GUIDE: How To Build A Custom Cybersecurity Framework If You’re a Resource-Drained IT Security Team
Cybersecurity Framework Guide
Introduction
Being the manager of IT security means more than managing the security staff – you’re managing all of
your organization’s cybersecurity risks. With an infinite number of potential cyber risks, protecting your
organization can become overwhelming quickly if you try to enumerate all the risks and create a protection
framework on your own.
Risk is not the only thing that can overwhelm an IT security organization. Defending against every
possible threat vector can become a nightmare, especially in a time when businesses are relying on large
distributed complex applications, cloud service providers, and an increasingly remote workforce. On top
of all that? You’re dealing with the challenges of retaining skilled and overworked staff in the age of the
Great Resignation.
The retention challenge is real. Security teams are overworked from chasing false positives from threat
management systems that emit too many alerts. And they’re doing all this while struggling with a heavy
cloud hanging over their head – the fear of missing one of the increasingly complex and sophisticated
attacks against their organization and their vendor community.
Now let’s take a deep breath. Security frameworks can help you bring calm to the chaos.
Before we get to the good part, it’s important to first note that putting a set of controls in place based on a
list of best practices isn’t enough to manage cyber risk or the threats to the organization. Your organization
needs to approach both risk and threat management systematically. Now let’s get to the good part.
Two frameworks have emerged that can help you succeed in managing both cyber risks and the threats to
your organization.
This guide covers:
• The key security frameworks and standards for managing your IT security program
• How to manage the four key areas of risk associated with security controls
• Key considerations for addressing cyber insurance, cloud security, and Zero Trust
Cybersecurity Frameworks and Industry Standards
Two popular cybersecurity frameworks were created to help organizations get started in
creating and documenting their security programs.
One is from the Center for Internet Security (CIS) called the Critical Security Controls
developed in partnership with organizations that investigate data breaches. The Critical
Security Controls is the list of controls that would have stopped a breach had they been
present.
The other popular framework, the National Institute of Standards and Technology (NIST)’s
Cyber Security Framework, was defined in response to the President’s Executive Order 13636
to provide voluntary guidance to better manage and reduce cybersecurity risk. Both CIS and
NIST provide their frameworks without cost, and both are designed to help an organization
know the minimum controls needed to manage cybersecurity risks.
Here are a couple of examples of additional standards you may need to incorporate as well.
If you accept payment for goods or services with credit cards, you’re obligated to comply
with the Payment Card Industry (PCI) Data Security Standard (DSS). You may not have to be
audited against this standard unless you process at least one million transactions per year.
But, if you take credit cards for purchases on your website, you’ll need to have the site scanned
by an Approved Scanning Vendor (ASV) to ensure that your system is not vulnerable, and
fix any issues discovered. Failure to fix these issues may cause you to lose the privilege of
accepting credit cards.
If your company works with health care data, you will need to be compliant with the Health
Insurance Portability and Accountability Act (HIPAA). If your company uses technology in
support of this data, you will likely need to be compliant with the HITRUST framework, which
was created by the health industry to govern how an organization becomes compliant with
HIPAA.
There are documents provided by the CIS to help you understand which of their controls
help you meet the requirements for either PCI DSS or HIPAA and HITRUST. The PCI Security
Standards Council provides documentation on how to use the NIST Cyber Security Framework
to achieve compliance with the DSS. The US Department of Health and Human Services provides
a mapping from HIPAA to NIST’s Cyber Security Framework. The official mappings help ensure
that the controls you’re putting in place not only remediate multiple risks but also achieve any
regulatory requirements.
All these standards presume that your organization is hosting the entirety of its technology
stack itself, but many modern organizations use cloud hosted resources. To help you
understand how to use the cloud securely, the Cloud Security Alliance has created the Cloud
Controls Matrix along with the Shared Responsibility Model.
