There are no one-size-fits-all cybersecurity programs. I wish I could tell you to “Do this. Do that. Don’t do these other things.” But, that’s not reality.
Just like a tailored suit or the way you prefer your coffee, cybersecurity programs are unique. So, if you want a comprehensive program, it’s not enough to look at what other companies are doing and call that “good enough.” You must define what an appropriate program looks like for your organization. As a Board of Directors, you should ask management, “What does a good cybersecurity program look like for us?” To get to that answer, here are four key steps to help the company along the way:
1. Perform a risk analysis.
This is the foundation of your information security program. What type of data does your company handle, process, and/or store? What’s the likelihood that data could be accessed by a malicious user? What would be the consequences of a breach? The good news is, you don’t have to do this yourself (and you shouldn’t).
Judge your company against an industry standard such as the NIST framework, ISO 27001, or any other security framework common in your industry. These organizations have taken the time to define the general areas and functions every cybersecurity program should address. Using one of these frameworks as a basis ensures that you are taking an in-depth look at your risks rather than only the ones that happen to come to mind.
2. Develop controls to integrate security into business operations.
Auditors (and hackers, for that matter) don’t care how much you talk about cybersecurity. They care whether you have controls in place. Use the risk analysis as a guideline to determine which controls must be implemented to secure data to a reasonable degree. This is where things begin to differ for various companies.
Some companies store incredibly sensitive data and must spend heavily to protect it. Other organizations store lower-risk data, which can reasonably be protected on a smaller budget. Ultimately, you want to determine how to build cybersecurity into the day-to-day operations of the business rather than bolting it on afterward.
3. Write it down.
This is important for a few reasons. First, employees can’t perform their security duties if they don’t know what those duties are. Documenting security controls gives complete clarity to your company’s information security program.
Second, you can’t assess the effectiveness of your program if you don’t know what you’re looking for. Inspection of security controls is how you verify they are in place and operating effectively. Without a record of written controls, how do you know what to look for? In short—you don’t.
4. Implement the controls.
Determining and documenting cybersecurity controls is a huge step for many companies. The problem is—too many companies stop there. Many times, I’ve assessed a company’s security program only to find that, while their documentation is impeccable, their implementation is close to non-existent.
Don’t be that company. Document the controls that are truly being performed. Documenting what you aspire to do might be helpful to set a standard you can reach for, but it won’t impress an assessor. What’s written down should reflect reality.
From a 30,000-foot view, developing a comprehensive information security program seems straightforward—and it is. The challenges appear when you begin to get in the weeds and look at specific risks your organization faces, because many cybersecurity questions don’t have a straightforward answer.
Whether you’re proud of your cybersecurity program or want some guidance with it, LBMC Information Security can help. Contact us to learn how we can help you develop a comprehensive cybersecurity program or assess your current one.
This blog is the fourth in a series titled, “Cybersecurity in the Boardroom.” The purpose of this series is to shift boardroom conversations and considerations about cybersecurity so board members, company management, and information security personnel can work together to implement a more effective cybersecurity program.