
Executive's Cybersecurity Program Handbook

By Jason Brown
About this book
Ransomware, phishing, and data breaches are major concerns affecting all organizations, and as a new cyber threat seems to emerge every day, it is paramount to protect the security of your organization and be prepared for potential cyberattacks. This book will ensure that you can build a reliable cybersecurity framework to keep your organization safe from cyberattacks. This Executive’s Cybersecurity Program Handbook explains the importance of executive buy-in, mission and vision statements, and the main pillars of a security program (governance, defence, people, and innovation). You’ll explore the different types of cybersecurity frameworks, how they differ from one another, and how to pick the right framework to minimize cyber risk. As you advance, you’ll perform an assessment against the NIST Cybersecurity Framework, which will help you evaluate threats to your organization by identifying both internal and external vulnerabilities. Toward the end, you’ll learn the importance of standard cybersecurity policies, along with concepts of governance, risk, and compliance, and become well-equipped to build an effective incident response team. By the end of this book, you’ll have gained a thorough understanding of how to build your security program from scratch as well as the importance of implementing administrative and technical security controls.
Publication date: February 2023
Publisher: Packt
Pages: 232
ISBN: 9781804619230


The First 90 Days

Congratulations and welcome to the cybersecurity club! Whether you are just starting out in your cybersecurity career or are a seasoned professional, your first 90 days as the head of security can be tough – yet rewarding. During those first 90 days, you will be challenged to learn the business and its processes, build new relationships, and gain an understanding of what is important to the company. You will also need to meet with your peers to better understand the technology and security stacks in use at the company.

The ability to develop strong relationships early in your tenure will pay off in the long run. Your co-workers will get to know you not only by name but also personally and professionally, and this is your opportunity to do the same. The key is to build good, strong relationships early so that you are not only approachable but people also feel comfortable talking to you.

Many in the business world see information security as the department of "No!", where security trumps everything, from stopping projects to blocking new business processes. Information security departments must take a different stance when it comes to dealing with kids running with scissors. We must ingrain ourselves into the business to see how it runs, and that will come through relationship building. In this first chapter, we will begin to look at the steps you should take in your first 90 days as the head of security at your organization.

In this chapter, we’ll be covering the following topics:

  • Getting executive buy-in
  • Budget or no budget?
  • Vision statements
  • Mission statements
  • Program charters
  • The pillars of your cybersecurity program

Getting executive buy-in

Building relationships with your peers is a must, and this includes those on the executive team. You want to build the same rapport with your executive team as with your peers, so they too feel comfortable speaking with you. This is also the time to begin discussing their thoughts about what the security program was meant to do and what the original direction was. These discussions do not stop with the executive team; if you are able, have the same discussion with key stakeholders and the board of directors.

Without executive buy-in, your program may stall or go nowhere. There are many reasons for this; however, the first step is to determine what the business needs are and how the executives see them being achieved. Many professionals want to come in and effect change in the cybersecurity program right away – I would advocate against this, at least for a little while. The reason is that you must first understand what is important to the business. Remember, you have to crawl before you can walk. Information technology and cybersecurity are no different: before you set direction, determine the vision you and the other executives have for the cybersecurity program.

Cost and budget are also key components of the program, but they are not as important as getting executive buy-in. A new head of security or chief information security officer could come in, build out the plan, forecast the budget, utilize several free open source cybersecurity tools, and the program could still go nowhere because the executive team has decided not to move forward. It did not stop because of the budget – that was just a component of it. The real issue is that your executive team does not accept the decisions or the technology planned for implementation. This is why getting executive buy-in and having conversations about the cybersecurity program are so important.

Next, we can begin to build out a budget that makes sense to everyone. Whether it is five dollars or a million dollars, there are plenty of ways to secure the business; however, the direction you want to go in with the program is up to you.


Budget or no budget?

A budget will make or break a department. Change my mind! That is a very true statement. Or is it? It is what you do with the budget you are given that will make or break a department. Organizations are hard-pressed to spend money on cybersecurity. Why? Because people think “It has never happened to us yet, so why should we bother?” or “We are too small to be a target.” However, mindsets are beginning to change. Many on the business side see cybersecurity or information technology as a sinkhole – one the business pours money into but never sees anything come of it. It is up to you to sell your ideas, get funding, and spend it accordingly.

Cybersecurity, however, is not something to take lightly or brush off as a second thought. States and the federal government are enacting breach notification laws for public and private sector organizations. Cyber insurance companies are serious, too, as they want to ensure their clients are performing their due diligence in reducing cyber risk across the organization. While not everything requires spending the business’s hard-earned money, certain aspects of cybersecurity do require funding.

Cybersecurity spending is also reaching all-time highs. Between 2021 and 2025, cybersecurity spending is expected to reach $1.75 trillion. According to Steve Morgan, founder of Cybersecurity Ventures, the market was worth only $3.5 billion in 2004 (Braue)[1]. That is a 500% increase (I am terrible at math). The Fog of More is a phrase used in cybersecurity to describe vendors trying to sell you the newest, shiniest blinky green and amber lights. How many of us have purchased new firewalls, only for them to collect dust? Better yet, how many of us have implemented firewalls with allow any/any/any rules? Don’t believe me? A quick search on Shodan provides some disturbing statistics. For instance, there were over 286,000 results for open Telnet ports; VNC, almost 540,000 results; RDP, 582,000. These protocols, when exposed to the internet, increase the risk of your organization being attacked.

