IT Security: A Practical Approach

Christopher McCarey, Director of IT Security for Gila River Hotels & Casinos – Wild Horse Pass, Lone Butte and Vee Quiva

Vulnerabilities. Data Breaches. Ransomware. In a world where a hacking activity takes place every 39 seconds, it’s easy to get trapped in a cycle of chasing the latest cybersecurity threats. But rather than putting your organization in a frenzied panic, consider taking a practical approach to your security program to help ensure a solid foundation and mitigate risks.

No matter what industry you are in, strategic planning and a relentless adherence to a written standard of technology is paramount. Start building your cyber defense wall with these practical steps:

1. Create a Strong Team

It’s important to identify the personnel, whether an internal employee or a security partner, who will be responsible for pushing your program forward. Even with a partner driving your security program, a security champion should be identified internally who can be part of the crucial conversations that happen daily to ensure new initiatives are being communicated to your security partner.

2. Conduct an Internal Audit

What are the most valuable and critical assets to your company? This is the same question that malicious actors will ask themselves when they are casing your organization, whether it’s during reconnaissance or even if an endpoint or process has already been compromised. Yes, even processes are assets in your company, and they should be under the same scrutiny your security team uses for securing systems.

Identify the systems (servers, databases, file shares, cloud services, etc.) that hold the data that is most critical to your organization. In tandem, identify the processes that are around all financial transactions.

An internal audit, for example, can help you assess how you’ve been monitoring logs for malicious activity. You can’t detect anomalies in your environment if you aren’t collecting the logs.

3. Set Goals and Define Policies

The adage “walk before you run” still rings true, especially when managing vulnerabilities. Setting goals and defining policies will help you navigate complex challenges as they arise. A good example of this is patch management. When was the last time each of your systems received an update? Patch management is a critical component of any organization’s security posture. Your policy should outline which systems are patched, how frequently they are patched, and how you audit that the patches were deployed successfully. Set the patching interval to an achievable goal at the outset of your security program and shorten it as the patch management process matures.

4. Educate Employees at All Levels

Phishing and social engineering attacks are increasing 16 percent each year – do your employees know how to spot clever hackers? Security awareness training does not have to be an expensive endeavor with painful, rushed rollouts to the entire organization. Start simple with a monthly newsletter that includes important security tips. If you have the luxury of a marketing department, partner with them to help communicate a memorable message to employees. For example, a personal favorite of mine is “Trust but Verify.” Remember that people are your weakest link, and when it comes to cybersecurity and dealing with important or sensitive information and financials, it is always a better idea to over-communicate.

5. Evaluate and Adjust

The foundation of cybersecurity is built upon repeatable tasks that, when done consistently, reduce your overall risk footprint. It’s important to ensure that as your journey continues you are auditing yourself along the way. Are all new assets being classified? Are you analyzing new processes as they are implemented to ensure security risks are being addressed?

Although an internal mechanism should be in place to verify that processes are being followed, a third-party audit from a trusted partner will help mature your practice and ensure nothing is slipping through the cracks.

Once you’re proficient at the practical steps in security, the next iteration should be selecting a framework and closing additional gaps in your security practice. Some of my peers may argue that this should be done first, but I believe the superior security frameworks that are available, such as offerings from NIST, ISO or CIS, should be brought into play once you’ve established the basics.

The rollout of a successful security program is no different than the rollout of any other large project in your organization. It requires executive buy-in, dedicated personnel, a structured plan, and accountability. Your early wins should be celebrated, and a positive mentality kept during the execution of the project. When failures occur, embrace them and push your team forward, documenting these items along the way. Revisit them during your progress meetings and turn them into wins where opportunities for improvement were identified and successfully implemented. Keeping a positive mindset throughout your organization towards your security program will ensure the long-term viability of your practical approach to security.