When you use a cloud provider, they’re responsible for supporting part of your information
security, but you remain responsible for any breach. How much is supported by the service
provider depends on what kind of cloud vendor you use. The Shared Responsibility Model delineates
the breakdown of who supports what in the cloud.
With Infrastructure as a Service (IaaS) you support part of the operating system, as well as
the middleware, runtime, data, applications, and identities. With Platform as a Service
(PaaS), you support data, applications, and identities. And with Software as a Service (SaaS),
you only support identities.
Now that we’ve covered the two key security frameworks, let’s dive into the details on what
you need to keep in mind as you build or refine your security program.
Managing the Key Areas of Risk
All controls introduce risk to your organization, and some of those risks may be more
impactful than the risks they’re designed to prevent. This is why organizations need to do
more than just blindly implement the standards and why each information security standard
mandates that the organization considers risks when selecting their controls.
If the risk introduced by implementing a control is greater than the risks the control is
designed to remediate, you should find another strategy for addressing those risks.
There are four key areas of risk that have emerged in recent years that provide challenges to
any organization, especially those with resource constrained IT security teams:
• Threat Management
• Technology & Integration Management
• Cost Management
• Third-Party Management
Threat Management
The difficulty of managing threats is in part a matter of organizational scale.
Most organizations can’t afford to implement controls that remediate all threats to their
environment, and each threat represents a form of business risk. Even if you implement all
the controls needed to manage all the threats your organization will ever face – including
ones that are not yet developed – you still need the staff to handle the volume of alerts from
threat actor events (and the dreaded false positives).
Depending on your business sector, you may also have to manage complex, novel attacks
from nation states or other sophisticated threat actors. This creates a dilemma: if you treat
every suspicious event as an attack, you may block or slow down legitimate business, because many
of the alerts you receive, even from a well-tuned security information and event management
system, are false positives. This means you must either have sufficient staff to investigate each alert
and coordinate a response, or outsource this function to an organization whose job it is to
respond at scale to the volume, diversity, and complexity of threat events.
There are multiple ways to outsource threat management, each with its merits and
challenges. If you have web applications, one element that is readily outsourced is the
management of a Web Application Firewall (WAF). This is the most cost-effective way to
implement a WAF, as the WAF vendor will have sufficient resources to scale a response to a
Distributed Denial of Service (DDoS) attack, something even the largest organizations would
have trouble implementing.
You can also outsource event management from your infrastructure, even if that infrastructure
is cloud hosted. There are five kinds of vendors to consider:
• Managed Service Providers (MSPs) offer their customers the outsourcing of their
technology. What’s important to note is that these providers are offering more than just
IT security management, so they’re not experts in IT security.
• Managed Security Service Providers (MSSPs) offer their customers the management of the
technological aspects of an information security program, and may also provide some
non-technical services, like security awareness training.
• Endpoint detection and response (EDR) focuses threat management on the
organization’s endpoints.
• Managed detection and response (MDR) is an extension of EDR or extended detection and
response (XDR) where a vendor manages the EDR or XDR for your organization.
• XDR is an extension of EDR, where threat management includes more than just the
endpoint. It sometimes includes network and user-based threats, among others.
Technology and Integration Management
Regardless of the services you choose to implement, it’s essential to define clear service level
agreements with specific hand-offs to members of your staff, as key decisions in incident
management will remain with your organization. We highly recommend having a member of
your service provider participate in incident response (IR) tabletop exercises.
As you acquire more services and technologies, one of the important challenges you will face
is ensuring that it all works well together. While certain vendors will form key partnerships
with other vendors, often the integration work is left to you. And this means using vendor
provided APIs. This is one of the many benefits of using an MSP, MSSP, or MDR: they provide
an integrated technology stack. Value Added Resellers (VARs) often provide integration
services. It won’t matter if you have the best security tech stack in the world if you don’t
integrate it properly. That’s why getting professional help can be critical to your success –
scaling and securing integrated technologies is not a very common skill set.
Cost Management
Another challenge is cost management.
