A CEO's Guide to Cybersecurity

As this year’s Cybersecurity Awareness Month is winding down, let’s delve into the concept of “defense in depth cybersecurity.” While every good Chief Information Security Officer (CISO) knows all about defense in depth cybersecurity, this blog post will outline what it means for a Chief Executive Officer—and why your business should use this multi-layered approach to cybersecurity.

Understanding Defense in Depth Cybersecurity

Imagine a grand castle. Its defense isn’t just its formidable gates but also the moat, the towering walls, and the vigilant guards. Similarly, defense in depth cybersecurity isn’t about a singular protective measure. It’s about having multiple layers, so if one falters, others stand firm against potential threats, safeguarding your data and workforce.

Typical defense in depth cybersecurity strategies guard your data and employees using two distinct layers of protection:

1. The Application Layer

This is the topmost layer in the seven-layered Open Systems Interconnection (OSI) model used to describe information technology systems. Layer 7, the application layer, is the one that directly interacts with the end-user interfaces of the apps your employees use daily. So, a defense in depth strategy for cybersecurity must ensure those everyday software applications are protected against security threats.

There are several proven methods that can help you defend this layer at your organization:

  • Use Firewalls: Essential for blocking unauthorized access, a firewall helps detect and thwart numerous attacks coming from the cloud. The logs a firewall generates during these attacks are invaluable for spotting and analyzing suspicious activity, and for shoring up your defenses after an incident.
  • Regular Software Updates: Keeping software up to date is vital to fix known vulnerabilities in your must-have enterprise applications.
  • Install Anti-malware Tools: These tools include antivirus protections and are your shield against malicious software on devices like servers or workstations.
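The firewall bullet above says the logs are what let you spot suspicious activity. As an added illustration (not code from the original post or from Blue Mantis), here is a small parser and detector run over a handful of constructed, syslog-style deny/allow lines; the log format, host names and addresses are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (syslog-style; not from any real product).
SAMPLE_LOG = """\
Oct 30 09:12:01 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=22
Oct 30 09:12:02 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=23
Oct 30 09:12:02 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=445
Oct 30 09:12:03 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=3389
Oct 30 09:12:03 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=8080
Oct 30 09:12:04 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=5900
Oct 30 09:12:05 fw1 kernel: ALLOW IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
Oct 30 09:12:06 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22
Oct 30 09:12:07 fw1 kernel: ALLOW IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=443
"""

# Field layout assumed for the constructed lines; adjust for your own firewall's format.
LINE_RE = re.compile(
    r"(?P<action>ALLOW|DENY) IN=\S+ SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)

def parse_firewall_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            event = m.groupdict()
            event["dpt"] = int(event["dpt"])
            events.append(event)
    return events

def find_port_scanners(events, min_distinct_ports=5):
    """Flag (source, destination) pairs whose DENY events touch many distinct
    destination ports: a common sign of port scanning. A single blocked port
    (like 198.51.100.7 below) is noise and stays under the threshold."""
    ports_by_pair = defaultdict(set)
    for ev in events:
        if ev["action"] == "DENY":
            ports_by_pair[(ev["src"], ev["dst"])].add(ev["dpt"])
    return {
        pair: sorted(ports)
        for pair, ports in ports_by_pair.items()
        if len(ports) >= min_distinct_ports
    }
```

The threshold is a tuning knob: set it from what your own logs show as normal before alerting on it.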

Not every business can run solely using off-the-shelf software applications. If your company develops software either for in-house usage or to generate revenue through external licensing, then it’s imperative to use secure coding practices. To increase the security and quality of software releases, many companies have adopted DevOps practices that combine Agile software development with cloud-based IT operations.

An offshoot of DevOps that adds more security to the process is the GitOps framework. GitOps takes the best practices of DevOps and adds infrastructure automation with secure Git code repositories for a “single source of truth” for development teams. The GitOps framework is gaining popularity as a way to institute secure coding practices across onsite, nearshore, and offshore dev teams. However, GitOps can be complex to deploy and that’s why Blue Mantis developed Platform Engineering, our own GitOps platform delivered as a managed service. You can learn more about how Platform Engineering can increase your developer productivity without sacrificing security at https://www.bluemantis.com/blog/introducing-platform-engineering-the-future-of-cloud-native-it/

2. The Network Layer

This layer refers to layer 3 in the OSI model, and it is all about the technologies used to connect devices (sometimes known as “network endpoints”), applications, and users. It’s crucial for a defense in depth strategy to protect this layer as well, because if it is compromised, attackers could then reach the application layer, leading to catastrophic data breaches.

A good defense in depth strategy protects your network layer using a combination of these methods:

  1. Identity and Access Management (IAM): This is a technology that ensures the right individuals in your business have access to the right resources at the right times. Microsoft Entra ID is a popular choice for deploying IAM because it integrates well with Microsoft 365 cloud services and the basic functionality is available at no cost.
  2. Zero Trust: This is a security framework that builds on IAM using a semi-paranoid “never trust/always verify” method for security. Zero trust requires that users authenticate through IAM and then grants them access only to the resources their roles in the organization authorize.
  3. Strong Authentication: The final link in the chain, authentication, is the process by which IAM and zero trust prove the user is who the user claims to be. To maintain a high level of security, businesses should require multi-factor authentication (MFA) and strong passwords for users, and, if budgets permit, biometrics and hardware-based passkeys.

The Rewards of Defense In Depth

Think of defense in depth as a series of safety nets for your company’s IT infrastructure. Here’s what you stand to gain:

  • Enhanced Protection: Multiple layers mean there’s no single point of failure.
  • Adaptability: The strategy evolves with emerging threats, ensuring your organization’s defenses are always current.
  • Threat Mitigation: With layers addressing both external and internal threats, the entire network remains secure.
  • Compliance: Defense in depth can help meet various regulatory requirements. In the United States, there are dozens of federal-level regulations on data security such as the Health Insurance Portability and Accountability Act (HIPAA) for the healthcare industry, the Payment Card Industry Data Security Standard (PCI DSS) required for any business that accepts credit card payments, and the new Securities and Exchange Commission (SEC) rules on disclosing data breaches—which our own CIO wrote was coming back in March.
  • Detection and Response: Criminal hackers don’t keep office hours. Continuous monitoring ensures incidents are not only identified but also promptly addressed. The downside of this method is that it requires 24/7 monitoring by a security team. Blue Mantis offers options for managed detection and response (MDR) for businesses that do not have the internal IT resources to build their own detection and response team.

CEOs Should Prioritize Cybersecurity Beyond October

Most importantly, stay vigilant even after Cybersecurity Awareness Month is over. Deploying multi-layered cybersecurity isn’t just a recommendation, it’s a necessity for every business. CEOs can always work with their CISOs to understand what’s needed for their specific businesses—and CEOs who champion the need for cybersecurity defense in depth will be rewarded with more productive organizations. For those businesses that may not have elevated IT security to an executive-level position for budgetary or other reasons, I recommend a fractional or virtual CISO. These services provide executive cybersecurity leadership on demand for significantly lower costs than a full-time CISO.

As outlined in the comprehensive guide above, defense in depth cybersecurity is more than a buzzword—it’s a proven approach to deliver robust protection for your organization. Contact us to learn how Blue Mantis can help implement defense in depth at your business.

Rob Fitzgerald

Field CISO Cybersecurity & Risk Management

Rob is the Field CISO of Blue Mantis and the former founder/CEO of Arcas Risk Management (acquired by Blue Mantis in March 2023). Rob specializes in cybersecurity consulting with a focus on developing and implementing cost effective, enterprise-class solutions for organizations of all sizes. He is passionate about developing cybersecurity talent while ensuring organizations of any size have access to experienced cybersecurity, risk management, and compliance resources.