We are continually reminded of the growing threat to information, systems, and data. Every day there is a new angle that threat actors, criminals, and hackers are taking to disrupt, destroy, or damage your business. Likewise, the speed and complexity of IT transformation accelerate the pace of change and the intricacy of cybersecurity and information protection. Cybersecurity is a cultural issue that is more than just the newest tool or concept for finding and preventing evil within your corporate information and technology enterprise.
What is your corporate assessment of success for your cybersecurity program?
Many will tell you that avoiding the dreaded appearance on the six o’clock news is the primary measure of success in cybersecurity. A more reasonable approach is to employ a set of metrics developed from your security framework. Choose a framework from sources such as the International Standards Organization, the National Institute for Standards and Technology, or the Center for Internet Security’s 20 Critical Controls. Choose one that matches your organization’s technical information architecture, business models, internal dynamics, and outward-facing communications structure. Choose a strategy that gives you success criteria you can defend to the Board of Directors! Just pick one!
CAUTION! Frameworks are a baseline! Simply accepting the baseline isn't always secure. Understand the value proposition… supplement with controls that provide the security your users deserve.
Success is knowing where your benchmarks are and establishing key performance indicators you can clearly see and easily measure.
How mature is your cybersecurity program?
Your mileage may vary. However, if you're learning from your experiences, good or bad, you're maturing. ISACA and the CMMI Institute recently published a Cybersecurity Maturity Assessment model with the people, process, and technology aspects the CISO can use. Address operational practices with standards and conformity in mind. Understand your Board of Directors' concerns with organizational and investment priorities and risk appetite. The NIST Cybersecurity Framework also includes a maturity model with tiers for policy, procedures, implementation, test, and integration, which is helpful in determining where the organization sits in the cybersecurity core event life cycle of identify, protect, detect, respond, and recover. Understanding where your program sits on the maturity path will help you determine success.
Success in the early stages of maturity is still a success!
What are your cybersecurity strategy and guiding principles?
Once you have a handle on the way your program will work, the energy should shift to developing and implementing a strategy with policy, standards, and implementation plans. Start with a robust and relevant set of Guiding Principles – know your data, know your architecture, and know the industry-related issues (FERPA, HIPAA, GLBA, etc.). Understand your environment, including assets and attributes such as hardware, software, and standard configurations (CIS Critical Security Controls).
Be aware of the revolution in privacy concerns – bake it in now! Become familiar with and incorporate the emerging privacy principles, laws, and doctrines such as the European Union General Data Protection Regulation or the California Consumer Privacy Act of 2018. Know how you address employee behaviors and workplace issues, and incorporate business and organizational perspectives.
Success is in having the community comply with these guiding principles! You can't socialize this enough.
How often do you “talk cyber” to your constituents and stakeholders?
Communications and awareness are key to moving the program from charts, papers, and graphs to real culture change. Know your audience’s tolerance for negative messages that invoke fear, uncertainty, and doubt (my preference – avoid FUD as much as possible – but then, I'm a glass-half-full guy). Develop the ability to sort through the vendor hype for real information worth sharing.
Communicate early and often using messages the community understands. Build up your message(s) with a cross-section of business, IT, and security groups, and use constituent community boards. Above all, have a written communications plan that encourages constant and consistent messages, how to address executives and the Board of Directors, how to manage crisis communications, and how you communicate change.
Use the feedback you receive, and take care not to make large changes from small amounts of imperfect data. Involve your community through education and feedback focused on your key performance indicators. Cybersecurity is like Novocain: you sometimes have to give it a bit of time to work before you start poking around with sharp instruments.
Success is when you express your message in organizational terms and examine feedback to trace trends, then report!
A successful program…
…is not a bolt-on for projects to check a requirements box. Successful cybersecurity programs absorb frameworks and best practices that become part of the organizational DNA. To keep your business functional and thriving, your cybersecurity program has to be an integral part of the business and mature in providing the right people, processes, and technology - at the right cost - at the right time. Make your program a value center rather than a cost center.
Successful cybersecurity programs are bottom-line to the business and never cost more than the value of the information and systems the program is meant to protect.