The Blog
Introducing a Holistic Cyber Security Program

Introducing a Holistic Cyber Security Program

13th Jul 2018


Taken from our Ascot CIO Event, October 12th 2017

Matthias Muhlert, CISO, HELLA

Cyber Security Axiom

Cyber resilience is becoming a critical business and social issue for any organization with its continuous growths and modern IT

As more and more business value and personal information rapidly migrates to digital form, the risks from cyberattacks grow ever more daunting. Cyber resilience systems and controls to protect intellectual property, information assets and business continuity must be continuously on the agenda and a vital strategy for any organization.

Also the idea of cyber resilience in strongly supported by regulators who develop the policies to facilitate and defend technology, law enforcement agencies, and industry associations that work to share information and improve institutional security (IT-Sicherheitsgesetz).

  • An intelligent attacker will at a certain time defeat all defensive measures
  • Design defense to detect and delay attacks so you gain time to respond
  • Put layers in your defenses to contain attacks and provide redundancy in protection
  • Use an active defense to catch and repel attackers after they start, but before they succeed

Therefore the general goal for a Cyber Security Program is to improve the Cyber Resilience, meaning to improve on the ability of your organization

  • to prepare for and adapt to changing conditions
  • and withstand and recover rapidly from disruptions.

Process for the Setup

Obtain support of the Management Board

  • Making Information Security a strategic topic
  • Transferring the competences to the responsible
  • Granting enough resources

Treat it as a project

  • Cyber Security Program implementation is a complex issue involving various activities and various people from different departments

Define the scope

  • Define the Legal Entities to be in Scope
  • Define the organizational parts of the Legal Entities in Scope
  • Define the Processes to be in Scope of the organizational parts

Design the key areas of the Cyber Security Program

  • Define Key areas including objectives of the Cyber Security Plan

Design the controls supporting the key areas

  • Define controls including capabilities for each key area

Assessment of the key responsibilities and stakeholders

  • Identify the main stakeholders in your organization

Determine Status of Key areas and prioritize

  • Determine together with the stakeholder the status of the key areas using a risk based approach

Determine project organization

  • Set up and organize a project management

Agree on Road Map

  • Determine with the responsibilities, the milestones, work packages, and time schedule

Coming up with the key areas and associated controls

Main Tasks

  • Definition of Cyber Security Program with Key Areas selectively adopting controls/measures from international information security frameworks
  • Design of standard controls
  • Implementation of controls to all Legal Entities in Scope of the Cyber Security Program
  • Audit of sustainable use and implementation of controls

Key Areas

The Cyber Security Program should consist of 10 - 15 key areas. Topic/Key Areas definitely to consider:

  • Privilege Access
  • Network Security
  • Application Security
  • Endpoint/Server/Device Security
  • Asset management and Supply Chain
  • Data Protection and Cryptography
  • Monitoring/Vulnerability management
  • HA/DR
  • Incident Response
  • Identity and Access management

Topics/Key Areas possible to consider:

  • Policies
  • Audits
  • E-Discovery
  • Trainings

Key Area Objective and related Controls Capabilities (example)

Within the Cyber Security Program each Key Area has an objective that needs to be used as a guidance for the realization of the controls associated with the Key Area. To follow the information security controls characteristics, objectives should be compound of a preventive, detective, audit and forensic aspect. Each key area has a set number of controls associated with it. The controls are defined in terms of capabilities. Each control has to be put in place so that the associated threats with the key area are counteracted.


  • Attackers enter the enterprise through outbound network connections from servers or clients on the internal network.
  • Attackers enter the enterprise through the network connections of Internet-facing servers.
  • Attackers use internal networks to move laterally between computers inside the enterprise.
  • Attackers use enterprise networks to extract data and remove it from the enterprise.
  • Attackers take control of network infrastructure components and then leverage them to gain entry to the enterprise or to bypass other security measures.


  • The preventive objective is to block malicious traffic passing from one part of the network to another, or channeling that traffic so that is can be detected through other means
  • The detective objective is to monitor and analyze network traffic in order to detect malicious traffic while it is in transit
  • The audit objective involves analyzing network traffic in order to identify malicious activity or to generate artifacts indicating the lack of malicious activity
  • The forensic objective is to log information about network traffic, or possibly all of the network traffic itself, so that the network can be analyzed by detective controls, or to support investigations and audits

Controls with Capabilities

Switches & Routers- Switches and Routers must be hardened, monitored and controlled physically and logical

Software defined Networking- Software based network control in place to virtually steer the network

Network Time Protocol- Synchronized record timestamps in all systems to enable correlation of events

Prioritization Process

  • Step 1: High-level assessment, that focuses on key areas using expert judgment. Evaluating the risk associated with the key areas (Risk = Impact * Likelihood * Last Assessment)
  • Step 2: Detailed assessment on capabilities of security controls in regards to completeness
  • Step 3: Detailed analysis of the necessary technology to meet the
  • capabilities of the security controls
  • Step 4: Detailed analysis of the Impact from Legal Entities on your organization
Share this:
Request more information

You have missed out some details, please try again.

Your Name:
Job Title:
Company Name:
Please answer the above question to prove that you are human.

©2018 Global Business Intelligence | All Rights Reserved

We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we'll assume that you are happy to receive all cookies. You can find out how we use cookies here.