With Cybersecurity, Technology is Not Enough

Developing an effective Cybersecurity Program for your organization is a difficult task. Given our hurried work lives we may choose to press the proverbial “easy button” and purchase some of the latest technical tools in the hopes that this will protect the organization and let us get back to putting out the other fires that are burning. Unfortunately, the headlines of the day indicate all too often that, in fact, technology is not enough. We need a program that encompasses the people within our organization as well as the processes/policies that govern those people and the technology we use.

Federal agencies have for some time been mandated to have a program that protects the information and information systems utilized by the various agencies. The National Institute of Standards and Technology (NIST) as a part of the US Department of Commerce developed several special publications that guide organizations in developing programs. More recently, state agencies and now private entities have started to adopt these programs. Let’s look at one of these publications and how it is applied to a private organization.

Here is a direct excerpt from NIST Special Publication 800-37r1.

“This publication provides guidelines for applying the Risk Management Framework (RMF) to federal information systems. The six-step RMF includes security categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. The RMF promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes, provides senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions, and integrates information security into the enterprise architecture and system development life cycle. Applying the RMF within enterprises links risk management processes at the information system level to risk management processes at the organization level through a risk executive (function) and establishes lines of responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls).”

800-37r1 requires utilizing a 6-step process when implementing the framework.

Categorize the System

      : In this step the organization determines, based on the predefined risk posture of the organization, what level of risk the current system exposes. In the case of retail organizations for example, the POS system would pose a high level of risk if breached. We see this most recently with the

Wendy’s breach

      of more than 1,000 stores. We also saw this a couple of years ago with the Target debacle. In the case of a

health care organization

      , a high-risk system would be the electronic medical records or even the wirelessly connected medical devices that support patient care. Some lower level systems in both cases may be the guest wireless network. The guest network does need protection, but a breach would likely have a lower impact on the overall organization if properly segmented.

Select Security Controls: Here, we have 3 choices of controls. Administrative Controls, i.e. policies, procedures etc.; Physical Controls, such as gates, guards, cameras; and Technical Controls, Firewalls, Antimalware, Intrusion Detection etc. As I mentioned in my opening statements, this is where the majority of the time and billions of dollars have been spent yet we still see breaches. Technical controls are absolutely necessary, but without the implementation of administrative and physical controls the organization is not adequately protected.

Implement Controls:This is straightforward once you determine what path to take.

Assess Controls: Once implemented they need to be tested before authorizing the system and then on a regular basis going forward. At a minimum they should be tested annually

Authorize the System: In this step the senior leadership has been briefed on the systems categorization and the applied controls to mitigate the defined risk and they are in fact accepting the residual risk that remains. Risk cannot be 100% eliminated and thus the leadership has to decide what level they will accept.

Monitor: Continuous monitoring is key to ensure the controls remain in place and effective.

This 800-37r1 process has proven an effective methodology to follow. In and of itself it is just one component of the overall Cybersecurity Program. As stated in the steps, applying technical controls such as the technology solution is but one component, and just one of many options to mitigate risk. In some cases it is not the most effective choice. In the case of Wendy’s and to some degree Target, it appears that a third party such as a service provider has some culpability to the breach. This should be addressed with administrative controls such as proper vetting of the provider and the technical controls. For the hospitals, better training of the staff (also an administrative control) to minimize the effective social engineering attack is necessary in addition to the technical controls of antimalware.

Each organization should take a holistic approach to Cybersecurity. Try not to look at Cybersecurity as a point product or even a point solution. Instead, look at your overall program and seek to understand how you address the People, Processes and Technology to mitigate risk. Additionally, look into addressing risk before an attack, during the attack and after the attack. Each phase requires attention. This will not eliminate the risk, but it should help to drive the risk posture lower and ensure your organization is taking the proper “due care” and “due diligence” necessary.



Thomas Addison has more than 20 years of experience in the technology industry where he has spent time as an engineer, consultant and sales leader.