Not all vendors are bad; quite a few legitimately want to help. In the end, however, money talks. This is why it makes sense to rephrase “A budget will make or break your department” as “It is what you do with the budget that will define the department.” Do not let others fool you. You can churn out a robust security program without major funding.

Organizational technology stacks come in two different flavors: build and buy. While the build camp prefers to utilize as much open source technology and as many free utilities as possible, the buy camp wants to ensure that not only do they have support from a company, but they also have a single entity to blame if something goes wrong. While some concepts in this book will require a company to purchase some type of IT resource, this book is not centered on CapEx purchases. There are plenty of free, low-cost, or no-cost solutions out there if your team is willing to allocate the resources and time to learn the concepts and skills of the trade.

For instance, begin developing your company’s vision, mission, and program charters. This will set the foundation for your program.


Vision statements

The vision of the office of information security is to secure the organization while making security a second thought.

Many organizations tend to throw technology at a problem, but is that the right solution? What is the goal of the company’s information security program? What will make you and your team stand out as a force for delivering top-notch security services? As a security leader, you must first understand where you are and where you want to go. If you do not have an end goal, how will you know how to get there?

A vision statement is a high-level description of how the program strives to achieve success. For instance, the preceding quote is a vision statement that could be used for a security department. It is intended to state not only the purpose of the department but also its overall goal. A phrase I like to use for our security program is “Employees already think of cybersecurity as a second thought – I intend to keep it that way.”

Why is that statement important to me and our program? We want our security program to be as robust as possible and to protect our systems and data while keeping our users safe. Information security should enable the business while making things easy for those who are not technically savvy. It should be as transparent as possible without always being in your face. Users should not have to read an entire manual to learn how to do their jobs, which are already tough without adding more layers on top.

The vision statement should depict what is most important to the department or organization. It should not be lengthy: three sentences or fewer, but make it meaningful. It can be internal- or external-customer-facing, but make it a way of marketing yourself to others. As the security field is dynamic, a vision statement does not have to remain static and can evolve over time. One could write a vision statement and, a few years down the line, decide to change it.

Here’s an example of a vision statement:

The Institute for Information Security & Privacy (IISP) at Georgia Tech is an international leader in researching, developing, and disseminating technical solutions and policy about cybersecurity and privacy. We assemble strong, innovative, multi-disciplinary teams to address contemporary and future cybersecurity or privacy challenges faced by government, industry and individuals. Our graduates become leaders in government, scientific, industry and entrepreneurial communities.

—Georgia Tech University (https://www.scs.gatech.edu/research/institutes-centers)

There is no right way or wrong way to create a vision statement for your department. With one in place, however, it provides context for the goals and objectives that the department strives to achieve. It also shows that the department takes cybersecurity seriously in the types of services it will provide to its customers.

While vision statements are important for providing context for what the department strives to achieve, mission statements are equally as important. Mission statements depict why the department exists.


Mission statements

One may think, “Doesn’t a mission statement belong to the business?” While businesses have a mission statement, departments should have one too. Business-style mission statements articulate the purpose of the business or department and establish the reason for its existence. Some famous mission statements include the following:

To bring the best user experience to its customers through its innovative hardware, software, and services.

—Apple (https://mission-statement.com/apple/)

To empower every person and every organization on the planet to achieve more.

—Microsoft (https://www.comparably.com/companies/microsoft/mission)

Accelerating the world’s transition to sustainable energy.

—Tesla (https://www.tesla.com/about)

What is your security department’s reason for existing? Is it to protect your organization’s sensitive data? Is it to thwart those who would do harm to your organization? How about securing and protecting the free flow of information across the world? I am sure we all have a back story as to why the newly minted cybersecurity manager or chief information security officer position opened at the company. What were the circumstances around your position being created? These questions do not necessarily have or need to have answers. They are there to help you decide how to construct a mission statement.

Before writing a mission statement, understand the culture and, again, what is important to the business. Write one, or a few, select the ones you like best, and then solicit feedback. If you are lucky and have a few security employees that work with you, get their feedback too or ask them to join in.

Mission statements, much like vision statements, are not long: maybe a sentence or two. However, they must have meaning and be celebrated as the crux of how the department will operate. They should motivate employees to do better and be better. The statement should also cause your customer base (others inside and outside the organization) to want to contact you when something is wrong (or right!). On day one, a new employee should know and understand the department’s mission statement.

Mission and vision statements are great in that they highlight the department’s importance and reasons for being a crucial part of the organization. Program charters help bring everything together as they show what a department is responsible for.


Program charters

What is your department responsible for? How will you go about setting policies for information technology and the rest of the organization? Does the department have oversight of how things are implemented, configured, and monitored? When establishing governance, the first thing people think of is building roles and responsibility matrices – responsible, accountable, consulted, and informed (RACI) charts, and the like.

