January 15, 2025

New Year, New Cybersecurity Posture

Whether you are looking to learn a new language, make more time for the gym, or re-evaluate your cybersecurity posture, the start of the new year is a fantastic time to set new goals for yourself and your organization.

Your organization's cybersecurity program should be unique to your processes, risks, and business model. Like most things in the cyber landscape, your program should adapt over time as your organization changes and the industry changes around you. It is easy to get over saturated and over ambitious when looking at the buffet of potential cybersecurity enhancements. This is especially true if your organization overcame a cybersecurity incident this past year.

In this post we will explore cybersecurity roadmaps, how your organization can refine / create one, and what items to consider in 2025.

What is a Cybersecurity Roadmap?

At its most basic level, cybersecurity roadmaps are meant to help thoughtfully organize your cybersecurity program objectives into an achievable timeline. Some roadmaps leverage an incremental growth strategy (i.e., crawl-walk-run) for tackling new objectives, while other roadmaps fragment a single objective into multiple phases throughout the year or even expand large tasks across multiple years.  

An effective cybersecurity roadmap should consider your organization's risks, regulatory requirements, budgets, and realistic business goals for the year. To get started with developing a new roadmap, your organization should identify what main objectives you want to work towards. These main objectives are typically related to filling security gaps that are already tracked, accounting for new regulatory obligations, and addressing emerging cybersecurity trends, risks, and threats.  

While cybersecurity roadmaps can be developed for any length of time, they require continuous evaluation and adaptations. This creates a recursive process, described by four main phases:

  1. Assess: Evaluate and understand the current state to identify your organization's short- and long-term objectives  
  1. Implement: Develop and execute an achievable plan related to your identified objectives.
  1. Validate: Test to ensure effectiveness of the items implemented.  
  1. Optimize: Refine implemented items based on validation efforts for long-term success.

Developing a Roadmap

As you look towards building or fine-tuning your cybersecurity roadmap for 2025, we recommend considering ways to further enhance your people, processes, and technologies. These are the main pillars that support your organization's cybersecurity posture. Every organization stands the best chance against cybersecurity risks by appropriately balancing their attention and budgets across all three pillars, to avoid a "weakest link" scenario. Each year will bring new cybersecurity challenges and objectives that are driven by real-world observations.  

People

Every end user at your organization has a role to play in your cybersecurity program. For most, this responsibility is to remain cognizant of potential cybersecurity events and notify the necessary individuals so they can validate and take the necessary actions. For the leadership and technical roles at your organization, responsibilities are typically more involved with preparing for, detecting, validating, responding to, and recovering from a cybersecurity incident. As a result, your organization should work to ensure all employees are prepared for new / emerging cybersecurity threats.  

  • End User Security Awareness & Training: Social engineering is the easiest and most common way a threat actor can initiate their attack. Email phishing attacks are one of the most widely known attack vectors, yet they still lead to countless credential thefts, fraudulent payment and malicious attachment download incidents every year. As a result, your organization should make ample effort to verify your employees are aware of new ways threat actors will try to trick them. In tandem, end users should understand what to do if they see a potential incident (e.g., alerting IT staff). Awareness and training sessions are recommended to be performed annually, at a minimum. When building your roadmap for this year, consider what cybersecurity topics you feel would be most beneficial for your employees to know and understand.  
  • Employee Skillsets and Capabilities: Threat actors will always continue to adapt to the latest cybersecurity defenses and improve their capabilities to achieve their goals. Your organization's technical / incident response team members should be no different. It is recommended that your organization uses this new year to reflect on what current cybersecurity skillsets your employees have, while comparing them to the in-house capabilities you would like to see be developed. Many employees already have interests in achieving new certifications, attending specialized training courses, and visiting cybersecurity conferences. Enabling them to pursue these interests goes a long way in helping your organization improve its cybersecurity capabilities.  

Process

Every cybersecurity program can be thought of as a complex machine with many moving parts between the preparation and response to an incident. As a result, organizations should strive to formally establish and document repeatable cybersecurity workflows, policies, and plans. This enables standardization, which ensures both consistency and accountability with cybersecurity risks. One thing to keep in mind is that your cybersecurity processes are never going to be truly finished. They will require constant adaptation and improvements as your organization’s risk appetite, goals, and environment change.  

  • Enhancing Documentation: If your organization has not yet formally documented its cybersecurity plans, policies and procedures, the new year is a fantastic time to set that initiative. A formal asset inventory, business continuity plan, incident response plan and vendor management plan are great places to start! Once established, your organization should continue to refine its documented processes to account for changes in your organization and your industry's threat landscape. Documented processes should also be tested to validate effectiveness in their implementation.  
  • Testing Effectiveness: How valuable is formal documentation that end users do not understand? Your organization should ensure that applicable employees understand their responsibilities before and during a cybersecurity incident. Running tests / exercises simultaneously familiarizes your team with performing their duties (i.e., “practice-makes-perfect”), while also validating the effectiveness of the guidance found within the current documentation. It is very common to identify through practice - or real-world incidents – that your formally documented processes did not work exactly as anticipated. Maybe you forgot a key step or did not account for a scenario-specific constraint. Common tests for personnel include incident response tabletop exercises and fictitious phishing campaigns. In addition to the “people” element of these tests, the processes themselves should be tested to validate effectiveness in the same way. For example, testing your backups on a recurring basis will help verify the necessary data is being preserved and able to be restored for cybersecurity resilience. It is both fiscally and mentally tolling if you suddenly realize during a cybersecurity incident that your believed backups were not functioning as assumed. Simply put: If you build it, test it.
  • Environment Changes: It is likely that your organization’s digital environment has seen changes over the last year. Perhaps you decided to take your servers and applications onto a flight into the cloud, added to your employee count or even expanded to new office locations. These changes likely have an impact on your processes and how they are documented. For example, if your employee count grew this year, your organization would benefit from validating your asset criticality list is still accurate with all new assets being accounted for. The new year is also an opportune time to reflect on your data and the associated retention / deletion processes. In addition to ensuring necessary data follows established regulatory retention requirements, your organization should evaluate any changes in the need for net-new information. In other words, is there still a need in the new year to even store net-new sensitive information in the first place? If not, then why subject your organization to the cybersecurity requirements that come with it? 

