The First Step, The First Time (part 1)
(This blog post is the first of two; the second one is here.)
You are an organization without any formal Cybersecurity Program (CSP), but you have decided that the time has come to remedy that lack. What do you do now?
The first thing you do is review the basic concepts behind Cybersecurity (C/S), which we assume that you have done by reading the appropriate posts of this blog. That means that you are familiar with these pillars from the NIST CSF:
Identify, Protect, Detect, Respond, Recover
As a quick review, here are the concepts we will use in this post, presented in a form that is meant to show you how these concepts relate to each other:
The obvious way to approach this process would be to start with Identify, and work your way through the list to Recover, but that is actually not what we recommend when starting from scratch. Instead, we recommend that you take stock of what you are already doing. In effect, we recommend that you start with Detect and work backwards through Protect and Identify, then forwards to Respond and Recover.
The great thing about what you are already doing is that you are already doing it. You have implicitly chosen some assets to protect and created policies to protect them. We want to make this process as painless and effective as possible, so we will build on what you are already doing.
To be more specific, our recommended approach to doing Detect for the first time is this:
- Cyber Defenders make a list of what they are doing; these are the _procedures_.
- For each procedure, explain what constitutes proof, e.g. "look in the log, count bad things."
- For each procedure, identify the asset being protected, e.g. "the file server."
- For each asset, identify the risk being mitigated, e.g. "unauthorized access to the file server."
To finish off Detect, you have to make sure that whoever supervises the Cyber Defender understands the proof, because it is not enough that the Cyber Defender believes that she is doing the right thing: she must also convince her supervisor that the right thing is being done. This allows confidence to move up the chain of command and to link the Cyber Defender at one end with all of the management above her.
Now you have finished Detect and are ready to back your way into Identify and Protect before you tackle the combination of Respond and Recover under the "Incident Response Plan" umbrella.
And there you have it: how to start putting together a CSP built on top of whatever you are doing already.
The next blog post is the second and final part of how you start.