HOLISTIC CYBERSECURITY - IN DEPTH


This page based on the article published April 2024 – click here – and will continue to be developed here.

Strengthening Every Weak Link

Most Cybersecurity services and products focus on Information Technology, selling branded solutions, missing critical actions, impacting the entire organization, leaving weak links to be exploited.

This new Holistic Approach To Cybersecurity covers all aspects of your organization, large & small, starting with the Exec team  plus your suppliers and contractors.

Transformative not just informative, it gives guidance on 100 actions in the mind-bending world of Cybersecurity that moves faster than you can read about it. It looks at long-term causes, the latest scary threats covers the latest IT innovations and Zero Trust strategies to address these threats and reduce risk.

 

If it enables you to mitigate the most vulnerable threats to your organization’s existence, then this work will have succeeded.

I wrote this for those executives who have neither the time nor inclination to read it! If it’s not understood or adopted by the organization’s leadership, it will likely fail.
For CSO/CISOs it’s a checklist of what’s needed to implement Holistic Cybersecurity. If you are not part of the executive team or don’t have a dedicated security or IT resource, it will bring awareness of its holistic nature and delegation to providers.

The "Why" of Holistic Cybersecurity"

Overlooked fundamentals that lead to cyber-disasters

Two hundred and thirty eight years ago, Thomas Reid wrote in an essay: “The chain is only as strong as its weakest link, for if that fails the chain fails together with the object that it has been holding up.”

However, that thought seems to be lost whenever we open an e-mail or read articles from security experts. They love to  give us the top three, five or ten cybersecurity actions to make our company safe. It draws us to slick solutions that promise the end of stress.

It’s about the big picture and the inescapable detail. Weak links are located across the organization and beyond—not just inside your IT domain. This is why Holistic Cybersecurity is the only approach that examines every potential vulnerability in your defensive chain … and it’s not that hard.

.

Holistic Cybersecurity Defined

Holistic Cybersecurity is a strategy to discover every vulnerability, strengthening and protecting across the entire organization and beyond. It must be managed and driven by the executive team.

The "Who" of Holistic Cybersecurity

Reality Check: No Short Cuts

The reality is that cybersecurity consists of 100+ potential vulnerabilities—weak links—not a few slick sound bites. While NIST’s Cybersecurity Framework covers 106 areas, it doesn’t come close to addressing the real scope of cybersecurity in 2024.  That’s why organizations miss the big picture and why cyber-disasters such as MGM, Dallas, etc., happen every day. 

It’s the lack of an approach covering the entire organization that causes most ransomware, data breaches and disruptions around the world.  This is about ensuring that every functional responsibility is handled—and owned. The page can only be a top level view 

Holistic Cybersecurity is about ensuring that every functional responsibility is handled—and owned. The article can only be a top level view. Your organization may not exactly match these categories—it’s the overall scope that matters.

Executive Team.

Let’s begin with the most important part of the article. It’s logically impossible to effect security that spans the organization unless it’s managed as an executive imperative.

Given new and upcoming legislation, this approach also becomes a competitive and legal necessity. The rest flows from this initial choice—without which it will fail and the organization will remain at risk.

Person Accountable for Security

Ideally part of the executive team, the person accountable for the organization’s security should be separately budgeted and not report to IT. Key duties are creation of both security policy and an ongoing implementation plan together with ongoing measurement, reporting and oversight of all aspects of the organization’s security.

Human Resources

The role of staff and contractor evaluation, implementing insider threat and social engineering strategies is critical. Overseeing employees’ privilege levels and constant training with viable anti-phishing software is also essential. Care must be taken to verify the security of external recruiting companies to ensure access to sensitive data is managed and verified.

Distributed Workforce

Another HR-related function is the management of staff at home, remote offices,  working with IT to manage/ban the use of non-corporate devices, etc.

Sales & Marketing

Monitoring of CRM sales tools (Salesforce.com, etc.,) is required to ensure databases use micro-segmentation, are encrypted and disallow the use of unverified plugins or APIs. Similarly with website CMSs, ensuring they use firewalls and do not use unverified plugins (WordPress has 50,000!) that can cause much disruption.

Customer Service

Customer Service is especially vulnerable to social engineering abuse and must use systems that protect customer information.

Product & Service Development

Whatever the product or service, it must be developed with security in mind. Where any service or product employs third party content, it must be verified. Special care must be taken to protect intellectual property from corruption or theft (see cybyr.com/delegate).

 

Manufacturing and Operations

Not everyone will have these areas but for those in critical infrastructure, decisions on security for network infrastructure, IoT separation and integrity are critical (see cybyr.com/critical).

Legal Governance

The proper positioning of cybersecurity policy and strategies provide competitive positioning. They provide legal defense should breaches occur and reduce cyber insurance costs. Also important is verification and governance of third-party supply chain contracts.

Finance & Administration

Physical Security is often handled here and many functions involve third parties that must be vetted. Another key role is in the cost-evaluation of which assets require protection. Outside CPA and Tax Service companies must also be verified.

Information Technology

Finally, IT provides skills, resources and technical oversight for the above. Where services and software are outsourced, properly delegating is critical.

In the next section we look a the top level cybersecurity actions.

Expanding the Concept

This section expands the implementation into IT encompassing the principles of Zero Trust.

The "What" of Holistic Cybersecurity"

The following gives you a taste of some actions related to implementing an effective program to reduce risks to your organization.

Asset Curation

Key is to understand what assets you have, how they should be protected from disaster and recovery and what it would cost if they were destroyed or ransomed. Automated Asset Curation and resilience is a key topic in its own right and will be covered separately.

Security Policy and Strategy

Only when you know what you have to protect, need to protect and can afford to protect can you establish a policy. It will also shape data and network strategy.

Then can you form and cost out a security Strategy Plan to remove weak links step-by-step, measuring progress over time – typically on a quarterly basis.

Threat Avoidance

This begins with software to prevent various forms of phishing combine with training. Insider Threats and Social Engineering Strategies are key to avoiding exploitation of weak links before they start.

Verifying the security of all your suppliers is another critical step to safety and to avoid threats before they happen. See https://cybyr.com/delegate.

Automation

Security and automation go hand in hand. Automate everything possible, especially the continual verification of device and software updates, access privileges, etc. Take special care with vulnerable IoT devices, ensure all assets are accessible to authenticated, authorized users. Be ready should problems occur, keep measuring and reporting your progress. Keep cyber-aware at cybyr.com/breaking.

Implementing Zero Trust

The following covers areas where the implementation of the principles of Zero Trust applies.

Zero Trust Strategy
Deploying solutions that embed the principles of Zero Trust is the only way to protect your data and services in 2024 and beyond. Applying the mantra of verifying everything is the mindset.

Microsegmentation
Implementation begins curating network and data assets to limit the attack surfaces by segmenting the network and microsegmenting data and tagging the data with allowable actions and authenticated actor access. All software from third-party software suppliers.

 

Least Privilege, Identity and Authentication

Threat Prevention begins with Least Privilege and Separation of Duties dictating the limitation of actions permitted after Identity has been authenticated with more than one method of authentication (MFA). 

For user actors Passkeys is definitely preferred but should also include location and time. Out-of-policy actions are a signal of threats, being detected.

Policy Enforcement 

Removal or blocking of threats takes place at Zero Trust Policy Enforcement Points. Typically, the policy is managed centrally and enforced locally at a variety of locations.

Continual Monitoring

Monitoring to continually verify compliance is a critical element of any Zero Trust implementation as is notification of any out of policy events.