Corporate security programs can be difficult to wrap your head around. Many aspects, both administrative and technological, support the overall security of an organization. So, in this article, I want to highlight the key components of an effective information security program to provide an understanding of the various moving parts that protect a company’s people, processes, technology and data.
11 Components of an Effective Cybersecurity Program
- Risk appetite statement.
- Corporate security policies.
- Adoption of a security framework.
- Asset management.
- Identity and access management.
- Security awareness program.
- Endpoint protection.
- Email security.
- Logging and monitoring/SIEM.
- Network security.
- Vulnerability management.
Administrative Security Controls
Administrative security controls refer to policies, processes and procedures that support the enforcement of security within an organization. Although deploying security technology like antivirus software and firewalls might seem like one of the first steps in deploying a security program, you need to have information security policies and procedures in place first to help enforce requirements and guide the development of the program.
Various administrative controls fall into this category, but some of the essential ones include a risk appetite statement, corporate security policies, the adoption of a security framework, asset management, identity and access management, and a security awareness program.
Risk Appetite Statement
A risk appetite statement describes the level of risk the organization is comfortable with. This document also lays out the security program’s role in keeping the risk at an acceptable level to guide the development of new security policies, processes and procedures.
Corporate Security Policies
An organization can have dozens of policies related to information security and cyber risk. So, this guide isn’t an all-encompassing list, but below are some common security policies that may exist in a corporate environment.
- Internet Use — This policy describes appropriate internet browsing on corporate-owned devices.
- Corporate Device Use — This document outlines the acceptable use of corporate assets like mobile phones, tablets and laptops.
- Data Classification — This policy is meant to help employees understand the types of data they may come across and how each classification level should be handled.
- Data Privacy and Handling — This policy describes how data is stored and processed and standardizes the proper use and handling of data based on its classification level.
Adoption of a Security Framework
Another key component of a security program is the framework an organization chooses to adopt. Today, various security frameworks exist to help organizations develop effective security programs, like NIST (National Institute of Standards and Technology), ISO (International Organization for Standardization), and CIS (Center for Internet Security).
Generally, in the early stages of developing a security program, the executive team and security leadership will choose a framework to serve as a building block for it. Although this isn’t a hard requirement, not adopting a framework not only results in a security team having to reinvent the wheel but can also result in an unstructured approach to the program’s development and, in the long term, an ineffective program. These frameworks provide all the guidance necessary to develop a comprehensive and successful security program while also ensuring the company doesn’t miss any steps.
Asset Management
Asset management is a crucial administrative control, especially if an organization wants to have effective and compliant technical security implementation. This concept refers to the lifecycle of corporate assets — laptops, mobile devices and network and server infrastructure — from deployment to decommissioning.
As the saying goes, “You can’t secure what you don’t know exists.” Asset management ensures the IT department and security team have an understanding of all devices in the organization and a process for identifying “rogue devices” that were deployed without going through the proper process.
An accurate and continually updated asset inventory is a foundational component of a successful and effective security program, so investing time, resources, and oftentimes money in developing a strong asset management program is important.
Identity and Access Management
The idea that “you can’t secure what you don’t know exists” holds true for user accounts as well. An identity and access management program is important to ensure a process exists to accurately provision and deprovision accounts and modify permissions when changes in employment status or job role occur. This function is crucial to limit the risk that originates from user accounts and to ensure adherence to the principle of least privilege. When a user is hired, a process must exist between the HR and IT departments to trigger the deployment of a corporate computer and user account, along with the level of network access required for the job role.
Similarly, if that user is promoted, moves to a different role, or leaves the company, the identity and access management processes must account for those changes and act accordingly. If they moved to a new team, their level of access should be adjusted to revoke permissions that are no longer necessary and grant new permissions where required. If the employee is terminated or leaves, the identity and access management team must disable their account and terminate all active sessions immediately to mitigate the risk of things like malicious use of their access or data exfiltration.
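The joiner/mover/leaver process described above, as an added example that is not part of the original article: it reconciles a constructed HR roster against a constructed directory export, using a hypothetical role-to-group map as the least-privilege policy, and emits the actions the IAM team should apply.

```python
# Hypothetical policy: the groups each job role is entitled to (least privilege).
ROLE_GROUPS = {
    "finance-analyst": {"finance-ro", "vpn-users"},
    "finance-manager": {"finance-ro", "finance-rw", "vpn-users"},
    "helpdesk": {"helpdesk", "vpn-users"},
}

def reconcile(hr, accounts):
    """Compare the HR roster with the directory and return the
    (user, action, detail) tuples the IAM team should apply.

    hr:       {user: (role, status)} with status "active" or "terminated"
    accounts: {user: (enabled, set_of_groups)} exported from the directory
    """
    actions = []
    for user, (enabled, groups) in accounts.items():
        rec = hr.get(user)
        if rec is None or rec[1] == "terminated":
            # Leaver or orphaned account: disable it and end its sessions now.
            if enabled:
                actions.append((user, "disable", "no active HR record"))
                actions.append((user, "revoke_sessions", ""))
            continue
        wanted = ROLE_GROUPS.get(rec[0], set())
        for g in sorted(groups - wanted):    # mover: access no longer needed
            actions.append((user, "remove_group", g))
        for g in sorted(wanted - groups):    # mover: access the new role needs
            actions.append((user, "add_group", g))
    for user, (role, status) in hr.items():  # joiner: HR knows them, IT does not
        if status == "active" and user not in accounts:
            actions.append((user, "provision", role))
    return actions

# Constructed sample data: alice was promoted to manager, bob was just hired,
# carol left, dave moved from helpdesk to finance, svc-old has no owner in HR.
SAMPLE_HR = {
    "alice": ("finance-manager", "active"),
    "bob": ("helpdesk", "active"),
    "carol": ("finance-analyst", "terminated"),
    "dave": ("finance-analyst", "active"),
}
SAMPLE_ACCOUNTS = {
    "alice": (True, {"finance-ro", "vpn-users"}),
    "carol": (True, {"finance-ro", "vpn-users"}),
    "dave": (True, {"helpdesk", "vpn-users"}),
    "svc-old": (True, {"finance-rw"}),
}

if __name__ == "__main__":
    for action in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS):
        print(action)
```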
Security Awareness Program
Finally, security awareness education and training is another key part of an effective security program because employees are typically the last line of defense if technical security controls fail in blocking a malicious email, website or file download. Ensuring the security team is doing its part to continually remind employees of best practices and common types of scams is crucial.
Although organizations use software to perform security training and simulations, the policy that undergirds the security education program is important to ensure the security team managing the end-user training is doing so in accordance with the policy. As an example, a policy might state a company will perform monthly phishing simulations (fake phishing scams to test employees’ responses to scam emails), quarterly security awareness campaigns, and semi-annual security awareness training. Having a policy that sets these requirements enables a security team to use software to develop a technical security training program that aligns with the organization’s expectations.
Technical Security Controls
As you might’ve expected, technical security controls refer to technical implementations on corporate assets that draw on technology to provide security. Some common technical controls are secure OS (operating system) configurations, otherwise known as OS hardening, antivirus solutions and firewalls.
In addition to software- or configuration-based controls, some technical controls are more conceptual or procedural. Things like Zero Trust Network Access (ZTNA), Network Access Control (NAC), vulnerability management, and logging and monitoring all rely on some level of technical implementation but are overarching concepts that require multiple processes and procedures, as well as policies, to support their successful development and implementation.
ZTNA refers to solutions that enable an organization to control network access through clearly defined policies based on employee attributes, like role or department. Similarly, NAC is the process of restricting network access from unauthorized devices and is typically used on guest or Wi-Fi networks to control the types of devices that are allowed to connect to the network and, when they do, the level of access they have. Although these concepts differ, their goal is the same: limiting network access so that only what’s required is allowed for each user.
Endpoint Protection
Endpoint protection is a term that encompasses all technical security controls used to protect an endpoint, also known as a workstation or server. Endpoint protection typically includes an antivirus product, nowadays a next-gen one that includes EDR (endpoint detection and response) capabilities, OS security/hardening, a firewall, internet security, and vulnerability scanning.
Together, these tools provide technical security through secure configurations, filtering of a user’s internet activity and monitoring of the behavior on their device, and automatic blocking of known malicious behavior or activity, such as the running of a command or the download of a file linked to malware.
Email Security
Email security involves the implementation of an email gateway that provides filtering, analysis, and blocking of suspicious or malicious emails. I’m sure we’ve all seen our fair share of email scams, and corporate email security is meant to prevent those scam emails from making it to the end-users’ email inboxes. Email security tools generally inspect every inbound email prior to its delivery, checking for known signatures of malicious emails like known bad senders, phishing links, or file hashes, and common indicators that the email isn’t legitimate, like misspelled words or a sense of urgency in the text.
Modern email security solutions also provide more extensive capabilities like post-delivery quarantine in the event a malicious email is detected to have been delivered, and “Report Phish” capabilities that enable a user to report an email they received so it can be reevaluated by the email security tool.
Logging and Monitoring – SIEM
When it comes to detection and response activities, having sufficient logging and monitoring in place is imperative. In addition to having these capabilities in place, having them centrally located in what’s called a SIEM, or Security Information and Event Management, is important. SIEM tools enable an organization to send logs from various sources (typically Active Directory logs, endpoint security tools, and firewalls, among others) to provide the security team with a single location to perform searches and generate alerts.
Modern SIEM tools have extended their capabilities even further to provide out-of-the-box playbooks for automation and common watchlists to help security teams detect known bad behavior and activities and perform actions automatically when certain conditions are true. For example, a team may decide to enable a playbook that automatically quarantines a device if confirmed malicious activity has occurred on it. This speeds up the response and quickly contains a potential threat to prevent lateral movement and infection of other systems.
Network Security
Technical controls involved in network security are those that protect the network through filtering of traffic traversing both the internal network and coming in or going out to the internet. The most common network security control is a firewall, which performs inspection of the packets passing through to ensure they aren’t coming from or going to a malicious destination. Next-gen firewalls provide even more advanced capabilities like inspection that can detect malware and data exfiltration.
In addition to firewalls, various other network security tools contribute to an organization's implementation of concepts like ZTNA and NAC. These tools enable network security teams to adhere to the principle of least privilege by providing access to only the network resources an employee, contractor or guest needs to do their job rather than a user being able to reach any resource on the network.
Vulnerability Management
Last but not least, vulnerability management is essential because of the continually advancing threat landscape. Vulnerability management refers to the processes and procedures that work together to identify, assess and remediate vulnerabilities, or weaknesses, in systems and corporate infrastructure. If we think back to asset management, having an accurate asset inventory comes into play here, as it is required to ensure the security team performs vulnerability assessments against all corporate devices.
Vulnerability tools allow a security team to have a single place to go to view the vulnerabilities that exist within the corporate environment and drill down into specific asset groups like servers or workstations, and even more specifically, review the vulnerabilities discovered on specific systems.
In addition to continuous scanning for vulnerabilities, the security team must work collaboratively across IT and business units to prioritize and remediate findings. This process is also referred to as patch management, which defines how an organization will patch or remediate the vulnerabilities discovered on their systems. Typically, a policy states the acceptable time to remediate critical-, high-, medium- and low-severity vulnerabilities, where the more critical the finding, the quicker it should be mitigated.
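An added example (not from the article) that ties the vulnerability-management section to the asset-management one: it flags open findings that have exceeded a per-severity remediation SLA, lists inventoried assets the scanner never covered, and lists scanned hosts missing from the inventory (candidate rogue devices). The SLA days, inventory, scan results and finding ids are all constructed sample values.

```python
from datetime import date

# Hypothetical policy: maximum days allowed to remediate a finding, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

def overdue_findings(findings, today):
    """Return open findings older than their severity's SLA, most severe first,
    each annotated with how many days past the SLA it is."""
    out = []
    for f in findings:
        if f["status"] != "open":
            continue
        age = (today - f["first_seen"]).days
        limit = SLA_DAYS[f["severity"]]
        if age > limit:
            out.append({**f, "days_overdue": age - limit})
    return sorted(out, key=lambda f: (SLA_DAYS[f["severity"]], -f["days_overdue"]))

def unscanned_assets(inventory, scanned):
    """Inventoried assets the scanner never reported on: the coverage gaps
    that an accurate asset inventory makes visible."""
    return sorted(set(inventory) - set(scanned))

def rogue_hosts(inventory, scanned):
    """Hosts the scanner found that are missing from the inventory."""
    return sorted(set(scanned) - set(inventory))

# Constructed sample data; finding ids are placeholders, not real CVE numbers.
TODAY = date(2024, 6, 1)
INVENTORY = ["srv-db01", "srv-web01", "wks-0042", "wks-0043"]
SCANNED = ["srv-db01", "srv-web01", "wks-0042", "wks-0099"]
FINDINGS = [
    {"id": "F-1", "asset": "srv-web01", "severity": "critical",
     "first_seen": date(2024, 5, 1), "status": "open"},      # 31 days old
    {"id": "F-2", "asset": "srv-db01", "severity": "high",
     "first_seen": date(2024, 5, 10), "status": "open"},     # 22 days, within SLA
    {"id": "F-3", "asset": "wks-0042", "severity": "medium",
     "first_seen": date(2024, 1, 15), "status": "closed"},   # already remediated
    {"id": "F-4", "asset": "wks-0099", "severity": "low",
     "first_seen": date(2023, 11, 1), "status": "open"},     # 213 days old
]

if __name__ == "__main__":
    for f in overdue_findings(FINDINGS, TODAY):
        print(f["id"], f["asset"], f["severity"], f["days_overdue"], "days overdue")
    print("not scanned:", unscanned_assets(INVENTORY, SCANNED))
    print("rogue hosts:", rogue_hosts(INVENTORY, SCANNED))
```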
Develop and Maintain an Effective Security Program
Developing and implementing an information security program is no easy or quick feat. It takes planning, resources, and plenty of time. And once a company implements the components covered in this article, it must make a continuous effort to advance the maturity of the program and its capabilities and ensure it stays current with security best practices and emerging threats.
Information security is a complex problem with no single solution. Administrative and technical controls, along with physical security, must be combined into a security program that is unique to each company and that effectively protects the organization and its people, processes and technology.