Home  /  Empower and Protect  /  Establish a Cyber Risk Management Program with Cybersecurity Stepping Stones

Establish a Cyber Risk Management Program with Cybersecurity Stepping Stones

By Rick Tracy •  July 25, 2019

Want to establish a cyber risk management program, but don’t know where to start? Here are 18 security controls most organizations should consider implementing right now.

Not every organization is bound by regulatory requirements and the need to comply with hundreds of security controls. If your organization falls into that category, rather than trying to implement a mountain of security controls right out of the gate, focus on controls that are most important to your organization right now.

Many organizations simply have a desire to protect themselves from cyber threats, but don’t know how to get started. They are generally interested in preventing unauthorized access to their systems and data, and they want to take steps to avoid phishing, malware, and ransomware, but need help identifying and prioritizing appropriate controls.

Obviously, phishing, malware, and ransomware are not the full extent of security concerns, but addressing just these concerns offers great security benefit. That said, there are a handful of controls that will offer great security benefit right away and should be prioritized for implementation by organizations who fit the above profile.

Over time, as the organization matures, more controls can be implemented in a logical manner to offer additional protection. The key challenge for many organizations is figuring out where to start in a way that isn’t overwhelming. They need help prioritizing. Here are my thoughts for 18 controls that many organizations should consider implementing today:

In the chart, I relate 18 NIST SP 800-53 (rev 4) controls to NIST CSF functions for high-level context. I also relate the controls to the corresponding NIST SP 800-171 rev1 cybersecurity requirements, which may offer additional insights. As I mentioned, these 18 controls should be viewed as a starting point that can be built upon over time.

Two controls identified in the above chart are important for establishing a cyber risk management process:

  • PL-2: System Security Plan to document organizational boundary, mission, security objectives, etc.
  • CA-5: Plan of Action and Milestones, documented and prioritized remediation plans for controls that are not yet in place.

In my opinion, these two controls are essential for transforming what would otherwise be a basic controls compliance process into a lifecycle cyber risk management process. These two controls will become increasingly important over time as the cyber risk management process matures and more controls are added.

Once these 18 controls are implemented, there are number of additional controls that should be quickly added. One such control is CA-7: Continuous Monitoring. Continuous Monitoring is essential to ensure that security controls don’t drift out of compliance over time.

Remember, I’m not suggesting that these 18 controls are the end goal. Instead, they are just the first step for organizations that fit a specific profile. Let’s not fixate on what’s perfect or ideal from a security standpoint. Let’s dispense with the all-or-nothing security attitude. Instead, let’s focus on what’s good enough for now and can be expanded over time.

I believe we security professionals have an obligation to help organizations figure out how to start their cyber risk management journey in a way that doesn’t overwhelm them and allows them to derive some immediate security benefit. Let’s create cybersecurity stepping stones that are designed to help organizations calmly navigate the sometimes turbulent security waters.

Rick Tracy

Rick Tracy

Rick Tracy is the senior vice president and chief security officer at Telos Corporation. Follow him on Twitter: @rick_tracy See full bio...

The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.

Leave a Reply

Your email address will not be published.

four × 1 =