I’m going to speak more generally about our IT security path at NCIGF. There are a bunch of ways it can be done, some bad, some better than others, but what we did felt very organic in that what we did at each step felt like the next right thing to do.
We started with IT audits: every year for three years straight, with the same company. And every year, the same types of issues would get identified. The firm would come in, run a general controls audit, pen test, do a social engineering test, look at our policies and give us very similar reports: patch that, this has a vulnerability, this user got phished, develop a comprehensive vendor management policy, etc. After year two I found myself getting frustrated – we were doing things but we weren’t making progress, and I couldn’t figure out why. For us, it was partially a staffing issue: we had two developers and me, the CIO, working on insolvency stuff, plus one engineer who also did helpdesk. Some of the security stuff was delegated to a developer, mostly automated patching of Linux systems, and our Backup/DR/BCP was outsourced to a consulting agency, but no one was doing it full time. My main engineer was running around putting out fires, but we weren’t making progress. I reached out to someone who did our first IT general controls audit and brought him on as our Virtual Information Security Officer (VISO).
The first need was a helpdesk person so that my engineer could focus more on IT security. We hired a college student studying computer science part time for that. The VISO then helped us build a more comprehensive security program to stop the same things from coming up in the audit reports year after year: get automated phishing and security training for users, buy something that does automated vulnerability scans/reports, create and follow a patching strategy (patching/reboots on Sunday afternoon), more robust monitoring, log aggregation, and, finally, build a security dashboard – what we call our KRI, or Key Risk Indicator, product. We took a year off from audits and accomplished all that in 2017. We then brought in a different IT audit firm for 2018 and, lo and behold, things were much better. We were finally seeing different kinds of problems instead of the same problem with different manifestations.
The main takeaways from this year’s audit were: Web of Trust and Managed Security Service Provider/Managed Detection and Response (MSSP/MDR). We’re in talks with several MSSP/MDRs right now, with the intention of implementing one of them in 2019.
That’s the path I’d recommend, with a couple of modifications. You might not need a VISO if you follow the steps outlined above, and you don’t need to roll your own security dashboard if you get an MSSP (the KRI is still super useful though – I’ve got it displayed in my office and look at it daily). VISOs are good for other things, particularly helping set strategy and providing guidance. The VISO also holds me accountable to the NCIGF Board, like a check and balance. The reality is that no one outside of IT has any idea what goes on in IT, but from a security perspective, you really need someone holding you accountable to the people on your board with skin in the game. That’s the real value of a VISO long term – ongoing accountability.