Good software and service providers are often expensive, as is staff. This is another area
where using an MSP, MSSP, or MDR can help. It allows other organizations to absorb
some of the expenses of both the software and personnel involved in threat management –
probably the most expensive aspect of an information security program.
Most service providers charge based on volume. The more successful you are, the greater
the volume, the larger the costs. This can make it difficult to budget for many cloud service
providers because you can’t plan for a fixed cost. You should negotiate fixed annual costs
where possible, with cost reviews in advance of your renewal date to ensure full understanding
of the cost to renew.
While this will add cost, there are service providers who help you manage the costs of doing
business with key cloud service providers. These service providers tend to focus on vendors
providing IaaS with the cost savings of the service often paying for itself.
Another way to save costs can be to use an MSP that provides a level of management for your
cloud services, including cost governance, while also providing you a large suite of bundled
services. Use of an MSP can reduce the challenges of integration but will require you to use
the software they provide even if it’s not as feature-rich as non-supported alternatives. Like
an MSSP, an MSP will also help with threat management, though unlike an MSSP,
security is not necessarily an MSP’s specialty, and your quality of service may suffer.
Third-Party Risk
Each service provider you work with adds to the challenge of managing your third-party
risk. The more you outsource functions to other organizations, the more vulnerable your
organization is to problems within those organizations – which are problems you can’t
manage.
Outsourcing is still the better strategy. You’re leveraging firms whose expertise is in their
capabilities, while freeing your firm to focus on what makes it special. Keep in mind that
if there is a data breach within your service provider, you may share in or bear the entire
burden of the breach.
Selecting a good partner for each service provided is essential. You will want to verify that the
firm you select is in good financial health, which means reviewing their financial statements
and audits. There are service providers that can help with this evaluation, but make sure you
can trust that service provider to evaluate the health of other service providers. Be thoughtful
as you build partnerships and don’t be afraid to ask questions.
On a similar basis, there are service providers who offer help with looking at the cyber
security part of third-party risk by looking at publicly available data of those firms. While their
salespeople will tell you otherwise, the data they have access to is often problematic. It’s
impossible to understand the security quality of Amazon Web Services (AWS), Google Cloud
(GCP), Microsoft Azure, Oracle Cloud, and so on from what is known about them publicly. The
security of their customers obscures what these IaaS vendors provide.
The only completely effective approach is to audit the vendor yourself, if possible. All good
service providers will allow customer audits as part of their contract. If you don’t have the
resources to audit even the most critical service providers, ask for this right in your contracts
in any event. If you encounter a service provider that denies you the right to audit their
environment with proper notice at your cost, you should strongly consider avoiding them.
The audits conducted for a SOC 2 Type II or ISO 27001 still provide tremendous value. If
the company you’re examining has a certification of compliance with ISO 27001, ask for a
copy of the penetration test and ask for the details on how security is applied to protect the
service, including the service data flow diagram that is included in a SOC 2 Type II report.
If the company has a SOC 2 Type II report, ask for a copy of the penetration test, details on
how they integrate security into their software development life cycle, and how they manage
third-party risk.
Consider using service providers that offer third-party risk management to augment this
practice. These providers will give you visibility into how well things are maintained over
time.
Emerging Considerations
Along with the strategies outlined above, organizations should pay particular attention to
the following areas that are becoming increasingly important components of a modern and
effective cybersecurity program.
Zero Trust
The term Zero Trust means many things to many vendors. But the idea behind the origin of
the term is that no system should be more trusted than any other system just because of
its network location. Placing your computer on the office network will get you no more and
no less access than placing your computer on your home, hotel, airport, café, or any other
network.
While there are many ways to implement Zero Trust, we highly recommend reading NIST’s
implementation guidance. NIST recommends multiple approaches, but the ones that seem
to work best for resource drained IT security teams are to install an agent to monitor and
control your endpoints, use identity as your perimeter, and leverage an authentication proxy.
