When evaluating the perceived level of success for organizations ranging from the U.S. Government to large public companies to small businesses in regards to protecting information and preventing breaches, the results can vary and would likely be frightening. Most informed cybersecurity experts would provide a general “thumbs down” to nearly all groups of businesses and entities to date.
But there is hope! Any organization wishing to improve in this regard, and to implement necessary defenses to effectively protect its environment against most cybersecurity risks, can follow a simple template.
First, companies must identify the potential targets of cyberattack (the entity’s sensitive data and critical systems), then, once an inventory has been developed, entities should assess the risk to each target, and take steps to manage risk to an acceptable level, while considering the organization’s risk appetite.
While this process sounds simple, the fact is that today’s organizations are struggling to effectively complete these steps. There are several areas that cybersecurity professionals should consider when managing their information security program efforts that can help to improve the chances of success.
Planning & Administration
Proper planning and administration of a cybersecurity program involve getting the discussion into the boardroom and in front of the decision makers, enabling them to make well-informed decisions. When this opportunity presents itself, it’s critical to avoid technical speak, keeping the information at a simple yet appropriate level of communication for the audience. Try to have a positive discussion focused on combating cybercrime rather than a “sky is falling” negative tone. Executives don’t want to hear that commonly uttered phrase “It’s not a matter of IF we’ll get breached, but WHEN.” After all if, that’s truly the case, why bother implementing security controls at all! When developing cybersecurity objectives, it’s also important to consider what’s driving your company’s business, and how data security plays a role. Regularly asses your program’s effectiveness, striving to make proper security risk management a focus instead of compliance with regulations as the main focus. Also, be careful about trying to quantitatively compute security return on investment. Stock price impact and per-data-record breach cost calculations can be easily questioned, undermining your argument for security investment.
The phrase never gets old—effective communication is key. One wrong move in any communication strategy can cause confusion and misunderstanding, especially with cybersecurity, which by its nature is often seen as technical jargon. Make sure to get legal, audit, and compliance channels on board with cybersecurity program objectives. Don’t be the only one in the company carrying the responsibility for IT security. To avoid this situation, communicate one-on-one with allies outside the boardroom to get their feedback and buy-in on your plans.
When it comes to executing your cybersecurity program, there are several must-dos to ensure cybersecurity success.
- Make sure your security policies are robust.
- Create an asset inventory, and classify all data. You can’t protect what you don’t know you have.
- Use multi-factor authentication for all remote access channels. Be sure webmail is included in your multi-factor implementation!
- One major “key” to security is good passwords. While you should educate employees on how to choose good passwords, multi-factor authentication is the single best way to defend against bad passwords.
- Avoid getting enamored with looking for the silver bullet of security. A technology solution won’t solve the problem completely. Make sure the basic “blocking and tackling” components of your program are in great shape before you spend money on the newest shiny software solution.
Tips for Success
And finally, to be most successful with your cybersecurity efforts, these tips can help you along the way. First, plug into a community of cybersecurity peers who can serve as a sounding board and can offer alternative perspectives in regards to your existing practices. Conduct ongoing risk assessments and seek to remediate all significant risks. If your company is ignoring your cybersecurity risk management recommendations, it likely either means that you are not communicating risks effectively or the company is not committed to proper cyber risk management. In either case, seek to remedy that situation. Work with a peer to hone your message, and practice it with your allies in the organization. If that still doesn’t work, find another employer who values your expertise.