While RACI charts and roles and responsibility matrices tend to provide the who and the what, they do not provide much detail. Program charters are intended to help fill in those gaps. They can be written with as little or as much detail as needed to define what those responsibilities are and their intended purpose. For instance, most information security departments act as advisors to the rest of the information technology department. In this scenario, security has oversight of all aspects of information technology, but security does not implement or configure the IT resource (because of the separation of duties).

Much like policies, standards, and procedures (which we will cover in Chapter 4), a program charter document should have the following sections:

Purpose

What is the purpose of the charter? What is it trying to convey to the reader? Are there specific questions that the charter is trying to answer?

Scope

Charters impact an organization in many ways. They can impact internal and external employees, third-party vendors, contractors, whole departments, or the organization. Who will be impacted when this charter is put into place?

Responsibilities

Much like a RACI chart, what is the security department instructed to do? What is it responsible for? This is where you set the stage for how the department will function. Will it have oversight of many different aspects of information technology and the rest of the organization?

Those responsible for the charter

The charter must have a stakeholder and an executive sponsor to sign off on it. The stakeholder should be the head of the department, whether that is the Chief Security Officer (CSO), Chief Information Security Officer (CISO), director of information security, or manager of information security. These are the individuals who will be making decisions about how they see their cybersecurity department operating. The executive sponsor, whether that is a Chief Information Officer (CIO) or Chief Executive Officer (CEO), must have the authority to sign off on the charter. Once the charter is officially signed off on, it will have the teeth necessary to carry out the charter and any other supporting documentation.

In the previous sections, we have discussed how the security department will achieve success, its importance to the organization, and what it will be responsible for. To build on those concepts, we will take it a step further to discuss initiatives, strategy, and what is important to you as a leader.


The pillars of your cybersecurity program

What are the key initiatives for your security program? What is the strategy you will set that will direct the security program over the next 3-5 years? While we will talk more about developing a strategy in the next two chapters, this is where we will set the stage for that vision. First, start off with two to five high-level categories that are important to you and then begin to drill down from there. Each subcategory gets more defined as we drill down. An example of this is found in the following graphic:

Figure 1.1 – Cybersecurity pillars

In Figure 1.1, the diagram depicts what could be important for your security program. Major high-level ideas branch off from the main topic: Governance, Defense in Depth, People, and Innovation. From the high-level categories, the diagram narrows down from strategic to tactical. For instance, Innovation drills down to Automation and Transparency, and Defense in Depth drills down to Zero Trust, Securing the Edge, and Security Architecture and Operations.

The subcategories begin to drill down into specific concepts or technologies, but do not state which technologies are used. You should not have more than four subcategories from the main topic, but you can have as many or as few as needed to tell the story. This begins the development of the strategic vision you have for your department.

Figure 1.2 – Cybersecurity Defense in Depth pillar

The preceding figure depicts an expanded view of what defense in depth could look like. Starting with the main topic, Defense in Depth, we move toward the categories Zero Trust, Securing the Edge, and Security Architecture and Operations, followed by their respective subcategories.


Summary

Your first 90 days as a new manager, director, or CSO can be an exciting yet intimidating time. How will you get a budget for your program? How does executive management see information security? How will you develop a cybersecurity strategy? There are so many questions, yet few initial answers. Many come into the position and begin throwing technology at the problem, drowning in the Fog of More.

Remember, a security program is more than just technology; it also consists of people and processes. The key to getting started during your first 90 days is to understand the business, its processes, and how key stakeholders see the alignment of information technology and security to the business. Begin developing the department’s mission and vision statements and evangelize them throughout. Get others involved when creating these documents to gather their input and see what is important to them too.

As you have learned in this chapter, your first 90 days is also a time for creating new relationships with your coworkers. Relationships matter when it comes to information technology and security – make sure they are a priority. Eventually, you will have to work with colleagues from all different aspects of the business. Coworkers from finance, human resources, manufacturing, and other departments will have to be incorporated into your processes. Business continuity, incident response, and risk management are not information technology problems; they are business problems. As such, personnel from these departments need to be involved too.

We have now set the initial structure for the cybersecurity department, what is important, and why. In the next chapter, we will discuss the importance of a cybersecurity framework and its overall impact on the department and the organization. Together, these two chapters set the foundation on which you can begin to build a strategy moving forward.


References

  1. Braue, David. (2021, September 10). Global Cybersecurity Spending to Exceed $1.75 Trillion From 2021-2025. Cyber Crime Magazine. https://cybersecurityventures.com/cybersecurity-spending-2021-2025/
About the Author
  • Jason Brown

    Jason Brown's passion lies in data privacy and cybersecurity. He has spent his career working with businesses, from small to large international companies, developing robust data privacy and cybersecurity programs. Jason has held titles such as chief information security officer, virtual chief information security officer, and data privacy officer. He has obtained many industry-leading certifications including ISC2's CISSP, ISACA's CDPSE and COBIT, and ITIL, and holds a Bachelor of Science degree from Central Michigan University and a Master of Science degree from Ferris State University.
