Ebook CyberSecurity


How to Build an Enterprise Cyber Security Framework

TABLE OF CONTENTS
Introduction 01
Planning and getting your priorities straight 02
Learning evolving threat vectors 04
Building the right framework 06
Skilled workers are the key to cyber security success 09
Conclusion: The time is now to plan for enterprise-wide cyber security data analytics 11
INTRODUCTION
As companies increase their reliance on technology and embrace digital transformation to make their businesses more profitable, the role of cyber security professionals has never been more vital. Building a comprehensive cyber security architecture for your enterprise has become not just an IT imperative, but also a corporate imperative. With so many assets at stake—from proprietary technologies and intellectual property to customer and employee information, financial assets, and mission-critical applications—it takes a holistic strategy that encompasses a wide range of IT and cyber security technologies and best practices.

The question is: what steps must you take to ensure the architecture you put together is a viable one? Success lies in your ability to define the appropriate frameworks, architectures, and tools that work best for your specific needs, all with hardened security measures and risk mitigation as the cornerstones. You must be sure to address a range of regulatory compliance mandates to validate the safety of your security apparatus, and align security frameworks with business strategies and corporate objectives so the management team is satisfied.

And most of all, you’ll need to be sure that your cyber security teams are fully trained with the right skills to keep pace with fast-moving threat vectors and a rapidly changing technology landscape.

Here, we provide you with a simple and straightforward roadmap to building an enterprise cyber security framework.

1 | www.simplilearn.com
1. PLANNING AND GETTING YOUR PRIORITIES STRAIGHT

A good place to begin your information security planning is to know where your priorities currently are, and where they should be. IDG recently conducted its third annual Security Priorities Study to learn what types of security projects companies are focusing on and why. The survey looked at challenges and strategic responsibilities that IT and security executives are addressing, and where they are allocating their budgets. Among the key findings:

The top two security priorities were improving protection of sensitive data (59 percent) and increasing security awareness in the organization (44 percent).

Half of all execs are seeing security budgets increase this year.

Companies overwhelmingly employ a chief security officer (CISO or CSO): 88 percent for large enterprises, 51 percent for small and midsize businesses, and 69 percent overall. That’s important for ensuring that you have executive sponsorship for your initiatives.

The most popular cutting-edge fields they are investing in are Zero Trust technologies (47 percent), deception technology (40 percent), and behavior monitoring and analysis (39 percent).

It’s also important to address business growth and alignment as you put your plan together. Like it or not, IT security is usually put together over a long period of time, as companies implement different technologies and tools from different vendors and roll them out as needed. The problem, of course, is that you develop silos in your infrastructure, with different operating policies and security protocols, which increases complexity and makes it difficult to establish a cohesive series of best practices.

That’s where a business alignment plan comes into play. Some best practices were outlined in a recent report:

Evaluate your current IT security investments and see how they are working with each other—such as how they handle data exchange and if security is consistent across silos.

Map out what a fully integrated architecture would and should look like, including which processes can be improved with integration and what the ROI would be.

Prioritize your initiatives into an action plan that initially focuses on quick wins (fast benefit with minimal investment) so that you can get vital buy-in from key stakeholders sooner rather than later.

The better initial planning you do up front, and the more you are able to align IT security cross-enterprise with existing technologies, the more effective your framework will be.

2. LEARNING EVOLVING THREAT VECTORS

The critical need for a strong enterprise information security framework is born from a rapidly growing range of threats from hackers and cybercriminals. In most cases, they’re driven by financial gain (from selling hacked information, credentials, trade secrets and other assets), but some hackers just can’t resist the temptation to break and enter.

Annual losses related to cyber crime are projected to reach $6 trillion by 2021, according to Cybersecurity Ventures.