Some XDR/MDR/EDR services can be used as the endpoint management agent, while others
can’t. Look for services that not only protect your organization from malware, but also
enforce policies like requiring that laptops are patched.
Using as many SaaS services as possible, where there is no implicit trust, and using an
authentication proxy that uses the SAML, OAuth, and/or OpenID Connect protocols to provide auditable
access to your SaaS providers is also an excellent path to Zero Trust. This will extend the use
of identity as your perimeter. MSPs often provide this type of authentication proxy as part of
their service or through a partnership with one of the many excellent vendors in this space.
Regardless, you are responsible for managing your organization’s identities, endpoints, and
threat events. Even when using a SaaS platform, you need to ensure that events impacting
your usage of the platform can be seen and responded to by your organization.
An MSP, MSSP, or MDR can be a key partner as they provide scalable and swift response to
threat events with a staff that won’t get overwhelmed by the volume, technology diversity,
and complexity of attacks. Choose one who will partner with your organization to share the
challenges of threat and incident management. Work with them to establish run books and
service level agreements that allow you to manage active threats against your organization.
Cyber Insurance
No control, no matter how well implemented by either your organization or a cloud service
provider, eliminates risk. At best, your controls will reduce the probability of an event, the
impact of the event, or both.
Remediation is also not the only strategy you can use to address risk. You can also transfer
some of the risk of an event, avoid the behaviors that place your organization at risk, or even
simply accept the risk of an event. Because a control reduces but does not eliminate risk, it
is wise to have cybersecurity insurance, and many organizations find themselves required to
carry this coverage. Carrying cybersecurity insurance is the easiest way to transfer some of
the risk of an IT security event.
Companies that offer cybersecurity insurance will require you to have a bare minimum of
controls or you will be denied coverage. While each insurance company will have lists of
mandated controls, some will offer discounts to your organization if you work with certain
cybersecurity partners. These partners should still be vetted by your organization as the
insurance company may not have recommended the best vendor in that space for your
organization’s requirements.
As an example, if your insurance company mandates use of an MDR, EDR, or XDR system that
uses machine learning, but your organization uses Apple computers, you’ll want to have an
EDR, MDR, or XDR system that uses user behavior analytics instead.
The Cloud
Using cloud service providers is a beneficial strategy for a modern IT security organization.
These service providers have teams with highly specialized skills in the services offered, with
unparalleled scalability.
No other strategy will provide better protection against a distributed denial of service
attack or capability to recover from a disaster. There are some unique challenges with event
management, a core component of threat management, but as this will be managed by the
service provider, they become an extension of your threat management capabilities. When
partnering with cloud providers you only have to worry about your portion of the shared
responsibility model, along with a strong and well-defined escalation path from their organization
to yours.
If you use an MSP or MDR that can integrate their solutions with your other cloud service
providers, you may not need to dedicate many resources to achieve scalable threat
management. This can be a tremendous win (especially according to your finance team) as
their expertise eliminates the need for you to bring the skill set in-house and to cover the
hours needed.
To Sum It Up
Use the most appropriate security framework for your organization and consider working with
a VAR, MSP, or MSSP. They can help you integrate not only the various technologies used by
your lean IT security staff, but also the event logs generated by attacks against this technology
so that blended attacks against your organization can be correlated and responded to.
Work to identify a partner who can help you with cost containment and ensure that you can
get Cybersecurity Insurance.
Also, make good use of cloud services and Zero Trust to reduce the perimeter to your
organization’s endpoints and identities. This means selecting the best partners so that your
third parties help reduce the risk of doing business in the modern era.
About Cynet
Cynet is a provider of the world’s first end-to-end, natively automated extended detection and response
(XDR) platform – Cynet 360 AutoXDR™ – backed by a 24/7 MDR service. The platform was purpose-built
to enable small security teams to achieve comprehensive and effective protection regardless of their
resources, team size, or skills.