Tenable & IDG Whitepaper_Building a Secure Foundation to Reduce Cyber Risk
Strategic approach to building a solid foundation
There are several best practices companies should adopt that
will ease the selection and implementation of a security
framework.
Beyond this, however, it is necessary to secure the entire
organization against pervasive threats, which often escalate
in step with cyber exposure. Here it is critical to automate
the operation, assessment, and reporting of these controls so
that threats are prevented rather than merely observed.
Unfortunately, on average, organizations automate only 45% of
foundational cyber security controls.
While some administrative controls, such as training, may
not require automation, the technical controls that monitor IT
environments should gather and process data continuously to
gauge conformance effectively. These activities produce far too
much data to handle manually, and few organizations have the
staff to dedicate fully to the task. The problem will only get
worse: the non-profit information security advocacy group ISACA
predicts a global shortage of 2 million cyber security
professionals by 2019.
To ensure basic foundational security, organizations should
embrace a foundational security solution that addresses the
breadth of the IT environment. Such a solution must integrate
with a multitude of tools and technologies to enhance
discovery, assessment, and analysis.
A foundational security solution helps overcome the challenges
of implementing the controls, in part through automation. One
of the primary challenges is that successful and sustainable
adoptions are often multiyear projects, meaning people need a
logical way to get started and, most importantly, to prioritize
each step. This is why a solid strategy is important.
www.tenable.com
Start simple.
There are significant benefits to embracing a methodical
approach. No organization can apply all controls at once.
Incremental implementation addresses the most important
aspects first, and then builds. For instance, start with a subset
of a business system such as a CRM application, where critical
customer data often resides. A single starting point allows
the security team to build an internal set of lessons learned
that it can then apply to other business systems. This also
establishes a foundation to apply subsequent controls.
Although the goal is to have all these controls operating
concurrently, the reality is that it takes time to fully implement
them. Many companies use the prioritization in the CIS Controls
to put together an implementation plan, and for good reason.
The 20 CIS Controls are the result of industry practitioners
working together to develop and maintain a best-practices-based
approach to security. Following the process, with its
sequential steps, helps organizations build on success.
Understand that ad-hoc tools alone do not yield success.
Relying solely on the latest tools may provide a false sense
of security, causing teams to inadvertently create gaps or
security weaknesses. This is especially true when there is a
lack of integration among technologies. For this reason, the
initial focus should be selecting a framework that will serve as
a road map, and then implementing its controls as a means to
establish security fundamentals.
Failing to embrace a framework hampers the organization’s
ability to grasp the big security picture. Proven templates help
organizations avoid glaring gaps, and security frameworks
guide the implementation of controls.
It is also worth noting that when using a framework, security
teams have a vehicle to talk risk and budget with executive
management. According to CreditSafe CISO Russ Kirby: “A
framework facilitates an understanding of risk within the
business, and those understandings allow you to identify the
most critical projects that you must have.”
Additionally, the foundational controls in security frameworks
help organizations build a base for reuse and flexibility that
can streamline compliance with the other frameworks and
regulations.
Building a Secure Foundation to Reduce Cyber Risk
3
“A great wealth of knowledge is created
around a framework. Standardized tools
that help with compliance and drive
automation enable you to complete your
programs more quickly. If you have a
framework, your job is easier because
when you create a map, you realize that
70 to 90% of the controls are common
between various requirements.”
— Kalpesh Doshi, CISO, Capgemini
Seek expertise to ensure successful implementation.
Companies need more than just a technology vendor to build
a secure foundation. The right solution partner should be able
to offer best practices and procedures that help define and
document repeatable processes.
A strategic partner also provides experts with a deep
understanding of security controls, cyber risks, and the
modern attack surface who can provide mentorship and
guidance—especially when IT staffs are stretched thin.
Likewise, access to an ecosystem of technology partners
allows for easy integration across the IT environment.
In a world where cyber attacks are a growing problem, and
IT complexity continues to intensify, no organization can
afford to ignore the importance of embracing, deploying, and
maintaining a security platform capable of evolving in step
with the ever-changing threat landscape. Security frameworks
represent a proven pathway to a secure environment.
To learn more about how enterprises
around the world are benefiting from
security frameworks, read the eBook,
“The Economic, Strategic and Operational Benefits
of Security Framework Adoption.”
Tenable™, Inc. is the Cyber Exposure company. More than 23,000 organizations of all sizes around the globe rely
on Tenable to manage and measure their modern attack surface to accurately understand and reduce cyber
risk. As the creator of Nessus®, Tenable built its platform from the ground up to deeply understand assets,
networks and vulnerabilities, extending this knowledge and expertise into Tenable.io™ to deliver the world’s first
platform to provide live visibility into any asset on any computing platform. Tenable customers include more
than 50 percent of the Fortune 500, large government agencies and mid-sized organizations across the private
and public sectors. For more information, visit: www.tenable.com