By Scott S. Smith
Security Practice Lead
Given the dramatically negative impact that a cybersecurity failure can have on your business, implementing a cybersecurity plan is mission critical. In my last article I talked about some of the business-driven needs that might drive your cybersecurity plan. Today I will address some of the steps you need to take to get a cybersecurity plan in place.
Here are the initial steps I recommend:
- Assess your risks – It is absolutely critical to understand what your data assets are and where they reside. You can then prioritize these data assets based on the likely negative impact on your business if these assets were to be compromised.
Start by taking a complete inventory of your data assets—a task that’s often easier said than done. Look in every corner: What data resides in major databases? Is there sensitive, unstructured data in drive shares (such as key Excel files), or even in the cloud? What data resides in shadow IT? How about email archives? It doesn’t hurt to reach out to key business stakeholders to ask them where they think their data is! Remember, if you don’t know where a data asset is located (or even if it exists), that lack of knowledge is a security risk in and of itself.
Once you have identified your data assets, the next step is to complete a risk analysis of each of them. Develop a risk-based taxonomy, and assign a priority level to each asset. From this, you will be able to drive an informed plan of defense.
- Pick a cybersecurity framework – There are a number of different cybersecurity frameworks available. These frameworks provide a set of checklists to help you create your cybersecurity plan, and help ensure that you cover all your bases. Two of the more popular are the CIS (Center for Internet Security) cybersecurity framework and the NIST (National Institute of Standards and Technology) cybersecurity framework.
Review these frameworks within the context of how your business, culture and IT systems work. Select the cybersecurity framework that is the best match, and then modify (or simplify) it as necessary for your needs.
- Keep end user needs in mind – Understand what business processes will be impacted by your cybersecurity measures, and exactly how they will be impacted by these changes.
Some cybersecurity measures, such as in the Identity and Access Management (IAM) arena, can actually boost employee productivity and make business processes more efficient. Other times this is not the case. Your goal should be to meet your cybersecurity needs with the least possible negative impact. If there are choices to be made, evaluate them from the standpoint of how they will affect the people who must implement these processes.
Remember that for many people, change is difficult. Be sensitive to this, and manage people through the change. Whether your new cybersecurity measures make processes more or less efficient, you should provide training on the new procedures and assistance with change management.
When it comes to end user needs, you should also ensure that your cybersecurity policies don’t become your “business prevention” policies. For example, don’t simply say “no” to any tools that are not already sanctioned by the IT department, or shut down any rogue “shadow IT” installations as soon as you discover them. Business users need to be able to get the tools they need, and your cybersecurity plan needs to provide guidelines for how these tools can be used safely. Consider standing up a steering group of end users who can help guide this process.
- Stay adaptable – In the world of cybersecurity it’s important that you don’t “drive with your eye on the rearview mirror.” While the cybersecurity measures you put in place will generally be based on the experience you’ve had and/or the security breaches that others have experienced, cybersecurity threats are always evolving. Your approach needs to be flexible.
Many organizations make the mistake of rigidly basing all of their cybersecurity efforts on audits and frameworks, only to get tripped up when an attacker comes up with a new methodology that’s not addressed by these audits and frameworks. Security and IT organizations must feel that they can push back on an audit if the results of the audit will be used in a way that excludes this agility. Be ready to show that an audit for yesterday’s threats may not serve your organization today.
- Be prepared for a cybersecurity breach – Build resilience into your cybersecurity system. If all of your cybersecurity measures fail to prevent a security breach, how will you respond? What should IT do? What should management do? What should legal, marketing and any other affected departments do?
Think through the various types of breaches that might occur—such as distributed denial of service (DDoS), ransomware, etc.—and have plans in place to deal with each. For a discussion of how to respond to ransomware attacks, see my colleague’s article on “What’s New & Frightening in the World of Ransomware & Business Continuity Planning.”
Conclusion
If you’re feeling overwhelmed by all of this, consider taking advantage of the various Security as a Service options. For example, CIOPS can handle all of the strategy pieces, and then manage the implementation process. There are other firms that can handle other aspects of your cybersecurity system, such as managing your perimeter security. There are cloud-based systems for managing governance, identity and access management, and more. Depending on your needs, it may be more cost-effective to utilize these options than to grow your own system from scratch.
About Scott S. Smith
Scott is an experienced cybersecurity executive with more than 25 years of technology strategy, management and advisory experience. With an emphasis on driving technology success through effective business stakeholder engagement, he has strong project leadership experience on IT security strategy, governance and transformation projects.
About CIO Professional Services
Based in the San Francisco Bay area, CIO Professional Services LLC is a top-rated Information Technology (IT) consulting firm focused on integrating Business and Information Technology. Our consultants are all hands-on executives who are veteran CIOs and Partners of Big 4 consulting firms. Companies come to us seeking assistance with their information technology strategy as well as for interim or fractional CIO / CTOs, and negotiation and program management/project rescue assistance.