Cybersecurity (or cyber security) is the practice of reducing cyber risk through the protection of the entire information technology (IT) infrastructure, including systems, applications, hardware, software, data, users, and identities. Information security (InfoSec)—or data security—is a chief component of cybersecurity and entails ensuring the confidentiality, integrity, and availability of data and other types of information.
Cybersecurity leverages a growing number of tools, methods, and resources that help organizations and individuals alike increase their cyber-resilience, meaning the ability to prevent or withstand damaging cyber events. These adverse events could include a cyberattack (via malware, an external attacker, or a malicious insider), a fault in an IT system component or application, human error (e.g., a misconfiguration or a scripting/coding error), and so on.
Enterprise cybersecurity practices traditionally fall within an overarching IT risk management framework.
Cyber criminals exploit IT attack vectors to gain unauthorized access to the IT environment, potentially damaging a victim (organization or individual) through stolen data, downtime, identity theft, reputational damage, and more. In recent years, trends such as cloud migrations, widescale remote working, and digital transformation initiatives have vastly increased the attack surface for most organizations. At the same time, threats against software, systems, infrastructure, and data are constantly evolving. Threat actors are also increasingly incorporating machine learning (ML) and artificial intelligence (AI) capabilities into their attacks.
Cybersecurity helps organizations address cyber risks by providing a toolbox of approaches, tactics, and software to identify and protect against threats. A comprehensive cybersecurity strategy, supported by strong policies, processes, practices, and tools, can significantly reduce the risk that an organization or individual will be targeted or damaged by cyberattacks.
Specific issues that cybersecurity controls can help address include:
Protection against cyberattacks
Cybersecurity controls can help prevent or mitigate identity-based threats, brute force attacks, malware infections, ransomware, social engineering attacks, denial of service, and many other types of attacks that may disrupt your business.
Prevention of data breaches
Exposure of sensitive business, customer, and supplier data is one of the worst outcomes of a successful cyberattack. Cybersecurity controls can help prevent unauthorized access to systems and data, and provide layered mitigations that make it harder for an attacker who has gained a foothold to reach and exfiltrate data.
Prevention of identity theft
Compromised customer data can result in the theft of logins, passwords, and other sensitive personally identifiable information (PII). This can allow attackers to hijack accounts and impersonate the victim, causing lasting financial and reputational damage to the person whose identity was stolen. A growing range of identity security products and controls helps protect against the various types of identity-based attacks.
Cyber insurance qualification
The surge in cyberthreats and ransomware attacks has led to a sharp rise in cyber insurance rates and stricter underwriting criteria. High-risk organizations may even face coverage discontinuation. Least privilege enforcement, multi-factor authentication (MFA), and remote access security are several examples of the important cybersecurity controls increasingly demanded by cyber insurers to qualify for cyber insurance coverage and obtain favorable terms.
Organizations operating in various industries and geographies must comply with certain governance initiatives. Many of these initiatives and regulations mandate cybersecurity controls, either specific controls or more general risk management approaches. Examples of regulations, standards, and attestation frameworks include PCI DSS, HIPAA, ISO 27001, GDPR, SOC 2, and SOX.
There are many constantly evolving cybersecurity disciplines. Here are some of the most common disciplines, many of which overlap:
Cybersecurity first emerged as its own discipline in the 1960s and 1970s, when computer systems became more prevalent in various industries and government institutions. During this time, as more computers were connected to networks, the need for protecting these systems from unauthorized access and malicious activities became apparent.
1940s: The Birth of Computing
One of the first electronic digital computers, the Atanasoff-Berry Computer (ABC), was completed in 1942. Throughout the 1940s, computers were large, scarce, and not connected to one another. Limited accessibility kept threats at bay. The idea of a self-replicating program was introduced by John von Neumann later in the decade, in his lectures on the "Theory and Organization of Complicated Automata," where he postulated that a computer program could reproduce itself.
1950s: Phone Phreaking
"Phone phreaking," a precursor to hacking, materialized in the 1950s, as curious users explored and manipulated telephone switching systems. Later, in the 1960s, the term "hacking" migrated from the MIT Tech Model Railroad Club's tinkering with train sets to early computers.
1960s: Early Hacking and Ethical Considerations
Hacking in the 1960s involved gaining access to computers for curious experimentation rather than malicious intent. In 1967, IBM invited students to try out their new computers. The students first explored the accessible parts but were soon discovered to be learning the system’s language, probing deeper, and gaining access to other parts of the system. This experience prompted the industry's first steps toward ethical hacking and cybersecurity.
1970s: Birth of Cybersecurity and Initial Threats
The 1970s marked the true birth of cybersecurity with ARPANET, where the first computer worm, an experimental program called 'Creeper', was written by Bob Thomas, who is sometimes credited as a founder of cybersecurity. In response, Ray Tomlinson wrote 'Reaper', a program that hunted down and deleted Creeper and is often described as the first antivirus.
Throughout the decade, governments and organizations began addressing network vulnerabilities, laying the foundation for cybersecurity development.
1980s: Rise of Cyberattacks and Antivirus Solutions
The 1980s saw a surge in cyberattacks, prompting the development of antivirus solutions. The Vienna and Cascade viruses exposed vulnerabilities, leading to the creation of commercial antivirus products in 1987. Markus Hess's 1986 infiltration of U.S. military computers highlighted the need for robust cybersecurity measures.
That same intrusion was uncovered by Cliff Stoll, an astronomer working as a systems administrator at Lawrence Berkeley National Laboratory. Stoll's supervisor asked him to resolve a 75-cent discrepancy in the computer usage accounts, which led him to discover an intruder who had gained superuser access to the lab's systems. Stoll then engaged in a months-long cat-and-mouse chase, setting up a honeypot of fake documents to keep the attacker connected long enough to trace him; the intruder turned out to be Hess, who was selling what he found to the KGB. Stoll's book about the episode, The Cuckoo's Egg, shone a light on cyber espionage and showed how shockingly unprotected many systems were at the time.
1990s: Internet Goes Mainstream and The Attack Surface Explodes
The 1990s witnessed the internet's exponential growth and the corresponding expansion of cybersecurity challenges. Polymorphic viruses, the Disk Killer virus, and the emergence of more antivirus programs showcased the escalation of both cyber threats and defenses.
In the late '90s, the Melissa virus caused over $80 million in damage to businesses, underscoring the need for enhanced cybersecurity strategies, while the development of Secure Sockets Layer (SSL) provided a critical defense mechanism for traffic in transit. The arrest of Kevin Mitnick in 1995 demonstrated the growth of cyber-criminal activity, and its potential repercussions.
The 2000s: Internet Expansion and Creation of The Cloud
The 2000s ushered in a rapid expansion of internet usage, making computers and internet-connected devices ubiquitous. In addition, cloud computing became commercially available, spurring a new phase of evolution. However, widespread connectivity and the emergence of cloud computing also brought new cybersecurity challenges.
The connected attack surface expanded drastically as novice users were newly online, with little to no knowledge about security hygiene. The evolution of cybersecurity since the advent of online computing is marked by a perpetual "arms race" between security teams and cybercriminals exploiting vulnerabilities. Various attack vectors, such as social engineering, phishing, ransomware, and advanced fileless malware, contribute to an expanding threat landscape.
The 2010s: The Attack Surface Expands Exponentially, Again
In 2009, DevOps emerged and quickly gained momentum in the early 2010s, ushering in a new wave of IT innovation, while also introducing security gaps and vulnerabilities, sometimes at massive scale.
Malware evolved to infect systems through mere website visits (drive-by downloads), and hacktivist groups like Anonymous gained prominence, targeting entities for political motives. Credit card hacks, like those by Albert Gonzalez's group, and major breaches like Yahoo's in 2013 and 2014, underscored the vulnerabilities in nascent digital platforms.
In response, innovative cybersecurity solutions emerged, incorporating technologies like computer forensics, multi-factor authentication, and ML-driven threat detection. Despite these advancements, persistent threats such as state-sponsored attacks, phishing, and ransomware demonstrated the ongoing importance of skilled cybersecurity professionals.
The 2020s and beyond: Zero Trust and Identity Security take Center Stage
The 2020s started with the recognition of the emerging COVID-19 global pandemic, which had profound implications for society, work, and cybersecurity.
For many digital workers across the world, the pandemic necessitated a massive and immediate move to remote work, considerably accelerating a trend already in motion. The pandemic compelled organizations to undergo rapid digital transformation. This hasty evolution expanded the attack surface and created many security gaps that provided threat actors with fertile opportunities.
During the early 2020s, the rapid dissolution of the traditional network perimeter and rise of hybrid/remote working, mobile connectivity, and cloud computing, underscored the need and demand for the adoption of identity-centric security and zero trust principles. At the heart of most attacks today are identities, their privileges, and access pathways.
In late 2022, the public launch of OpenAI's ChatGPT took the world by storm and highlighted the leaps in technological advancement made by generative AI and other forms of AI and machine learning. Threat actors started to lean more heavily into incorporating AI into attack methodologies, such as in spear phishing campaigns. In the short term, the emergence of AI/ML technologies has boosted attackers' toolsets, extending the scalability and targeting of attacks, with the potential to make attacks even more complex, effective, and evasive as these technologies evolve.
Enterprises are in the early stages of scrambling to assess, develop, and implement nascent cybersecurity controls leveraging AI, such as in threat detection and response.
Here are some of the most common cyber threat vectors that impact individuals and organizations.
Your cybersecurity approach will vary depending on the type of environment you operate within. For example, a personal user may use a password manager, anti-malware controls, and practice good security hygiene to adequately ensure the security of their devices and information.
At the other end of the spectrum, if you are responsible for the security of a large enterprise and use a Managed Services Provider (MSP) to host your data and systems, you will need to align your cybersecurity strategy, policies, and processes with the MSP. If you’re moving to a cloud-based infrastructure, you will need to adapt your approach accordingly. Essentially, you must make every attempt to protect business IT assets wherever they are located, and at all times. It’s equally important to ensure that the software you use can operate across multiple environments and use cases.
Today, zero trust security is one of the leading enterprise cybersecurity frameworks. Zero trust entails ensuring access rights are continuously evaluated, least privilege is enforced everywhere, and that all access is monitored and reviewed.
From auditing IT ecosystems, to implementing robust identity and access management, there are several key components to securing enterprise systems and data for organizations. Below, we will cover key aspects of cybersecurity best practices, offering insights into building a resilient defense against the ever-changing threat landscape.
Audit Your Existing IT Ecosystem
Initiate a comprehensive audit of your IT ecosystem, including hardware, software, and network components. Look into configurations, permissions, and user roles to understand your organization's digital landscape. This detailed mapping not only identifies potential vulnerabilities, but also serves as a foundational step in developing a robust cybersecurity strategy tailored to your specific infrastructure or IT estate.
Complete a Gap Analysis
Once potential threats are identified, conduct a thorough gap analysis that extends beyond technical evaluations. Assess the maturity of existing cybersecurity measures, considering procedural and personnel aspects as well. This holistic examination gives a nuanced understanding of your organization's cybersecurity posture and makes it possible to target improvements across multiple dimensions.
Use a Risk-Based Approach to Cybersecurity
In rating potential threats based on likelihood and impact (blast radius), align assessments to the operational and asset characteristics of your organization. Tailoring your risk-based approach ensures that cybersecurity efforts are finely tuned to address the unique priorities and challenges of your business environment, resulting in a more adaptive and effective defense strategy.
Manage and Protect Identities
Manage the entire lifecycle of identities, using identity and access management (IAM) and Privileged Access Management (PAM). Integrate contextual factors into authentication processes. Implement adaptive security controls that factor in user behavior and environmental variables. Use phishing-resistant MFA (such as FIDO2/WebAuthn authenticators), especially for the most sensitive accounts and access. Mature identity threat detection and response (ITDR) capabilities to continuously assess identity risk and to rapidly detect and remediate threats.
Use password managers to secure enterprise credentials for employees, vendors, and machines. Privileged Password Management solutions should be used to secure any identity and account that requires privileged access. Ideally these solutions can secure privileged user passwords, DevOps secrets, SSH keys, and even workforce passwords to the enterprise applications used by IT and non-IT employees. Password management can prevent or mitigate some of the largest attack vectors, such as password reuse attacks, brute force attacks, and much more.
Enforce Least Privilege
Use privileged access management and other security technologies and techniques (e.g., systems hardening) to operationalize the principle of least privilege across all identities, accounts, systems, applications, and processes. Least privilege also entails enforcing network segmentation and microsegmentation to isolate access and contain a compromise within its segment. Reinforce the principle of least privilege with periodic access reviews and audits, ensuring continuous alignment with evolving business needs.
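One concrete way to operationalize least privilege for non-human identities is to lint the policies that grant them access and to scope each grant to the calls a task actually makes. The following is an added example, not code from the original page or from any vendor product: it checks IAM-style JSON policies for wildcard grants and evaluates whether a scoped-down policy still allows the calls a job needs. The two policies, the bucket name and the statement IDs are constructed samples; the evaluator handles only Allow statements with glob-style matching and ignores Deny statements and Conditions.

```python
"""Least-privilege check for IAM-style JSON policies.

Added example (not from the original page). The two policies below are
constructed samples; the evaluator handles only Allow statements with
wildcard matching and ignores Deny statements and Conditions.
"""
import fnmatch
import json

# Constructed sample: a typical "just make it work" policy for a reporting job.
BROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadBuckets", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "Admin",       "Effect": "Allow", "Action": "*",    "Resource": "*"}
  ]
}
""")

# The same job scoped to the two calls it actually makes, on one bucket.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports",
                  "arn:aws:s3:::example-reports/*"]}
  ]
}
""")


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def broad_grants(policy):
    """Return (Sid, reason) findings for Allow statements wider than any single task needs."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((sid, "action wildcard '*' grants every API call"))
            elif action.endswith(":*"):
                findings.append((sid, f"service-wide action wildcard '{action}'"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((sid, "resource wildcard '*' covers every resource"))
    return findings


def allows(policy, action, resource):
    """True if some Allow statement matches both action and resource (glob-style '*')."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(fnmatch.fnmatchcase(action, a) for a in actions) and \
           any(fnmatch.fnmatchcase(resource, r) for r in resources):
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {len(broad_grants(policy))} over-broad grant(s)")
        for sid, reason in broad_grants(policy):
            print(f"  [{sid}] {reason}")
    # The scoped policy still lets the job read its reports...
    print(allows(SCOPED_POLICY, "s3:GetObject", "arn:aws:s3:::example-reports/q1.csv"))
    # ...but no longer lets a compromised job delete them or wander into other services.
    print(allows(SCOPED_POLICY, "s3:DeleteObject", "arn:aws:s3:::example-reports/q1.csv"))
    print(allows(SCOPED_POLICY, "iam:CreateUser", "*"))
```

Running this flags four over-broad grants in the first policy and none in the second, while confirming that the scoped policy still permits the job's own reads. Running a check like this in CI, and re-running it during periodic access reviews, is how the "continuous alignment" above becomes a repeatable control rather than a one-off audit.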
Proactively Identify & Manage Vulnerabilities
Identify, prioritize, and remediate vulnerabilities across the IT estate. This should include automated vulnerability scanning and management tooling and, where warranted, penetration testing. Also integrate vulnerability scanning and penetration testing into the software development lifecycle to detect and rectify security flaws early in the process.
Secure All Access Pathways
Secure access within and across networks. This includes both humans (employees and vendors) and machines. This will require a mix of network security tooling (firewalls, etc.), privileged access management (including session monitoring and management), and more. Different methods and protocols should be tailored to the access need. For instance, VPNs may be adequate for some types of remote employee access but should never be used by employees on personal devices (BYOD) or by external vendors. All access should also be monitored and audited. In modern environments, zero trust network access (ZTNA) is increasingly used to apply adaptive trust and context to access decisions.
Many of the practices in this section will also help protect data. However, protecting data should begin with assessing what data you have and what protections it needs, some of which will be based on applicable regulations. Implement an information and data governance framework to ensure proper coverage and conduct audits. Implement specialized data security protections such as encryption and data loss prevention (DLP), in addition to implementing least privilege access to data.
Implement Business Continuity (BC) / Disaster Recovery (DR) Processes & Technologies
It’s critical to have technologies and procedures in place to ensure cyber resilience and recover from incidents. For instance, regular data backups are important to recover from several threats—such as from outages due to server failure, environmental hazards, or a ransomware attack. Incident response planning and training is another important facet of BC/DR.
Strive towards a Zero Trust Environment
In today's era of remote and mobile workforces and cloud utilization, zero trust principles are arguably the most effective approach to providing secure access while mitigating the risks to highly sensitive identities, assets, and resources. The NIST zero trust model (SP 800-207) entails eliminating implicit trust: no request is trusted because of where it comes from. This involves continuous authentication, least privilege, adaptive access control, and constant visibility and control over who is doing what on your network.
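The adaptive, context-aware authentication described under "Manage and Protect Identities" and the zero trust principles above come together in a policy decision point that evaluates every request on its own merits. The following is an added example, not code from the original page or from NIST SP 800-207 itself: a small policy engine whose rules map to least privilege, device posture, phishing-resistant MFA for sensitive resources, and re-authentication of stale sessions. The roles, resources, sensitivity tiers, re-authentication limits and the sample requests are constructed values chosen so that each rule fires once; a real deployment would draw these from an identity provider and device management system.

```python
"""Zero trust policy decision point: evaluate every request on its own merits.

Added example (not from the original page or NIST SP 800-207 itself). The
entitlements, sensitivity tiers, re-authentication limits and the requests
at the bottom are constructed values chosen to exercise each rule.
"""
from dataclasses import dataclass

# Assumed role-to-resource entitlements (constructed): each role gets only what it needs.
ENTITLEMENTS = {
    "analyst": {"reports"},
    "dba": {"reports", "prod-db"},
}
# Assumed sensitivity tier per resource (constructed).
SENSITIVITY = {"reports": "low", "prod-db": "high"}
# Maximum age of the last authentication before the session must re-authenticate.
MAX_AUTH_AGE_S = {"low": 8 * 3600, "high": 15 * 60}


@dataclass
class AccessRequest:
    subject: str
    role: str
    resource: str
    device_managed: bool
    device_compliant: bool   # e.g. disk encrypted, EDR healthy, patches current
    mfa_method: str          # "fido2", "totp" or "none"
    auth_age_s: int          # seconds since the subject last authenticated
    network: str             # "corp" or "internet"; carries no trust on its own


def decide(req):
    """Return (decision, reason) where decision is 'allow', 'step_up' or 'deny'."""
    # 1. Least privilege: the role must be entitled to the resource, wherever the request comes from.
    if req.resource not in ENTITLEMENTS.get(req.role, set()):
        return "deny", f"role '{req.role}' is not entitled to '{req.resource}'"
    # 2. Device posture is a precondition, not a bonus: unmanaged or non-compliant devices get nothing.
    if not (req.device_managed and req.device_compliant):
        return "deny", "device is unmanaged or fails compliance checks"
    tier = SENSITIVITY[req.resource]
    # 3. Adaptive MFA: every resource needs a second factor; high-sensitivity ones need a
    #    phishing-resistant one, not just any second factor.
    if req.mfa_method == "none":
        return "step_up", "multi-factor authentication required"
    if tier == "high" and req.mfa_method != "fido2":
        return "step_up", "phishing-resistant (FIDO2) MFA required for a high-sensitivity resource"
    # 4. Continuous authentication: stale sessions re-authenticate, sooner for sensitive data.
    if req.auth_age_s > MAX_AUTH_AGE_S[tier]:
        return "step_up", f"last authentication is older than {MAX_AUTH_AGE_S[tier]}s for the {tier} tier"
    # 5. Nothing above consulted req.network: being on the corporate LAN is not trust.
    return "allow", f"'{req.subject}' may access '{req.resource}'; decision is re-evaluated on every request"


# Constructed requests, one per rule.
REQUESTS = [
    AccessRequest("alice", "analyst", "prod-db", True, True, "fido2", 60, "corp"),
    AccessRequest("bob", "dba", "prod-db", False, True, "fido2", 60, "corp"),
    AccessRequest("bob", "dba", "prod-db", True, True, "totp", 60, "corp"),
    AccessRequest("bob", "dba", "prod-db", True, True, "fido2", 3600, "corp"),
    AccessRequest("bob", "dba", "prod-db", True, True, "fido2", 60, "internet"),
    AccessRequest("alice", "analyst", "reports", True, True, "none", 60, "internet"),
]

if __name__ == "__main__":
    for req in REQUESTS:
        decision, reason = decide(req)
        print(f"{decision:8} {req.subject}@{req.network} -> {req.resource}: {reason}")
```

The point of the ordering is that the only request that is allowed arrives from the public internet, while several requests from the corporate network are denied or sent for step-up: network location never appears in a rule, which is what "eliminating implicit trust" means in practice. Because `decide` is cheap and stateless, it can be called on every request (or on every session heartbeat), giving the continuous evaluation the model calls for.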
Take Account of Cybersecurity Frameworks
Regularly review and update your cybersecurity strategy based on applicable, or aspirational, industry frameworks and regulations. These include PCI DSS, ISO 27001/27002, the CIS Critical Security Controls, the NIST Cybersecurity Framework (CSF), and NIST SP 800-207 (Zero Trust Architecture). This will help improve your security posture and provide confidence to customers and partners about the integrity and resilience of your organization.
Train Your Employees in Good Security Practices & Build a Culture of Security
Go beyond initial onboarding with regular and targeted cybersecurity training updates to keep employees abreast of emerging threats and evolving attack techniques. Implement simulated phishing exercises to reinforce vigilance and cultivate a cybersecurity-aware organizational culture that is better equipped to identify and mitigate potential threats.
A recent report from Fortinet found that 83% of corporate boards suggested increasing IT security headcount. That same study showed that 9 out of 10 leaders prefer to hire people with technology-focused certifications.
Additionally, a recent ISC2 study found that 92% of respondents report having skills gaps in their organization—the most common being cloud computing security, AI/ML, and zero trust implementation.
To help address the skills shortage, many organizations outsource various IT and cybersecurity-related responsibilities to Managed Services Providers (MSPs) and Managed Security Services Providers (MSSPs).
With that said, here is a small sampling of some common types of cybersecurity roles that organizations try to staff for:
In addition, smaller companies or teams often have IT generalist roles that may entail a mix of responsibilities, including IT security.
Certified Information Systems Security Professional (CISSP): CISSP is a globally recognized certification validating expertise in designing, implementing, and managing a robust cybersecurity program.
CompTIA Security+: Security+ is an entry-level certification covering foundational principles, making it ideal for individuals starting their cybersecurity careers.
Cybersecurity Analyst+ (CySA+): CySA+ focuses on behavioral analytics, threat intelligence, and vulnerability management, making it suitable for cybersecurity analysts.
CompTIA Advanced Security Practitioner (CASP+): CASP+ is an advanced certification for cybersecurity professionals, emphasizing critical thinking and advanced technical skills.
Certified Ethical Hacker (CEH): CEH certifies individuals in ethical hacking techniques, enabling them to identify and address vulnerabilities in systems.
Global Information Assurance Certification (GIAC): GIAC offers a range of specialized certifications such as GIAC Certified Incident Handler (GCIH), GIAC Certified Enterprise Defender (GCED), and GIAC Certified Intrusion Analyst (GCIA), each focusing on specific cybersecurity domains.
Certified Information Systems Auditor (CISA): CISA certifies professionals in auditing, controlling, and ensuring the security of information systems.
Certified Information Security Manager (CISM): CISM validates expertise in managing, designing, and assessing an organization's information security program.
Certified Cloud Security Professional (CCSP): CCSP certifies individuals in designing and implementing secure cloud environments.
Offensive Security Certified Professional (OSCP): OSCP is a hands-on certification emphasizing practical skills in ethical hacking and penetration testing.
Systems Security Certified Practitioner (SSCP): SSCP certifies individuals in implementing, monitoring, and securing IT infrastructure.
Certified in the Governance of Enterprise IT (CGEIT): CGEIT certifies professionals in governance and strategic management of IT resources.
Certified in Risk and Information Systems Control (CRISC): CRISC certifies expertise in identifying and managing IT risks.
CSX Cybersecurity Practitioner (CSX-P): CSX-P certifies individuals in cybersecurity skills through hands-on performance-based exams.
CompTIA PenTest+: PenTest+ is a certification focused on penetration testing skills, ensuring proficiency in identifying and managing vulnerabilities.
GIAC Certified Incident Handler (GCIH): GCIH certifies professionals in responding to and managing security incidents, equipping them with the skills to detect, respond to, and mitigate cybersecurity threats effectively.
GIAC Certified Enterprise Defender (GCED): GCED focuses on defensive strategies, certifying individuals in designing and implementing secure enterprise-level defenses against cyber threats.
GIAC Certified Intrusion Analyst (GCIA): GCIA certifies expertise in analyzing and responding to network security incidents, making it ideal for professionals specializing in intrusion detection and analysis.