In the months following the Covid-19 outbreak, online threats have risen by as much as 6x the usual levels as the pandemic provides new cover for cyberattacks, according to InfoSecurity Magazine. Phishing attempts, in particular, were a popular threat vector recently, up 600 percent, including impersonation scams, business email compromise (BEC) and extortion attacks. Among other threat vectors that have become part of the cybercriminal game plan:

Cloud Infrastructure:
The Oracle and KPMG Cloud Threat Report 2019 reveals that cloud vulnerability will continue to be one of the biggest cyber security challenges organizations will face. Enterprises are increasingly using cloud apps to run things like customer support and sales, as well as store customer and employee information in the cloud, making it a key target to penetrate. The report says that 59 percent of companies have had privileged cloud credentials phished, and 75 percent have had data loss from the cloud.

IoT Threats:
According to the Symantec 2019 Internet Security Threat Report, IoT attacks are rapidly evolving in sophistication, including bots and worm attacks that target smart devices, and industrial control systems that threaten critical infrastructure and public safety. Gartner predicts that more than 85 percent of successful attacks against user endpoints in the enterprise will come from exploiting configuration and user errors by 2025.

Phishing:
A report by Verizon shows that phishing was the #1 threat in 2019 and will continue to be a huge threat in 2020, thanks to its high-reward, minimal investment approach for cybercriminals.

Cyber AI:
While on the one hand artificial intelligence (AI) is aiding the fight against cyber threats by quickly detecting fraud and risk, it is also providing a new tool for cybercriminals. What’s known as “adversarial AI” works just as effectively to identify vulnerabilities, helping bad actors to sharpen their attacks on infrastructure. AI can be trained to recognize intrusion signatures (digital footprints) left behind by hackers, for example, when they attempt to access your systems, then act in real time to stop them in their tracks.

3. BUILDING THE RIGHT FRAMEWORK

Implementing information security has become a well-honed science. What’s commonly known as enterprise information security architecture (EISA) is “the practice of applying a comprehensive and rigorous method for describing a current and/or future structure and behavior for an organization’s security processes, information security systems, personnel, and organizational sub-units so that they align with the organization’s core goals and strategic direction.” According to Tenable’s Trends in Security Framework Adoption Survey, 84 percent of organizations in the US address meeting cyber security regulations with specific security frameworks, and 44 percent use more than just one.

EISA frameworks should address three key areas:

Integrity: Ensuring that there is no unauthorized access, transmission, or changing of systems or data under any circumstances.

Confidentiality: Taking steps to maintain the confidentiality of critical systems and data so those who are not authorized cannot access it—this includes both digital and physical access.

Availability: Establishing business continuity of network systems before, during, and after a cyber incident, with the goal to limit system downtime and recover quickly from an incident.

Fortunately, a number of key EISA frameworks have already been developed that meet core standards and help companies achieve compliance with regulatory mandates. In fact, according to the IDG 2019 Security Priorities Study, two-thirds of companies say that compliance was a key driving factor for their security spending. Following are some of the most common frameworks and data security mandates to help guide you:

National Institute of Standards and Technology (NIST)
The NIST Cybersecurity Framework is voluntary guidance for companies, spanning standards, guidelines, and best practices to better manage and mitigate cybersecurity risk, as well as improve communications between internal and external stakeholders by creating common risk language. The framework consists of three main components:

Core: Creating a set of desired cybersecurity activities and outcomes using language that is easy to understand

Implementation Tiers: Determining the right level of rigor for different security programs

Profile: Aligning organizational goals with risk appetite and resources to reach the desired outcomes

PCI DSS
Particularly in the era of online transactions, Payment Card Industry Data Security Standard (PCI DSS) was designed to “enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.” It is a multi-faceted standard that spans security policies, procedures, network architecture, software design, and other areas to ensure organizations can proactively protect customer credit card and account information.

ISO 27001
The ISO 27000 family is an international set of standards for information security management. ISO 27001 is defined as helping to “manage the security of assets such as financial information, intellectual property, employee details, or information entrusted to you by third parties.” The guidelines provide specific steps for companies to follow and ultimately help grow customer confidence in your ability to protect their information.

