Defining Mature Cybersecurity Processes with a CLEAR Model

Zach DeMeyer
June 20, 2023

With breaches running rampant in the news cycle, cybersecurity is top of mind for businesses today. The Biden administration is strengthening its stance against cybercrime with a new cybersecurity strategy, and businesses of all sizes need to take their own strategy and framework seriously.

In general, most cybersecurity frameworks consist of three aspects: people, processes, and technologies, or PPT. In this blog, we’ll focus on what you can do to mature your cybersecurity processes to keep up with threat actors' evolving tactics, techniques, and procedures (TTPs).

Determining and developing processes for cybersecurity

As established previously, PPT are the core building blocks of any cybersecurity approach. The people aspect involves expertise, accountability, and a shift in mindset and culture. Technology leverages hardware and software solutions to aggregate and automate security tasks among other outcomes.

Entwined with both people and technology, process is something that any organization needs to implement regardless of the maturity of its cybersecurity approach. Cybersecurity processes lay out best practices and procedures to be followed and adhered to. They apply both during standard business operations and after a cyber incident occurs. Processes are dictated and informed by the nature of the business and its critical assets. Beyond that, though, they also depend on current TTPs: how the business may be attacked and how those attacks are to be defended against.

At their core, security processes rely on consistency and repeatability to ensure that they can be continuously implemented as the organization grows and changes personnel. Doing so enables processes to be enforced properly, especially at wider scales. They also need to be documented, both to ensure repeatability and to track KPIs that demonstrate efficacy to stakeholders and compliance auditors.

Cybersecurity processes will vary from business to business, but mature cybersecurity processes share several key qualities no matter the business size or industry. Boiled down, the best security processes are CLEAR: Comprehensive, Layered, Engaged, Adaptive, and Repeatable.

Breaking down CLEAR processes

Comprehensive

Companies with mature cybersecurity processes are aware of what’s at stake and, subsequently, know where they are most vulnerable to threats. Their documented processes cover those aspects in detail but also keep in mind other parts of the business that can be affected by cyberattacks. It’s also important to consider both the upstream and downstream portions of the business and how they can be affected.

Those responsible for security must be passionate and engaged in the business’s cybersecurity posture. Continuous efforts must be made, both in establishing current processes and finding ways to improve upon them.

To reach this stage with your cybersecurity processes, it’s important to consider:

  • What cybersecurity processes do you currently have in place?
  • How are new and emerging technologies and threats accounted for in them?
  • Which aspects of the business have associated cybersecurity processes?

Layered

In today's threat landscape, many businesses will be involved in some sort of cyberattack, successful or not. Immature security approaches are reactive, acting only after the unfortunate event of a breach.

Your processes need to stay ahead of threat actors, using multiple levels to ensure coverage. Redundancy plays an important role, ensuring that several individuals are responsible for covering the same role. That way, if someone is out during an attack or even compromised in any way, the business still has coverage regarding their duties.

Another aspect of layering includes prioritizing budget allocations for expanding/optimizing the security technology stack, as well as investing in the best possible talent to fill the ranks of your security team. Security is a 24/7 game, so whether you have people on your team working around the clock or have outsourced that to a dedicated team, you need constant coverage adhering to your established processes.

Here are some angles to think about as you evaluate the layers of your processes:

  • Is our security team “always on” in case of an event?
  • Are we able to tie ROI to our security purchases?
  • What preparations are in place to act as soon as a breach is detected?

Effective

The best security practices are those that are specifically tailored to their business regarding both operations and outcomes. Using data and analytics, your processes should be tuned to be both effective and minimally intrusive to employees’ day-to-day activities. You should also be able to measure said efficacy, both during standard operations and after a security event, to identify successes and points of improvement.

One part of this is keeping your whole team engaged as well. Conducting regular security trainings ensures that the people in your company are aware of how important security is to the business. It also prepares those people to be ready and able to act when faced with a phishing email or other potential source of a breach. That way, they can work productively while also keeping security top of mind.

These questions will help you assess how effective your processes are:

  • What are our established, measurable KPIs?
  • Do we apply data, both baseline and right of boom, to our processes to cover all our angles and perform after-action reflection?
  • How often are we training employees on proper security practices, including routine tests/drills of their understanding?
  • Is everyone in the company on the same page when it comes to the severity of security?

Adaptive

Threat actors are constantly finding new ways to successfully breach organizations to steal, ransom, or manipulate critical business assets. Your cybersecurity processes need to be just as quick to adapt to the newest threats.

Continuously update and optimize your processes, keeping in mind both the state of your internal team and recent and emerging threats. This also includes hearkening back to prior investigations, using the data and information gathered to highlight successes and identify failures.

Some considerations for adaptive processes include:

  • Do we update processes in real-time when new threats and TTPs arise?
  • Do we have a dedicated person for managing and maintaining our security processes regularly?
  • What is our post-incident process and how can we use it to shape and improve future processes?

Repeatable

Security processes are only as good as their documentation. After all, without codification, what are processes besides general guidelines you hope employees follow?

Meticulously documenting your security processes holds several benefits which were laid out earlier in this piece. The first is repeatability. When the team changes, new members can refer to the documented processes to ensure that they are acting in the best security interests of the business.

Beyond this, documented security processes are a major portion of many industry and governmental compliance regulations. Having your procedures laid out in a logical and easy-to-follow manner not only benefits your team, but also helps auditors quickly understand what steps you are taking to keep your business secure.

This benefit bubbles out/upward as well, especially for CISOs and IT services providers. Clear, comprehensive process documentation shows stakeholders like members of the board of directors or paying clients exactly what the security team is doing. This allows you to prove your efficacy from a security perspective as well, leading to proof of ROI or the demanding of premium MRR for your services.

These are some evaluations to ensure your security processes are repeatable:

  • Do we have all our security processes laid out in accessible repositories?
  • Is the documentation secured to prevent tampering or information leaks?
  • Can the processes be understood by the average reader as well as the more technically minded?
  • Have we improved upon our response times between incidents?

Maturing cybersecurity beyond processes

As you evolve your processes to be more CLEAR, it’s important to remember that process is only a third of the PPTs of a mature cybersecurity model. As your people and technology stack change, your processes will need to accommodate as well to ensure they still meet the CLEAR criteria.

If you want to learn more about how to mature your organization’s entire cybersecurity approach, read our eBook to see how you can climb our security maturity model curve, based on the NIST Cybersecurity Framework.
