Ransomware, phishing, and data breaches are major concerns affecting all organizations as a new cyber threat seems to emerge every day, making it paramount to protect the security of your organization and be prepared for potential cyberattacks. This book will ensure that you can build a reliable cybersecurity framework to keep your organization safe from cyberattacks.
This Executive’s Cybersecurity Program Handbook explains the importance of executive buy-in, mission, and vision statement of the main pillars of security program (governance, defence, people and innovation). You’ll explore the different types of cybersecurity frameworks, how they differ from one another, and how to pick the right framework to minimize cyber risk. As you advance, you’ll perform an assessment against the NIST Cybersecurity Framework, which will help you evaluate threats to your organization by identifying both internal and external vulnerabilities. Toward the end, you’ll learn the importance of standard cybersecurity policies, along with concepts of governance, risk, and compliance, and become well-equipped to build an effective incident response team.
By the end of this book, you’ll have gained a thorough understanding of how to build your security program from scratch as well as the importance of implementing administrative and technical security controls.
You can read the e-book in the Legimi apps or in any app that supports the following format:
Page count: 429
Year of publication: 2023
A comprehensive guide to building and operationalizing a complete cybersecurity program
Jason Brown
BIRMINGHAM—MUMBAI
Copyright © 2023 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author(s), nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Mohd Riyan Khan
Publishing Product Manager: Prachi Sawant
Senior Editor: Tanya D’cruz
Technical Editor: Shruthi Shetty
Copy Editor: Safis Editing
Project Coordinator: Deeksha Thakkar
Proofreader: Safis Editing
Indexer: Pratik Shirodkar
Production Designer: Alishon Mendonca
Marketing Coordinator: Marylou De Mello
First published: February 2023
Production reference: 1270123
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-80461-923-0
www.packtpub.com
To my wife and my daughter. Words cannot express the love I have for both of you. I am so thankful to experience the love and joy you bring me every day. I love you both.
– Jason Brown
Jason Brown’s passion lies in data privacy and cybersecurity. He has spent his career working with businesses, from small to large international companies, developing robust data privacy and cybersecurity programs. Jason has held titles such as chief information security officer, virtual chief information security officer, and data privacy officer. He has obtained many industry-leading certifications, including ISC2’s CISSP, ISACA’s CDPSE and COBIT, and ITIL, and holds a Bachelor of Science degree from Central Michigan University and a Master of Science degree from Ferris State University.
Sai Praveen Kumar Jalasutram is an experienced cybersecurity leader on a mission to defend organizations from advanced cyber threats. With a strong track record of leading teams in conducting investigations, gathering intelligence, implementing security controls, and improving the overall security posture, Sai has a deep understanding of the constantly evolving threat landscape and is skilled in identifying threat patterns and developing strategies to mitigate potential cyber threats. Throughout his career, Sai has worked with a variety of global organizations across multiple sectors, including government, technology, finance, and education, consistently delivering valuable insights and solutions for improving the cyber resilience of these companies. Sai played a key role in the development of the Certified Ethical Hacker (CEHv10) and Certified Threat Intelligence Analyst (CTIA) certifications offered by EC-Council and has published articles in various cybersecurity magazines.
Kenneth Underhill is a co-founder of Cyber Life, which provides cybersecurity certification education to organizations and cybersecurity professionals, and one of the authors of the international bestselling book Hack the Cybersecurity Interview. He has won multiple industry awards for his work to improve diversity in the industry and is an advocate for women’s rights. Ken educates millions of people each year through his online cybersecurity courses and sits on the advisory board of Breaking Barriers Women in CyberSecurity (BBWIC). He also holds a graduate degree in cybersecurity and information assurance and several industry certificates (CCSK, CEH, and CHFI).
The Fog of More is a term created for the onslaught of vendors and cybersecurity professionals who want to throw money at a problem. The problem turns into appliances, with blinky lights, that never get fully implemented or go unused. Hundreds of thousands, if not millions, of dollars are spent every year on buying the latest and greatest technology only to miss the fundamentals of implementing basic security controls. We, as professionals, need to take a step back and look at the overall current state of the cybersecurity program and decide where we want to go. This can get muddled with wanting to spend money on technologies, but is that truly the answer?
Many cybersecurity professionals who are expected to develop a cybersecurity program begin with little to no budget, with the expectation of protecting the organization from unforeseen events. While some technologies cost money, cybersecurity fundamentals still remain. These fundamentals are oftentimes overlooked, spending more money to compensate for controls that may already be built into existing resources. There has to be a better way to tackle this problem.
This book will guide you through low-cost/no-cost solutions that you can start off with when creating a cybersecurity program from the ground up. There are plenty of ways that you can develop a program when you do not have the initial funding to get the program going. Utilizing cybersecurity standards is just one way of getting there, guiding you through the process of implementing best practices. These all have to be planned out by setting goals to achieve the objectives in your strategic plan.
You have climbed the ranks and now it is your turn to lead a team of cybersecurity rockstars. As the new head of security, it is time to leave most of your technical abilities behind and focus on the business. This book will help you change your mindset by taking business objectives and applying them to the cybersecurity outcomes the organization needs. This book is meant for the first-time manager, director, or chief information security officer – those who have climbed the ranks and are now in charge.
Chapter 1, The First 90 Days
Congratulations! You are now the head of security for your organization – what a tremendous achievement. If you have worked your way up through the ranks of IT and cybersecurity, you have had to develop the technological side of your career. It is not a time to abandon this, however; you will need to understand how the business runs and what is important to the organization. In addition to understanding your business goals, in this chapter, we also review and develop strategies for determining which IT and security aspects are important to you and your team.
Chapter 2, Choosing the Right Cybersecurity Framework
Cybersecurity is more than just “checking a box,” it is a mindset. It is a continuously evolving field with new threats occurring every day. How do you stay ahead of the adversary? In order to stay a step ahead, we will review the various types of cybersecurity frameworks available and select one to implement. Cybersecurity frameworks promote best practices, which in turn will make it more difficult for an adversary to take control of an IT resource.
Chapter 3, Cybersecurity Strategic Planning Through the Assessment Process
Once we have picked our framework of choice, we must put it to work. Where do you start? The first step is to conduct a risk assessment and perform a gap analysis. This analysis will not only show you your current state of security but will also show you where your deficiencies are. From there, we will create our strategic plan to put safeguards in place to enhance the security of the environment.
Chapter 4, Establishing Governance Through Policy
A large part of a maturity-based cybersecurity program is the establishment of governance. Governance is an important step in maturing your cybersecurity, or overall IT, department. Part of your governance program is developing policies, standards, and procedures for your teams to align with. There also must be a framework for establishing policy documents for your organization. Creating them is the first step; however, you must develop a document life cycle for review and approval. This chapter will review the steps necessary to create a governance program.
Chapter 5, The Security Team
As the head of security, you may have a large team, have a handful of employees, or you might be the lone person working on security. Eventually, you will want to continue to grow your team, but what should you look for? Cybersecurity analysts, engineers, and architects all have their own sets of unique qualities, so how do you choose which is right to meet the business’ demanding requirements? This chapter will provide an overview of these positions, and ensure that you have the backing of the business to continue to mature your department.
Chapter 6, Risk Management
There is nothing that comes without some type of risk and these risks are all driven by decision-making. This is no different when evaluating risks within an IT environment. In this chapter, we review how to use security categorizations to evaluate the risk for an IT resource. Having evaluated it, we continue to look at how we want to maneuver that risk – whether we accept, transfer, mitigate, or avoid it. Once we have determined how we want to maneuver the risk, we will build out documentation through the use of a systems security plan and risk register to record the risk posture of the environment.
Chapter 7, Incident Response
Some aspect of your IT and security program will fail. Someone will penetrate your network, or a catastrophic event will occur. You must train as you fight, and doing so will better prepare you for when the inevitable happens. This chapter reviews how to prepare for an incident, what to have in place for when one occurs, and how to better prepare yourself for when it happens again.
Chapter 8, Security Awareness and Training
This chapter reviews the differences between security awareness, training, and education. It will walk you through how to gain buy-in from executives to train your security staff. As cybersecurity continuously evolves, so too should the knowledge of your employees.
Chapter 9, Network Security
There have been plenty of digital disruptions throughout history, though by far the largest disrupter has been the creation of the internet. There are approximately 30 billion devices all connected to the same medium, which can be challenging to secure, to say the least. In this chapter, we will review the history of the internet, predict what the next biggest thing will be in internet and networking technologies, and discuss how to secure the next invention.
Chapter 10, Computer and Server Security
Ever wondered how computers got their start? This chapter reviews the history of computers, server architecture, and the software that runs on them. We will look at how to secure them and mitigate any threats through best practices.
Chapter 11, Securing Software Development Through DevSecOps
Software is what drives the technologies we use every day. Through software, we can write applications, create operating systems, and direct traffic across a network. It is no wonder software development is key to any business. However, it can also be our downfall. This chapter reviews how to implement security early in a project, the DevSecOps steps, the importance of code reviews, and how to test software to ensure that it has mitigated any risks to a tolerable level.
Chapter 12, Testing Your Security and Building Metrics
You have put in the work, and now it is time to show how your security program has progressed. As the head of security, you will need to highlight your achievements and show the executive team and the board what work has been done and what is yet to be done.
We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://packt.link/QTWim.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Once you’ve read Executive’s Cybersecurity Program Handbook, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.
Thanks for purchasing this book!
Do you like to read on the go but are unable to carry your print books everywhere?
Is your eBook purchase not compatible with the device of your choice?
Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.
Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.
The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily
Follow these simple steps to get the benefits:
Scan the QR code or visit the link below: https://packt.link/free-ebook/9781804619230
Submit your proof of purchase
That’s it! We’ll send your free PDF and other benefits to your email directly.
All too often I see organizations throwing hundreds, if not thousands, of dollars at cybersecurity problems. But is this really the right course of action, especially when you are only just starting to develop your program?
To start your endeavor in developing a cybersecurity program, you must understand where you are starting from. Often, this will require an assessment to be performed, one that helps you understand the current security posture. To perform an assessment, you must first choose the types of controls and cybersecurity standard you want to assess the organization against.
There are plenty of cybersecurity standards to choose from, but how do you choose? First, it requires you to understand the organization, its requirements, and where it conducts business. If it conducts business in Europe or other regions outside the U.S., it may be best to use an international standard such as ISO 27001/27002. In the U.S., many higher education and governmental organizations typically use standards developed by the National Institute of Standards and Technology (NIST).
This first part of the book is centered around cybersecurity program development, and how you and your organization can leverage the NIST standards. The first few chapters will guide you through what you need to do in the first 90 days on the job, which standard you should choose, and how to align that standard to business objectives. By leveraging the NIST Cybersecurity Framework, you can get a head-start on the implementation of administrative controls and establish governance. In addition to administrative controls, we will also look at the Center for Internet Security, a U.S. non-profit organization that assists with the implementation of technical security controls. Combining these two frameworks together will assist in the creation of your cybersecurity program.
Congratulations and welcome to the cybersecurity club! Whether you are just starting off on your cybersecurity career or are a seasoned professional, your first 90 days as the head of security can be tough – yet rewarding. During your first 90 days as the head of security, you will be challenged to learn the business and its processes, build new relationships, and gain an understanding of what is important to the company. You will need to hold meetings with your peers to better understand the technology or security stacks being used at the company.
The ability to develop strong relationships early on in your tenure will pay off in the long run. Your co-workers will get to not only know you by name but also get to know you personally and professionally. This is also your opportunity to do the same. The key is to build good, strong relationships early so you are not only approachable, but people feel comfortable talking to you.
Many in the business world see information security as the department of, "No!" where security trumps everything, from stopping projects to blocking new business processes. Information security departments must take a different stance when it comes to dealing with kids running with scissors. We must engrain ourselves into the business to see how it runs, and that will come through relationship building. In this first chapter, we will begin to look at what steps you should take in the first 90 days as the head of security at your organization.
In this chapter, we’ll be covering the following topics:
Getting executive buy-in
Budget or no budget?
Vision statements
Mission statements
Program charters
The pillars of your cybersecurity program
Building relationships with your peers is a must, and this includes those on the executive team. You want to build the same rapport with your executive team as with your peers, so they too feel comfortable speaking with you. This is also the time to begin discussing their thoughts about what the security program was meant to do and what the original direction was. These discussions do not stop with the executive team; if you are able, have the same discussion with key stakeholders and the board of directors.
Without executive buy-in, your program may stall or go nowhere. There are many reasons for this; however, the first step is to determine what the business needs are and how executives see them being achieved. Many professionals want to come in and make sweeping changes to the cybersecurity program right away. I would advocate against this, at least for a little while, because you must first understand what is important to the business. Remember, you have to crawl before you can walk. Determining the vision that you and the other executives share for the cybersecurity program works the same way, whether the change being planned is in information technology or in cybersecurity.
Cost and budget are also key components of the program, but are not as important as getting executive buy-in. A new head of security or chief information security officer could come in, build out the plan, forecast the budget, utilize several free open source cybersecurity tools, and it could still go nowhere as the executive team has decided to not move forward. It did not stop because of the budget – that was just a component of it. The real issue is that your executive team does not accept the decisions or technology planned for implementation. This is why getting executive buy-in and having conversations regarding the cybersecurity program are so important.
Next, we can begin to build out a budget that makes sense to everyone. Whether it is five dollars or a million dollars, there are plenty of ways to secure the business; however, the direction you want to go in with the program is up to you.
A budget will make or break a department. Change my mind! That is a very true statement. Or is it? It is what you do with the budget you are given that will make or break a department. Organizations are hard-pressed to spend money on cybersecurity. Why? Because people think “It has never happened to us yet, so why should we bother?” or “We are too small to be a target.” However, mindsets are beginning to change. Many on the business side see cybersecurity or information technology as a sinkhole – one the business pours money into but never sees anything come of it. It is up to you to sell your ideas, get funding, and spend it accordingly.
Cybersecurity, however, is not something to take lightly or brush off as a second thought. States and the federal government are enacting breach notification laws for public and private sector organizations. Cyber insurance companies are serious, too, as they want to ensure their clients are performing their due diligence in reducing cyber risk across the organization. While not everything requires spending the business’s hard-earned money, certain aspects of cybersecurity do require funding.
Cybersecurity spending is also reaching all-time highs. Cumulative cybersecurity spending between 2021 and 2025 is expected to reach $1.75 trillion, and according to Steve Morgan, founder of Cybersecurity Ventures, the market was worth only $3.5 billion in 2004 (Braue)[1]. That is roughly a 500-fold increase, not 500% (I am terrible at math). The Fog of More is a phrase used in cybersecurity for vendors trying to sell you the newest, shiniest blinky green and amber lights. How many of us have purchased new firewalls, only for them to collect dust? Better yet, how many of us have implemented firewalls with allow any/any/any rules? Don’t believe me? A quick search on Shodan provides some disturbing statistics. For instance, there were over 286,000 results for open Telnet ports; VNC, almost 540,000 results; RDP, 582,000. These protocols, when exposed to the internet, increase the risk of your organization being attacked: Telnet carries credentials in cleartext, and internet-facing VNC and RDP are routinely brute-forced. Before buying another appliance, audit the rules on the firewall you already own and confirm which management services are reachable from outside.
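The audit the preceding paragraph calls for can be automated against a firewall rule export. The following is an added example, not code from the book or from any firewall vendor; it assumes a constructed, vendor-neutral CSV export with the columns action, src, dst, proto and dport (adapt the parser to your own vendor's format) and flags two of the conditions discussed above: allow any/any/any rules and internet-reachable Telnet, VNC or RDP.

```python
"""Added example (not from the book): flag over-permissive perimeter
firewall rules and internet-exposed remote-access services.

The CSV layout (action,src,dst,proto,dport) is an assumption standing in
for whatever export format your firewall produces.
"""
import csv
import io
import ipaddress

# Services the chapter calls out as dangerous when reachable from the internet.
RISKY_PORTS = {23: "telnet", 3389: "rdp", 5900: "vnc"}

# Constructed sample export used as input; these are not real rules.
SAMPLE_RULES = """\
action,src,dst,proto,dport
allow,10.0.0.0/8,10.20.0.0/16,tcp,22
allow,0.0.0.0/0,203.0.113.10/32,tcp,443
allow,0.0.0.0/0,203.0.113.11/32,tcp,3389
allow,0.0.0.0/0,0.0.0.0/0,any,any
deny,0.0.0.0/0,0.0.0.0/0,any,any
"""


def _is_any(value):
    """Wildcard spellings commonly seen in rule exports."""
    return value.strip().lower() in ("any", "*", "")


def _is_internet(cidr):
    """True if the address object covers the entire IPv4 or IPv6 space."""
    if _is_any(cidr):
        return True
    try:
        net = ipaddress.ip_network(cidr.strip(), strict=False)
    except ValueError:
        return False
    return net.prefixlen == 0


def parse_rules(text):
    """Parse the CSV export into a list of dicts, one per rule."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_rules(rules):
    """Return (rule_index, finding) tuples for permissive allow rules.

    Only 'allow' rules are examined. The index is the rule's 0-based
    position in the export, which matters because most firewalls apply
    the first matching rule.
    """
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"].strip().lower() != "allow":
            continue
        src_any = _is_internet(rule["src"])
        dst_any = _is_internet(rule["dst"])
        port_any = _is_any(rule["dport"])
        if src_any and dst_any and port_any:
            findings.append((i, "allow any/any/any"))
            continue
        if src_any and not port_any:
            try:
                port = int(rule["dport"])
            except ValueError:
                continue  # port ranges or names are out of scope here
            if port in RISKY_PORTS:
                findings.append((i, f"{RISKY_PORTS[port]} exposed to internet"))
    return findings


if __name__ == "__main__":
    for index, finding in audit_rules(parse_rules(SAMPLE_RULES)):
        print(f"rule {index}: {finding}")
```

Run it against the real export rather than the sample, and treat every finding as something to justify in writing or remove; a permit for RDP from 0.0.0.0/0 is exactly the kind of exposure the Shodan numbers above are counting.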
Not all vendors are bad; quite a few legitimately want to help. In the end, however, money talks. This is why it makes sense to rephrase “A budget will make or break your department” to “It is what you do with the budget that will define the department.” Do not let others fool you. You can churn out a robust security program without major funding.
Organizational technology stacks come in two different flavors, build and buy. While the build camp prefers to utilize as much open source technology and free utilities as possible, the buy camp wants to ensure that not only do they have support from a company, but they also have a single entity to blame if something goes wrong. While some concepts in this book will require a company to purchase some type of IT resource, this book is not centered on CapEx purchases. There are plenty of free, low-cost, or no-cost solutions out there if your team is willing to allocate the resources and time to learn about concepts and learn the skills of the trade.
For instance, begin developing your company’s vision, mission, and program charters. This will set the foundation for your program.
The vision of the office of information security is to secure the organization while making security a second thought.
Many organizations tend to throw technology at a problem, but is that the right solution? What is the goal of the company’s information security program? What will make you and your team stand out as a force for delivering top-notch security services? As a security leader, you must first understand where you are and where you want to go. If you do not have an end goal, how will you know how to get there?
A vision statement is a high-level description of how the program strives to achieve success. For instance, the preceding quote is a vision statement that could be used for a security department. It is intended to not only state the purpose of the department but the overall goal. A phrase I like to use for our security program is “Employees already think of cybersecurity as a second thought – I intend to keep it that way.”
Why is that statement important to me and our program? We want our security program to be as robust as possible and protect our systems and data while keeping our users safe. Information security should enable while making it easy for those who are not technically savvy. It should be as transparent as possible without always being in your face. Users should not have to read an entire manual to learn how to do their jobs, which are already tough without adding more layers on top.
The vision statement should depict what is most important to the department or organization. It should not be lengthy―only three sentences or fewer, but make it meaningful. It can be internal or external customer-facing, but make it a way of marketing yourself to others. As the security field is dynamic, a vision statement does not have to remain static and can evolve over time. One could write a vision statement and a few years down the line, decide to change it.
Here’s an example of a vision statement:
The Institute for Information Security & Privacy (IISP) at Georgia Tech is an international leader in researching, developing, and disseminating technical solutions and policy about cybersecurity and privacy. We assemble strong, innovative, multi-disciplinary teams to address contemporary and future cybersecurity or privacy challenges faced by government, industry and individuals. Our graduates become leaders in government, scientific, industry and entrepreneurial communities.
—Georgia Tech University (https://www.scs.gatech.edu/research/institutes-centers)
There is no right way or wrong way to create a vision statement for your department. With one in place, however, it provides context for the goals and objectives that the department strives to achieve. It also shows that the department takes cybersecurity seriously in the types of services it will provide to its customers.
While vision statements are important for providing context for what the department strives to achieve, mission statements are equally as important. Mission statements depict why the department exists.
One may think, “Doesn’t a mission statement belong to the business?” While businesses have a mission statement, departments should have one too. Business-style mission statements articulate the purpose of the business or department and establish the reason for its existence. Some famous mission statements include the following:
To bring the best user experience to its customers through its innovative hardware, software, and services.
—Apple (https://mission-statement.com/apple/)
To empower every person and every organization on the planet to achieve more.
—Microsoft (https://www.comparably.com/companies/microsoft/mission)
Accelerating the world’s transition to sustainable energy.
—Tesla (https://www.tesla.com/about)
What is your security department’s reason for existing? Is it to protect your organization’s sensitive data? Is it to thwart those who would do harm to your organization? How about securing and protecting the free flow of information across the world? I am sure we all have a back story as to why the newly minted cybersecurity manager or chief information security officer position opened at the company. What were the circumstances around your position being created? These questions do not necessarily have or need to have answers. They are there to help you decide how to construct a mission statement.
Before writing a mission statement, understand the culture and, again, what is important to the business. Write one, or a few, select the ones you like best, and then solicit feedback. If you are lucky and have a few security employees that work with you, get their feedback too or ask them to join in.
Mission statements, much like vision statements, are not long: maybe a sentence or two. However, it must have meaning and be celebrated as the crux of how the department will operate. It should motivate employees to do better and be better. The statement should also cause your customer base (others inside and outside the organization) to want to contact you when something is wrong―or right! On day one, a new employee should know and understand the department’s mission statement.
Mission and vision statements are great in that they highlight the department’s importance and reasons for being a crucial part of the organization. Program charters help bring everything together as they show what a department is responsible for.
What is your department responsible for? How will you go about setting policies for information technology and the rest of the organization? Does the department have oversight of how things are implemented, configured, and monitored? When establishing governance, the first thing people think of is building roles and responsibility matrices – responsible, accountable, consulted, and informed (RACI) charts, and the like.
While RACI charts and roles and responsibility matrices provide the who and the what, they do not provide much detail. Program charters are intended to fill in those gaps. They can be written with as little or as much detail as needed to define what those responsibilities are and their intended purpose. For instance, most information security departments act as advisors to the rest of the information technology department. In this scenario, security has oversight of all aspects of information technology, but security does not implement or configure the IT resource (because of the separation of duties).
Much like policies, standards, and procedures (which we will cover in Chapter 4), a program charter document should have the following sections:
What is the purpose of the charter? What is it trying to convey to the reader? Are there specific questions that the charter is trying to answer?
Charters impact an organization in many ways. They can impact internal and external employees, third-party vendors, contractors, whole departments, or the organization. Who will be impacted when this charter is put into place?
Much like a RACI chart, what is the security department instructed to do? What is it responsible for? This is where you set the stage for how the department will function. Will it have oversight of many different aspects of information technology and the rest of the organization?
The charter must have a stakeholder and an executive sponsor to sign off on it. The stakeholder should be the head of the department, whether that is the Chief Security Officer (CSO), Chief Information Security Officer (CISO), director of information security, or manager of information security. These are the individuals who will be making decisions about how they see their cybersecurity department operating. The executive sponsor, whether that is a Chief Information Officer (CIO) or Chief Executive Officer (CEO), must have the authority to sign off on the charter. Once the charter is officially signed off on, it will have the teeth necessary to carry out the charter and any other supporting documentation.
In the previous sections, we have discussed how the security department will achieve success, its importance to the organization, and what it will be responsible for. To build on those concepts, we will take it a step further to discuss initiatives, strategy, and what is important to you as a leader.
What are the key initiatives for your security program? What is the strategy you will set that will direct the security program over the next 3-5 years? While we will talk more about developing a strategy in the next two chapters, this is where we will set the stage for that vision. First, start off with two to five high-level categories that are important to you and then begin to drill down from there. Each subcategory gets more defined as we drill down. An example of this is found in the following graphic:
Figure 1.1 – Cybersecurity pillars
In Figure 1.1, the diagram depicts what could be important for your security program. Major high-level ideas branch off from the main topic: Governance, Defense in Depth, People, and Innovation. From the high-level categories, the diagram narrows down from strategic to tactical. For instance, Innovation drills down to Automation or Transparency, and Defense in Depth drills down to Zero Trust, Securing the Edge, and Security Architecture and Operations.
The subcategories drill down into specific concepts or technologies, but do not state which products are used. You should have no more than four categories branching directly from the main topic, but beneath them you can have as many or as few subcategories as needed to tell the story. This begins the development of the strategic vision you have for your department.
Figure 1.2 – Cybersecurity Defense in Depth pillar
The preceding figure depicts an expanded view of what defense in depth could look like. Starting with the main topic, Defense in Depth, we move toward the categories Zero Trust, Securing the Edge, and Security Architecture and Operations, followed by their respective subcategories.
Your first 90 days as a new manager, director, or CSO can be an exciting yet intimidating time. How will you get a budget for your program? How does executive management see information security? How will you develop a cybersecurity strategy? There are so many questions, yet few initial answers. Many come into the position and begin throwing technology at the problem, drowning in the Fog of More.
Remember, a security program is more than just technology; it also consists of people and processes. The key to getting started during your first 90 days is to understand the business, its processes, and how key stakeholders see the alignment of information technology and security to the business. Begin developing the department’s mission and vision statements and evangelize them throughout. Get others involved when creating these documents to gather their input and see what is important to them too.
As you have learned in this chapter, your first 90 days are also a time for creating new relationships with your coworkers. Relationships matter when it comes to information technology and security – make sure they are a priority. Eventually, you will have to work with colleagues from all different aspects of the business. Coworkers from finance, human resources, manufacturing, and other departments will have to be incorporated into your processes. Business continuity, incident response, and risk management are not information technology problems; they are business problems. As such, personnel from these departments need to be involved too.
We have now set the initial structure for the cybersecurity department, what is important, and why. In the next chapter, we will discuss the importance of a cybersecurity framework and its overall impact on the department and the organization. Together, these two chapters set the foundation on which you can begin to build a strategy moving forward.