeholders understand Cyber Security risks, and are they appropriately sensitized? It has been found that most people do not understand cyber risks to the business.

• Does the organization have a time-bound Security Program implementation? Does it allocate appropriate resources and track progress, while making efforts to fill crucial operational gaps from time to time?

Secure by Design: -

• Does the enterprise have a well-defined Security Architecture, used by its IT function to build and integrate various technology pieces?

• Does the organization understand its mission-critical assets (its crown jewels), and has it identified the controls to protect them at all costs?

• Does the organization follow a well-defined set of security best practices in times of mergers or spin-offs?

Security Assurance: -

• Are Risk and Compliance actually measured and followed? Is the department or function handling Risk and Compliance given actual powers, or is it just titular?

• Does the organization consider Information Privacy and Protection a security requirement, or does it address them just to comply with local regulations?

• Does the organization audit its IT infrastructure periodically with security specialists or Red Teams, and ensure that remediation is done for the gaps found?

Vulnerability Management: -

• Does the organization have a centralized Vulnerability Advisory function, which advises its stakeholders on zero-day vulnerabilities?

• Does the organization perform periodic scans on its systems to assess the vulnerabilities? If yes, is remediation done appropriately?

Incident Response: -

• Assuming now that the attacker has breached our systems, what response measures do we take to return to normalcy in the least possible time? Are drills performed to replicate actual incidents, and is their effectiveness measured?

• Does the organization have capabilities for near real time response to cyberattacks, in terms of Response Brokering, forensics, and breach remediation?

Security Analytics: -

This area specifically assists in zero-day Intrusion Detection.

• Does the organization have the capability to mine historical datasets, come up with new patterns used by attackers, and hunt down malicious activities not being reported by monitoring tools?

The above areas cover both proactive and reactive capabilities, which the organization should focus on building strategically. Maturity depends on the level of implementation of the specific areas and on the organization’s context. It is also important to have defined performance indicators (KPIs), and organizations should course-correct from time to time based on KPI evaluation results.
