This week alone brought not one, but two high-profile breaches: Marriott International hotel chain and Atrium Health, impacting an estimated 500 million and 2 million people, respectively. As a result of the current security climate, an increasing number of IT organizations are offering cybersecurity products and solutions. But, there's an important distinction to be made between an experienced and credentialed security team, and an organization that offers basic security add-ons to IT services. With 10 questions, you can quickly determine if a security team or virtual CISO is well suited to take on the task of protecting your company's critical information.
1. What makes your team qualified to protect my company's network?
The security team candidate should have a multitude of reasons why their team is qualified. Some of the reasons should include:
2. Aside from protecting my network, what happens if my network is breached?
Beware of security teams that do not have experience in incident response. If a security company has not responded to network breaches and incidents, it is likely that the team lacks the vision required to successfully thwart an attack. Furthermore, if your security team does not have experience in these types of situations, it is highly unlikely that they know how to adequately protect your network and company.
Also, availability is key. Ensure that the team has adequate bandwidth to dedicate themselves to a network breach if one should occur. The last thing that you want to have is a breach and no security team available to respond. Network breaches must take precedence over other functions.
3. *If my network is breached, what steps does your team take to ensure that all regulatory/legal requirements are addressed?
The team should have an active incident response plan that includes legal counsel avenues and a fully developed communications plan. *The team should advise you that if a network breach occurs, contact legal counsel within the early stages and use discretion. If a security team does not relay this, then this demonstrates a lack of experience and should be noted. Experiencing a breach and having rumors circulating around your company does not bode well—ever. This can severely damage the reputation of the company and, as a result, have significant financial ramifications.
4. Aside from relaying information about vulnerabilities, can your team actually demonstrate how to fix such issues?
You do not want a security team that relays boring vulnerability reports. Anyone can stand up a scanner and relay pre-canned reports. Your security team should be able to assess findings, couple them with your unique organizational landscape, and show you the way to identify risks, prioritize, and execute/fix.
5. What happens after an incident has been responded to and mitigated?
A: If the security team gives you a generic answer, such as "patch the vulnerabilities or review the firewall", ask them to leave, politely. An experienced security team should know that after a breach has been mitigated, it is critical to perform a "lessons learned" exercise. This is paramount to ensure that the gaps are identified and closed.
6. What happens if we find malicious code on one of our systems?
If the security team tells you to run an antivirus program and call it a day, ask them to leave—again. An experienced team should know that often times, symptoms of a breach do not come to light for some time. When a system is found to have malicious code or is otherwise compromised, this could potentially mean that other systems are infected. It is critical to understand how, what, where, why, when, and who compromised a machine. Was it a disgruntled employee? What was the code doing? How long was it there? What information could have been exposed? How did it get there? After all of these questions are addressed, fix it, and ensure that the path to compromise no longer exists.
7. We need to become compliant with regulatory requirements, will an audit suffice?
If the security team is serious and passionate about their trade, they will likely tell you that when security comes first, compliance is inevitable. Great security teams not only fully understand regulatory requirements, frameworks, and laws (HIPAA, PCI, DFS, DFARS, SOX, GLBA, NIST 800-53, NIST 800-171, etc) but they also understand trusted best practices for implementing a robust security posture. When security teams become the caretakers of a company's network, they must implement security best practices with regulatory design in mind. If a company must abide by HIPAA, PCI, and SOX, etc, then the security team should map out the requirements and bring the best-of-breed to the table.
8. What exactly does cybersecurity entail?
If the security team responds with, "cyber-security is firewalls, antivirus, intrusion detection, etc", then they are not ready to protect your company. Cybersecurity is much more. It is about people, processes, and technology, and even more.
Great security teams are able to breach companies without ever touching a keyboard. People must be trained, follow secure processes, and embrace a culture of cyber-security.
Processes must be tailored to compliment security. From human resources to janitorial services, all processes must be considered. Disposing of sensitive information in open trash cans, processes for sending wire transfers, and even employee terminations should be some of the items on the list.
Technology should not include the A-listers only. It is imperative that all things must be considered. Firewalls & antivirus are on the list. However, technology should encompass all areas of the company to include every layer of the OSI model. Servers, desktops, applications, databases, mobile devices, network-connected cameras, HVAC systems, and even IP controlled thermostats should make the list. Simply put, anything that can be used by a hacker should be secured.
9. Can you guarantee that we will not be breached?
If the security team answers "yes" to this question, it is on to the next candidate please. However, if the security team tells you that they have a 100% protection rate thus far, then that is fantastic. The fact of the matter is that almost all companies have been compromised, most of them just don't know it yet. The security team should employ trusted principles, best-practices, competent people, and leverage secure technology. The question should not be how a company can guarantee that a breach will not occur, but rather how they can respond to a breach.
10. When can your team start?
Outstanding cybersecurity professionals don't treat their trade-craft as a job. They eat, sleep, and breath cybersecurity. By the time that a true cybersecurity team walks through your doors, they have likely already begun to observe your company, discovered vulnerabilities, and have recommendations for you.
They noticed that your reception area does not have a security guard.
They noticed that you do not have cameras inside the building.
They noticed that employees allow others to piggy-back into the building behind them without swiping their RFID card.
They noticed that your corporate wifi is not locked down with a password or encrypted.
They noticed that your employees leave their desks with their screens unlocked.
A great security team should tell you, "we have already started".