Technologies  

This is one of the more commonly envisioned aspects of a cybersecurity program. It is also often one of the most relevant conversations during cybersecurity budget meetings. The technology you choose is often the first line of cyber defense for your organization. No single technology solution will solve all of your cybersecurity concerns, so the new year is a great time to evaluate your current technologies and hunt for ways to optimize.

  • License and Logging Evaluation: Unfortunately, there are many organizations who learn of logging limitations within their cybersecurity tools when it is already too late. Some cybersecurity tools and platforms leverage a license / subscription tiering model that unlocks certain features and capabilities the more you pay. Although it is easiest to select the cheapest license level now, it may end up being more costly if the tier does not give you the vital information you need during an incident. As an example, the cheapest license level may only retain logs for a week as opposed to multiple months. With budget in mind, it is recommended that your organization works to determine what benefits vs. limitations each of the license levels will mean during an incident.  
  • Tool-specific Training: Not everyone needs to be an expert on every tool / platform you have in your environment. However, your organization should strive to fully leverage what features each has to offer. Most cybersecurity tools receive consistent feature improvements to account for new common threat actor tactics and techniques. Understanding how to use your technologies to their full potential may enable improved efficiencies and protection.
  • Tool Inventory Checks: Tools, tools, and more tools! It is easy to get lost in all the features, capabilities and new offerings released every year. This not only leads to the increased chance of tool management oversight but also makes it more difficult to understand what redundancies are costing your organization more than necessary. Use the start of this new year to create, review and/or update your tooling lists to ensure all tools are accounted for and that the necessary tracking is in place for each. Valuable data points such as who owns the tool, what current version is running, what users have access to it, and what environment locations are being covered should be tracked for strategic insight. Taking this one step further, it is recommended that tools are evaluated against MITRE’s ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) and D3FEND (Detection, Denial, and Disruption Framework Empowering Network Defense) frameworks for their function and capabilities to help identify cybersecurity gaps but also identify tools that overlap and create unnecessary redundancies.

2025 Roadmap Considerations and Real-World Scenarios

As you approach the creation or refinement of this year’s roadmap, MOXFIVE’s Resilience team is here to help build your roadmap and identify the best solutions for your specific cybersecurity needs, budget, and current posture.  

This past year MOXFIVE helped organizations navigate hundreds of cybersecurity incidents. Throughout these incidents we identified a few commonalities that we recommend your organization consider:

  • Multifactor Implementation: We recommend performing a quick self-audit to validate where your organization has multifactor authentication (MFA) deployed. This past year we helped numerous organizations impacted via Virtual Private Network (VPN) connections that lacked multifactor authentication (MFA). In some scenarios MFA was rolled out to only some accounts, whereas organizations in other scenarios didn’t have MFA implemented at all. MFA is a relatively simplistic and budget-friendly control that can significantly help protect your environment. The sooner in your roadmap MFA can be addressed, the better.  
  • Vulnerability Management and Patching: We recommend having a formal process in place for identifying and applying new security patches, especially on perimeter devices like VPNs. An unsettling number of incident’s we’ve investigated in 2024 began with the threat actor obtaining initial access via a perimeter device left unpatched and then pivoting internally to take down entire networks.  
  • Vendor Identity and Access Management: We recommend scheduling multiple formal reviews throughout 2025 to validate the permissions, access, and state of accounts within your environments. It is not uncommon for your vendors to require special security exceptions and elevated privileges within your environment to perform their duties. However, for these same reasons, these vendors accounts are often targeted and leveraged by threat actors during attacks. This past year we helped multiple organizations recover from incidents where threat actors leveraged dormant vendor accounts to expand their access and privilege within the environment. As a result, your organization should work to update your inventory of active accounts, determine if the accounts and their access are still necessary, and identify how further protection can be applied.    

Please reach out to us if you need help exploring all resilience options and if you would be interested in whiteboarding your organization’s cybersecurity resilience to ensure common pitfalls and risks are addressed.

Justin Boncaldo

Justin has helped a diverse range of organizations navigate cybersecurity incidents from incident response, digital forensic, cyber insurance and preparatory perspectives. With over five years of incident response consultancy experience, Justin has supported and empowered private and publicly traded organizations, as well as state and local government entities, reaching virtually every industry.

Experts predict there will be a ransomware
attack every 11
seconds in 2021.
from Cybercrime Magazine
Our mission is to minimize the business impact of cyber attacks. 

HOW WE CAN HELP

Incident Response

MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance needed in a time of crisis, and facilitates the delivery of all technical needs required, consistently and efficiently.

Learn More

Business Resilience

With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.

Learn More