If I had to build an IT organization from scratch, I would absolutely make an applicable security framework the backbone. Why? A security framework (such as NIST Cybersecurity Framework or CIS20) is a methodology featuring security controls that ensure not just a well-balanced security program, but also a well-balanced IT program.
Security is Woven into Every Functional Area of a Company
My understanding of the makeup of an IT department came atypically. I was in the United States Air Force when Uncle Sam desired that I become a network engineer. At that time, I couldn’t tell you the difference between an IP address and a subnet mask. It took me a couple of months to understand how those in the help desk, desktop team, virtualization engineers, Linux administrators, Windows administrators, network engineers, security engineers, and project managers all contributed to a functioning Information Technology organization. I observed that while all the verticals work together, they only interact at the edges of each particular service. The lone exception was security. Security is integrated into each and every other discipline, and for good reason.
In other words, security is the critical common thread. So, while it is not a conventional thought, it should not be too surprising either: every team across the IT department can benefit from a security-oriented tool. Specifically, I’m referring to security frameworks. Typically used to identify gaps, a security framework usually contains more than 100 controls that strengthen the various areas of an IT organization. Implementation is typically driven by compliance, but, sadly, most organizations look for the minimum effort to save on time and investment. However, it’s those organizations that look to increase their security posture, and review a security framework in order to exceed its controls, that separate themselves from the vulnerable.
Not Just Any Security Framework: The Right Framework
It should be noted that not all frameworks are created equal. Some more closely resemble a speed bump than a high jump event. HIPAA/HITRUST is one of these low-bar frameworks. To illustrate, the password requirement for HIPAA is that an organization must have a password policy. That’s it. There are no details on what that password policy should consist of with regard to complexity, rotation, etc. Other frameworks have a narrow focus, like NIST 800-171 or PCI-DSS. PCI-DSS, well known for protecting credit card data, only pertains to Cardholder Data Environments (CDE), and many organizations ignore security practices in other areas of their network. NIST 800-171 likewise focuses on Controlled Unclassified Information (CUI) and does not apply to the entirety of the network. Choosing the right framework positively impacts the outcomes.
One of my favorite frameworks, because of how it is organized, is CIS20. CIS20 comes from the Center for Internet Security, also known for publishing the CIS Benchmarks used as system hardening standards for various devices and operating systems. CIS20 is broken out into 20 high-level controls supported by a total of 171 sub-controls. The framework further groups the 20 controls into three sections, Basic, Foundational, and Organizational, which illustrate the relative impact of those controls. Additionally, version 7.1 introduced implementation groups to assist with prioritizing the rollout. The net result is that CIS20 presents a pretty self-evident roadmap to ensuring your IT organization is secure.
Security Frameworks Lead to a Better IT Department
What’s not so apparent is that this approach also helps you focus on and develop the different areas of IT support that your organization could be expecting from you. Asset Inventory, Administrative Privileges, Monitoring, Email and Web Browsers, Data Recovery, Data Protection, and Incident Response are all addressed by the CIS20 framework. While it also covers more obvious security functions like Firewall, Security Awareness Training, and Vulnerability Management, focusing on the previous list will help address the services and structure an IT organization should leverage to offer a quality service to your organization.
Why would a security framework hit on some of these elements of IT delivery? It has a lot to do with a basic security concept called the CIA triad. CIA stands for Confidentiality, Integrity, and Availability. All three of these elements are considered critical to security. Losing one of them causes the three-legged chair to fall. Importantly, these goals should sync with the goals of an IT department as a whole. Making sure that services are available and reliable should be weighed equally with protecting information and ensuring its integrity is not lost.
While opportunities don’t come around often to build an IT organization in a greenfield scenario, leveraging a security framework can help provide a quick report card on gaps in your IT services. Based on the relationship between security and IT as a whole, closing these gaps will not only elevate your security posture, but also the level of service your IT department offers your organization.