{"id":135,"date":"2021-05-14T15:20:01","date_gmt":"2021-05-14T15:20:01","guid":{"rendered":"https:\/\/companies.mybroadband.co.za\/solid8\/?p=135"},"modified":"2021-05-14T15:20:01","modified_gmt":"2021-05-14T15:20:01","slug":"how-to-mature-your-cybersecurity-program","status":"publish","type":"post","link":"https:\/\/companies.mybroadband.co.za\/solid8\/2021\/05\/14\/how-to-mature-your-cybersecurity-program\/","title":{"rendered":"How to mature your cybersecurity program"},"content":{"rendered":"<p><em>By Gidi Cohen &#8211; Co-founder of Skybox\u00a0<\/em><\/p>\n<p>Security leaders have long wanted to tackle their most pervasive issues. These include exponential growth of the attack surface and cyber risks as well as diminishing control of a rapidly changing technology landscape \u2013 all against the backdrop of severe talent shortages.<\/p>\n<p>Skybox\u2019s new report, \u201c<strong><a href=\"https:\/\/www.skyboxsecurity.com\/trends-report\" target=\"_blank\" rel=\"noopener\">Vulnerability and threat trends 2021: Cybersecurity comes of age,<\/a><\/strong>\u201d demonstrates that there is a need for greater maturity. It brings focus to just how energized threat actors have become over the pandemic: extraordinarily, new malware samples almost doubled over 2020. It highlights how Operational Technology (OT) environments are increasingly exposed to attack: the number of vulnerabilities within Industrial Internet of Things (IIoT) devices increased by 308% over the last year. And it reinforces the scale of the task now facing teams dealing with cyber risk management: there were 18,341 new vulnerabilities over 2020, adding to the exposure from prior years\u2019 discoveries.<\/p>\n<p>What has become clear over the last year is that what was once considered \u201cgood enough\u201d will no longer suffice. Long-held practices relying primarily on detection and response don\u2019t hold water anymore \u2013 if we are honest with ourselves, they were never \u201cgood enough\u201d.<\/p>\n<p>Managing security posture has become a critical necessity for reducing the risk of cyber attacks. By improving security posture, it\u2019s possible to eliminate the exploitation of known attack vectors. Further, by focusing on a much smaller attack surface, detection and response programs can shine again.<\/p>\n<p>But security posture management is not an easy task. Organizations have a complex security stack and use a myriad of technologies. As a result, they are discovering that their muscle to manage security posture is, at best, under-developed. They need to adopt a transformation mindset. To achieve this, organizations need to mature their security programs:<\/p>\n<h3><strong>Develop a roadmap to maturity<\/strong><\/h3>\n<p><a href=\"https:\/\/companies.mybroadband.co.za\/solid8\/files\/2021\/05\/Image-Solid8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-141\" src=\"https:\/\/companies.mybroadband.co.za\/solid8\/files\/2021\/05\/Image-Solid8.png\" alt=\"\" width=\"640\" height=\"430\" srcset=\"https:\/\/companies.mybroadband.co.za\/solid8\/files\/2021\/05\/Image-Solid8.png 640w, https:\/\/companies.mybroadband.co.za\/solid8\/files\/2021\/05\/Image-Solid8-300x202.png 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p>Developing a well-rounded and resilient cybersecurity program isn\u2019t something that can happen overnight. It\u2019s a journey that demands iterative change. The first step of this journey is understanding your organization\u2019s current maturity level. It could be that you are addressing security on an ad-hoc basis, or you may have defined security processes, or you may be at a stage where you can manage your program and are able to drive strategic change. By understanding what the next level of maturity looks like, you can develop a roadmap that will improve your security posture.<\/p>\n<h3><strong>Ad-Hoc<\/strong><\/h3>\n<p>This stage represents the most remedial cybersecurity programs. These can be found in organizations that don\u2019t have consistent processes or policies. An \u201cad-hoc\u201d program is one without systems or tools in place. As a result, there are functional and technological silos; the program is reactive and piecemeal; blind decisions are made that are based on a patchwork of data inputs; and remediation and patching are typically news-driven and happen sporadically.<\/p>\n<h3><strong>Developing<\/strong><\/h3>\n<p>One step above ad-hoc security, this stage is where you will find organizations that have an active cybersecurity program but lack defined processes. For example, they may have a vulnerability scanner but they aren\u2019t using it systematically. Security is something that\u2019s dealt with inconsistently, with periodic clean-ups of rules and objects, hardening of configurations, and patching to eliminate vulnerabilities. Additionally, compliance is handled with manual checking and recertification.