Every year, the volume and severity of cyberthreats increase. In 2021 alone, they grew by 50 percent with enterprises receiving nearly 1,000 attacks per week on average. It’s no longer a question of whether your organization will be compromised, but when—and how much damage it will suffer as a result.
To keep all digital assets and IT systems protected, your company needs to maintain a strong security posture.
What is security posture? An organization’s security posture is the security status of all its networks, data, people, and systems; the resources it employs to protect them; and its ability to defend against attacks and quickly recover from them.
Why is security posture important?
Failing to pay attention to your organization’s cybersecurity posture can be costly, and no company and no industry is immune. Each hour of downtime due to an attack can cost ecommerce sites millions in lost sales. The average cost of a healthcare breach now exceeds $10 million. Failure to adequately protect financial information has cost banks hundreds of millions in fines. A third of all manufacturers were hit with ransomware attacks in 2021, taking their operations offline. And executives who’ve failed to pay adequate attention to cybersecurity have been dismissed.
Understanding your security posture—the assets you’re trying to protect and the methods you use to secure them—is as fundamental for business leaders as understanding the organization’s financial posture.
Types of security posture within an organization
A strong security posture involves evaluating and strengthening all aspects of a company’s digital operations and can be looked at through a variety of lenses:
- Network security posture: Ensures the protection of data, applications, devices, and systems connected to the network through measures such as next-generation firewalls that have more layers of security built into them.
- Data security posture: Relates to how organizations protect sensitive data from being corrupted, lost, or stolen.
- Cloud security posture: Assesses and mitigates risks from SaaS applications and cloud hosting providers.
- Identity security posture: Relates to how organizations authenticate users and manage access to sensitive systems.
- Third-party security posture: Maintains the integrity of data flows and system connections between a company, its suppliers, and other external organizations.
How to assess your security posture
Security threats can impact every aspect of your organization. You need a comprehensive understanding of your digital infrastructure and the impact successful attacks may have on your business.
To do so, you need to answer these four key questions:
- Do you have a clear view into all systems and applications your organization is currently running?
- Do you understand the threats facing your IT ecosystem and your vulnerabilities?
- Do you have automated tools and processes in place to detect and mitigate attacks?
- Could you continue operating after your company has been compromised?
10 steps to improve your security posture
1. Inventory all of your IT assets
You can’t protect all of your digital assets until you track down and identify them all. Studies show that more than half of cloud applications in use at enterprises are owned and managed outside of IT. Start with a full accounting of all your computing assets, including those currently in use and older systems with components that may still be in operation. An inventory audit must include all assets that connect to the network, as well as so-called shadow IT, digital assets used without the approval or knowledge of digital leaders.
2. Conduct a security assessment
Once you’ve inventoried your digital assets, assess the level of risk each one represents mapped against known and potential vulnerabilities. Such an assessment should also measure risk from your vendors, suppliers, partners, contractors, and service providers that have access to your internal systems or data.
3. Prioritize risks to business resiliency
Assets that are most crucial to business operations should be prioritized, and with more resources devoted to them. For a healthcare organization, that might be the electronic medical record systems, while an ecommerce site might value its customer database the most. Financial services firms may want to focus more attention on user authentication systems to prevent bad actors from impersonating known entities.
Once you identify the assets that are most crucial to business resiliency, perform a risk/benefit assessment on how much of your security budget you should devote to it.
As a CISO, my job is profit protection. I need to understand the threats against key lines of business and figure out the right levels of security needed to protect them.
4. Establish a consistent patching schedule
Software vendors are continually identifying and patching security flaws, but enterprises often don’t implement them for weeks or months after they’re issued. The typical time required to patch serious vulnerabilities ranges from two to six months, while attackers typically exploit such flaws within two weeks. Sticking to a consistent and relatively frequent update schedule will minimize the amount of time a flaw is exposed to attack.
5. Automate threat detection, remediation, and mitigation
A robust suite of cybersecurity tools is now a requirement for every enterprise. These include firewalls and anti-malware software, email and web filters, endpoint and network detection and response systems, and cloud security solutions. Increasingly, security teams are using AI-powered tools to surveil networks 24/7 and isolate potentially serious attacks for further investigation. Automating threat detection and mitigation creates a more proactive cybersecurity posture, and offers some relief for overworked, understaffed security teams.
6. Monitor critical security vulnerabilities
Cybercriminals are constantly adapting their means and methods of attack. To protect against evolving threats, your security team needs to continuously monitor and gauge whether your IT systems are vulnerable to new forms of attack. Threat intelligence feeds that distribute information on active exploits and cybergangs can help organizations proactively protect their networks and identify the latest threats.
7. Adopt a zero-trust framework
A May 2021 presidential executive order called for federal agencies to implement a zero-trust framework, which required all users of federal computer networks to be continuously authenticated when using network resources, and to only have access to the apps, data, and systems they need to do their jobs. This makes it much harder for attackers who have breached the perimeter to move laterally through the network. According to a September 2022 survey by Okta, more than half of enterprises have zero-trust initiatives currently underway, while many more plan to launch initiatives within the next 12 to 18 months.
8. Transition to a DevSecOps approach
Adopting a DevSecOps approach integrates security into the process of software development and deployment. Security personnel can quickly identify and mitigate potential vulnerabilities before code is shipped, avoiding expensive and time-consuming rework, as well as preventing insecure code from inadvertently being deployed in production. A key element of this approach is red teaming—looking at code from the point of view of an attacker to isolate its strengths and weaknesses.
9. Implement cybersecurity training for all employees
More than 8 out of 10 security breaches are the result of human error—from employees revealing their log-in credentials by phishing emails, a manager losing a laptop or phone containing sensitive corporate data, or an admin misconfiguring server settings to allow public access to proprietary intellectual property. Top executives in particular are prime targets for “spear phishing,” in which emails impersonate them, and other direct attacks seeking their access credentials.
Educating all employees in cybersecurity fundamentals can minimize an organization’s exposure to social engineering attacks and malware infestations, reducing its overall vulnerability. Simulated phishing attacks can identify which employees are most susceptible and in need of further training. Teaching employees how to recognize and report attacks can reduce response times—a key element in successful mitigation.
10. Develop—and practice—an incident management plan
It’s inevitable that your organization will eventually fall victim to an attack or suffer a data breach. Proactive security posture management requires having an incident management plan in place to identify, analyze, and resolve such critical incidents. The plan needs to outline the appropriate responses for each department head and detail their procedures and roles. Just as important, the plan can’t simply sit on a shelf—it needs to be practiced, via table-top exercises or simulated attacks, and be regularly updated as threats evolve.