It’s no surprise that security ranked as the top cloud challenge for technical professionals representing organizations of all sizes in this 2020 Q4 survey. The abundance of solutions and strategies trying to get your attention and capture your security budget can make it challenging to figure out a right-sized security strategy for your organization.
Get to know the world your organization is operating in.
The most efficient way to address the security strategy challenge successfully is to take a holistic approach to your planning. Identify what your security program is protecting and what it needs to defend against. Use your big-picture understanding of how your organization’s parts connect to predict, prioritize, and defend against the risks your organization faces.
Understand your organization’s parts.
Every organization is unique, including yours. Still, most organizations are built from similar groups of parts, which gives technology leaders a framework against which to align their own organization. These parts are the valuable assets and the threats, plus the functional systems that form a barrier between the two: infrastructure, supply chain, and employees.
The parts you’re defending.
Valuable assets: the information and systems you need to defend.
Examples of valuable assets include sensitive data, customer information, and intellectual property. Valuable assets are the prize malicious hackers seek when they infiltrate your systems. Losing control over these assets could be detrimental to your business, so it is essential to protect your organization’s valuable assets to maintain a good security posture.
The parts you’re defending against.
Threat: An actor or agent that puts your valuable assets in danger.
Malicious hackers use countless variations of software and social engineering schemes to gain control of valuable data and systems they can use as leverage to get what they need. They use this access to spy on or extort organizations.
The attack surfaces between your threats and your valuable assets.
Infrastructure: the various software, hardware, cloud assets, and network components used to run an organization.
Infrastructure is the foundation of your business. Examples of infrastructure include devices, servers, and code. You have control over your infrastructure strategy and you can communicate best practices to keep threat actors from accessing it through strategic policies and management.
Employees: the people authorized to interact with your infrastructure.
Employees bring your organization to life through their ideas and communication. Their actions are essential to the success of your organization, but they can also provide a conduit between threats and your valuable assets. Understand the actions they need to take to complete their work so you can strengthen your defense of this attack surface with the right training and security culture. Connect your employees to your security mission to empower them to make smart security decisions.
Supply chain: the vendors that connect, have access to, or provide parts of your infrastructure.
Your supply chain brings outside power to your organization, which can be essential to grow or provide services for your customers. Collaboration with other organizations creates business opportunities impossible to achieve alone, but not without added risks from attack surfaces that are out of your control. Take care to vet vendors based on their security culture. Provide outside people and systems only the minimum access to your infrastructure needed to complete their function. Regularly review those access rights and your need for each outside vendor as your service evolves.
Begin your security program planning by mapping the parts of your organization.
Create a map that outlines how all of your organization’s parts intersect.
Identify and inventory the technology, culture (processes), and people that make up your organization. Map how the parts of your organization are connected and work together to gain a solid understanding of the access points that threat actors may attempt to infiltrate.
Refer to your organizational map while planning and executing your defense strategies.
Use your map to ideate and communicate your security program strategy with other employees at your organization to get their buy-in. This big-picture structure helps guide your decisions about which tools and practices you need to protect your organization’s parts. Determine how to allocate your available defensive resources throughout your security program based on your understanding of how those systems integrate and which threats could impact them most.
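The mapping exercise above (inventory the parts, record how they connect, then find which access points matter most) can be done as a small piece of code rather than only on a whiteboard. The following is an added example, not part of the original post or a ZeroWall tool: it models parts as the five kinds the post names (assets, threats, infrastructure, employees, vendors), connects them with directed "can reach" edges, enumerates every path from a threat to an asset that passes only through attack surfaces, and ranks the surfaces by how many of those paths cross them. All part names and connections are constructed for illustration.

```python
"""Minimal organizational map for a first-pass threat model (added example).

Parts are typed as asset / threat / infrastructure / employee / vendor.
A directed edge src -> dst means "src can reach or interact with dst".
Enumerating simple paths from each threat to each asset shows which
attack surfaces sit on the most paths, one way to decide where to
spend defensive resources first.
"""
from collections import defaultdict

ASSET, THREAT, INFRA, EMPLOYEE, VENDOR = (
    "asset", "threat", "infrastructure", "employee", "vendor")
SURFACES = {INFRA, EMPLOYEE, VENDOR}  # the parts between threats and assets


class OrgMap:
    def __init__(self):
        self.kinds = {}                 # part name -> kind
        self.edges = defaultdict(set)   # part name -> set of reachable parts

    def add(self, name, kind):
        if kind not in {ASSET, THREAT} | SURFACES:
            raise ValueError(f"unknown kind {kind!r} for {name}")
        self.kinds[name] = kind
        return self

    def connect(self, src, dst):
        for n in (src, dst):
            if n not in self.kinds:
                raise KeyError(f"unknown part {n!r}; add it before connecting")
        self.edges[src].add(dst)
        return self

    def parts_of(self, kind):
        return sorted(n for n, k in self.kinds.items() if k == kind)

    def paths(self, threat, asset):
        """All simple paths from threat to asset that traverse only attack surfaces."""
        found = []

        def walk(node, trail):
            for nxt in sorted(self.edges[node]):
                if nxt in trail:          # no cycles
                    continue
                if nxt == asset:
                    found.append(trail + [nxt])
                elif self.kinds[nxt] in SURFACES:
                    walk(nxt, trail + [nxt])  # other assets/threats are not stepping stones

        walk(threat, [threat])
        return found

    def exposure(self):
        """Map each asset to every threat -> asset path that reaches it."""
        return {
            asset: [p for t in self.parts_of(THREAT) for p in self.paths(t, asset)]
            for asset in self.parts_of(ASSET)
        }

    def choke_points(self):
        """Attack-surface parts ranked by how many threat -> asset paths cross them."""
        counts = defaultdict(int)
        for asset_paths in self.exposure().values():
            for p in asset_paths:
                for node in p[1:-1]:      # skip the threat and the asset themselves
                    counts[node] += 1
        return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def build_sample_map():
    """Constructed sample organization; every name here is illustrative only."""
    m = OrgMap()
    for name, kind in [
        ("customer-db", ASSET), ("source-code", ASSET),
        ("phishing-actor", THREAT), ("vendor-compromise", THREAT),
        ("engineer", EMPLOYEE), ("laptop", INFRA), ("vpn", INFRA),
        ("ci-server", INFRA), ("payroll-saas", VENDOR),
    ]:
        m.add(name, kind)
    for src, dst in [
        ("phishing-actor", "engineer"), ("engineer", "laptop"),
        ("laptop", "vpn"), ("vpn", "customer-db"),
        ("laptop", "ci-server"), ("ci-server", "source-code"),
        ("vendor-compromise", "payroll-saas"), ("payroll-saas", "vpn"),
    ]:
        m.connect(src, dst)
    return m


if __name__ == "__main__":
    m = build_sample_map()
    for asset, asset_paths in m.exposure().items():
        print(asset)
        for p in asset_paths:
            print("  " + " -> ".join(p))
    print("choke points:", m.choke_points())
```

On the constructed map, the customer database is reachable by both threats (one through a phished engineer's laptop, one through a vendor's VPN access), while the source code is reachable only through the laptop and CI server; the engineer, the laptop and the VPN each sit on two paths, which is the kind of signal the post suggests using to decide which parts get defensive resources first. Re-running the script as parts and connections change is the "keep it up-to-date" step.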
Congratulations, you’ve just completed the first step in building your threat model! That model is another essential security practice and serves as a simulation of all of your threats and how you would defend against them.
Learn how to evaluate your system’s weaknesses across each attack surface in ZeroWall’s free whitepaper Think Like a Hacker. Defend Like a CISO.
Consistently reevaluate your organizational map and keep it up-to-date as your organization evolves.
Make security requirements part of your process and culture. Revisit and adapt your security program as your security challenge evolves. Picking the right program doesn’t have to be complicated. Start with implementing defense against your highest priority risks, and continue to layer on additional security practices as you grow.
Generate an expert threat model in less time, with confidence. Receive a free ZeroWall Security Assessment and Threat Model.
ZeroWall’s tools can help you assess your information security processes to identify your next steps to optimize your program.
Taking the ZeroWall Assessment™ is the fastest way to get an expert evaluation of your security profile and risks.
ZeroWall’s Threat Model Engine™ works its magic and delivers you a ZeroWall Threat Model and Insights Report that outlines:
- The gaps in your security program
- How your current investments are addressing risks
- How you compare to similarly-sized organizations in your industry
- Right-sized recommendations catered to your unique organization
Get the information you need to confidently build your organization’s right-sized program. Get started >