<\/p>\n<h3><strong>Defined<\/strong><\/h3>\n<p>Some organizations are at the stage where they have a defined program. They know who is responsible for each task and are clear about processes. However, they still don\u2019t know what\u2019s happening every day. They may have policies in place, but they don\u2019t have any ongoing tools to manage them properly. And they may have a defined vulnerability management program, but they cannot automate remediation and have inconsistent oversight of operational performance and risk level.<\/p>\n<h3><strong>Managed<\/strong><\/h3>\n<p>Organizations with well-established and mature cybersecurity programs sit here. They have dashboards that enable them to manage their program, they can see whether they\u2019re making improvements, and they have insight that enables them to make strategic changes to their programs. And they will be automating change management as well as the discovery, prioritization, and remediation of vulnerabilities.<\/p>\n<h3><strong>Optimizing<\/strong><\/h3>\n<p>Very few organizations are currently at this stage \u2013 in many ways, this is an aspiration for most organizations. But getting to the stage where you can focus on optimizing processes and delivering ongoing, continuous improvement for the organization is achievable. This is when organizations have holistic visibility of the attack surface and can visualize, analyze, and narrow it down on an on-going basis. They have tight integration with the security and IT management ecosystem. They have a common platform and data sets for all teams dealing with security posture management and incident response. And they can leverage context of their environment to zero in on what matters and remediate their most exposed vulnerabilities first.<\/p>\n<h3><strong>Zero in on what matters<\/strong><\/h3>\n<p>By maturing cybersecurity programs beyond traditional defense tactics, the CISO will be able to gain the insight needed to improve security posture. By understanding the context of the infrastructure and its security controls &#8211; on-prem, private cloud, and public cloud, and achieving full visibility of their attack surface, they will be able to better quantify cyber risks, prioritize remediation and zero in on what matters.<\/p>\n<p><strong><a href=\"https:\/\/www.skyboxsecurity.com\/trends-report\" target=\"_blank\" rel=\"noopener\">Skybox\u2019s new report<\/a><\/strong>\u00a0highlights the biggest challenges facing CISOs and their teams today. But it also explains why this is a pivotal moment for cybersecurity. We are at the beginning of an exciting new era. This is the moment when cybersecurity comes of age to help security teams zero in on what matters and overcome some of their largest and most enduring challenges.<\/p>\n<p><strong><a href=\"https:\/\/www.skyboxsecurity.com\/trends-report\" target=\"_blank\" rel=\"noopener\">Read the report now<\/a>.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security leaders have long wanted to tackle their most pervasive issues. These include exponential growth of the attack surface and cyber risks as well as diminishing control of a rapidly changing technology landscape \u2013 all against the backdrop of severe talent shortages.<\/p>\n","protected":false},"author":1,"featured_media":139,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-135","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/companies.mybroadband.co.za\/solid8\/wp-json\/wp\/v2\/posts\/135","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/companies.mybroadband.co.za\/solid8\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/companies.mybroadband.co.za\/solid8\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/companies.mybroadband.co.za\/solid8\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/companies.mybroadband.co.za\/solid8\/wp-json\/wp\/v2\/comments?post=135"}],"version-history":[{"count":2,"href":"https:\/\/companies.mybroadband.co.za\/solid8\/wp-json\/wp\/v2\/posts\/135\/revisions"}],"predecessor-version":[{"id":145,"href":"https:\/\/companies.mybroadband.co.za\/solid8\/wp-json\/wp\/v2\/posts\/135\/revisions\/145"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/companies.mybroadband.co.za\/solid8\/wp-json\/wp\/v2\/media\/139"}],"wp:attachment":[{"href":"https:\/\/companies.mybroadband.co.za\/solid8\/wp-json\/wp\/v2\/media?parent=135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/companies.mybroadband.co.za\/solid8\/wp-json\/wp\/v2\/categories?post=135"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/companies.mybroadband.co.za\/solid8\/wp-json\/wp\/v2\/tags?post=135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}