General Data Protection Regulation (GDPR)
The 2018 General Data Protection Regulation (GDPR) mandate was created to protect the personal information of every European Union citizen. Companies must comply with this law or be subject to fines of up to 20 million euros. The law forces companies to reexamine how customer data is collected, processed, stored, and deleted.

Control Objectives for Information and Related Technologies (COBIT)
COBIT was developed by the Information Systems Audit and Control Association (ISACA) to help organizations manage information and technology governance by linking business and IT goals, spanning audit, compliance, operations, and risk management.

4. SKILLED WORKERS ARE THE KEY TO CYBER SECURITY SUCCESS

Your enterprise information security framework is only as good as the people who envision it, build it, maintain it, and improve it to ensure growing threats are kept at bay. Unfortunately, as fast as the cyber security field is growing, there is still a shortage of qualified professionals who can fill needed roles. Forbes recently reported that there will be 3.5 million cyber security jobs left unfilled by companies in 2020. That’s more than three times the number that went unfilled just six years ago.

Upskilling and re-skilling are important components of your EISA strategy, and advanced certification training is readily available for every level of role you’ll need to fill. Top certs include:

CISSP
CISSP, or the Certified Information Systems Security Professional, has long been considered to be the gold standard in the field of information security. Senior cyber security professionals pursuing the CISSP certification are trained in eight distinct areas to protect their IT infrastructure, including security and risk management, asset security, security architecture and engineering, communication and network security, identity and access management, security assessment and testing, security operations, and software development security.

Certified Ethical Hacker (CEH)
For many organizations, their ace in the hole might just be the Certified Ethical Hackers (CEH). As well trained as many cyber security professionals are, they are usually playing catch-up against hackers and cybercriminals that have financial incentive and extensive experience to stay at the top of their game. That’s where certified ethical hackers come into play.

Ethical hacking is the process of testing infrastructure vulnerabilities by using the same techniques that malicious hackers do, but in a legal, legitimate manner. The results of a CEH professional’s testing can then be used to proactively enhance the strength of an organization’s defensive cyber security posture. Ethical hackers learn to investigate vulnerabilities in target systems, assess security status of network systems, and master the latest hacking tools, malware codes, and other tactics that hackers use every day.

CISM
Certified Information Security Manager (CISM) is another key certification for IT professionals who manage, design, oversee, and assess enterprise information security. CISM certified individuals must demonstrate a deep understanding of the relationship between information security programs and broader business goals and objectives, so it is considered a strategic certification for people who can lead cyber security teams.

CISA
When it comes to auditing and governance, there is no better place to start than the Certified Information Systems Auditor (CISA). CISA certified professionals are able to identify and assess vulnerabilities, perform security audits, and report on compliance and institutional controls, making them critical players in governing IT. Achieving compliance with the General Data Protection Regulation (GDPR) is a great example of where CISA professionals can apply their skills.

CompTIA
The CompTIA IT certification is instrumental in pursuing most successful careers in IT, helping to validate the use of hardware, software, mobile and OS technologies in complex IT environments, and in both wired and wireless networks. Since CompTIA certifications are vendor-neutral, the CompTIA certification leads to a broad array of skillsets to qualify for a variety of IT positions.

CONCLUSION: THE TIME IS NOW TO PLAN FOR ENTERPRISE-WIDE CYBER SECURITY

Planning can make all the difference in the world of IT and cyber security, and the results can be felt all across your organization. Accenture reports that by prioritizing infrastructure and technology for cybersecurity protection, you can reduce the ultimate consequences of cybercrime and unlock future economic value, as you develop higher levels of trust (and grow business) with customers and partners. Start building your enterprise-wide security team and architecture today and you’ll see how fast the benefits will appear.

INDIA
Simplilearn Solutions Pvt Ltd.
# 53/1 C, Manoj Arcade, 24th Main,
Harlkunte
2nd Sector, HSR Layout
Bangalore - 560102
Call us at: 1800-212-7688

USA
Simplilearn Americas, Inc.
201 Spear Street, Suite 1100,
San Francisco, CA 94105
United States
Phone No: +1-844-532-7688

www.simplilearn.com
