Maturing Cyber Programs

Cyber is based on cycles. Cyber has no end as it is just a continuous cycle of improvement. There is no definition of done or celebration of a project finishing. Cyber teams are constantly working to improve security. To improve security the team also has to mature the program. This means the whole organization has to mature. The biggest problem is that people are naturally resistant to change. 

How do you overcome this issue?

Buy-in. 

You have to make the change meet the requirements of each person with the what’s-in-it-for-me. This is the hardest part of starting to mature a program. You have to give every person some value back to move forward. 

What does this look like?

It can be many things from less work due to new tooling to helping them with something such as backing one of their initiatives. 

Senior management has to have the buy-in. Not just accepting they will support the efforts - really giving support by being early adopters and adding the initiatives in their communications, not just for a week or month - repeatedly. It has to be a culture change that has milestone updates. Ownership of progress towards goals.  

The initiatives also have clear and concise milestones and goals. Written down and updated in organizational-wide communications. 

You have to answer the why. Why are we doing this? The answer cannot be - “to be more secure”. That does not really answer any questions. Go down to specific reasons and add statistics. Explain the what-ifs. Do not assume it will not be understood. 

Trust that people want to do the right thing. 

Comments

Post a Comment

Popular posts from this blog

Understanding Protection (SC)

Understanding Protection (SC) These controls focus on protecting system boundaries, communications, and preventing unauthorized data exposure. Let's break down the key SC controls with examples. SC-1: Policy and Procedures This foundational control requires documented policies and procedures for system and communications protection. Example: SYSTEM AND COMMUNICATIONS PROTECTION POLICY Version: 2.1 Last Updated: 2025-01-02 1. PURPOSE This policy establishes requirements for protecting the organization’s cloud infrastructure and communications. 2. SCOPE Applies to all cloud systems within the authorization boundary. 3. POLICIES 3.1 Encryption Requirements - All data in transit must use TLS 1.2 or higher - All data at rest must use FIPS 140-2 validated encryption - Key rotation required every 365 days 3.2 Network Security - All external connections must traverse a DMZ - Firewall rules follow deny-by-default principle - Monthly review of access control lists 4. PROCEDURES 4.1 Firewall ...
Read more

Security Assessment (SA) Controls

The Security Assessment (SA) family of controls, derived from NIST 800-53 Revision 5, plays a pivotal role in keeping systems secure over time. What Are the Security Assessment (SA) Controls? The SA family of controls focuses on ensuring that security controls are assessed for their effectiveness and are continuously monitored throughout the life of the system. This means checking whether the security measures in place are not only effective but remain effective and up-to-date as time progresses. For FedRAMP Moderate, these controls are crucial because: They ensure security controls are evaluated regularly. They support continuous monitoring for vulnerabilities or weaknesses. They establish corrective actions when necessary. SA-1: Security Assessment and Authorization Policies and Procedures Control Overview SA-1 requires the development of security assessment and authorization (A&A) policies and procedures. These procedures outline the process for conducting security assessm...
Read more

FedRAMP Moderate Rev 5 SI Controls

  In this post, I'll break down each SI control in FedRAMP Moderate Rev 5 and provide tips.   SI-1: System and Information Integrity Policy and Procedures The key to a strong base is well-documented policies and procedures.  For SI-1, organizations must: - Develop and maintain system and information integrity policies that address purpose, scope, roles, and responsibilities - Define procedures for implementing security controls - Review and update these documents at least annually Example:  Create a System and Information Integrity Policy document that includes: - Malware protection requirements with procedures - System monitoring procedures - Software and firmware update processes - Security alert handling processes and procedures - Error handling protocols  SI-2: Flaw Remediation Flaw remediation is key for maintaining system security.  Organizations must: - Identify, report, and correct system flaws promptly - Test software updates before deployment...
Read more