Do you know what your program is supposed to be protecting?
Many organizations have fantastic defenses in place, but when you dig a little deeper there is no justification for the spend. When assets are identified and values are assigned to them, we can more accurately decide what should be spent to protect those assets. This is what is meant by a risk-based program: we know what is at risk and we know how much it is reasonable to spend to protect it. Oftentimes you’ll hear “don’t buy a $20 lock to protect a $10 bicycle” as an analogy for risk-based evaluations. If you haven’t done a risk assessment to identify assets and their value, how do you know how much to spend to protect them?
Risk, in general, is a topic for another time, but the thing to remember about risk is that it can be accepted, transferred, mitigated (think managed), or remediated (think removed). The takeaway here is that there are multiple ways to deal with the risk to an asset.
Do you have a strategic roadmap aligned with business objectives?
Once you have identified your assets, it’s time to put together a strategic roadmap. This documents your plan to implement protective measures based on the resources you have at your disposal over a specified timeline. Each budget cycle, the business identifies priorities, and the savvy Cybersecurity leader will find a way to align a portion of his or her plan to support those priorities or objectives. An effective method for communicating your plan and gathering support is to create a GRC (governance, risk, and compliance) Committee or a Cybersecurity Steering Committee. This brings together your program stakeholders and/or partners and provides a platform to keep them informed. You can often avoid pushback on implementation by simply communicating the need during a committee meeting and getting the support of impacted leaders early on. Finally, do you use metrics to tell your story? If not, you’re missing a big opportunity.
Do you review your Cybersecurity program regularly?
Your Cybersecurity Program is in place, but how do you know everything is as effective today as it was six months or a year ago? As the business changes, the Cybersecurity program needs to change with it. The technologies or managed services you put in place need to be checked for effectiveness and relevance on a regular basis. Does a technology you put in place to protect assets from a specific threat still need to be kept up if your Endpoint Protection suite now protects against that same threat?
Do you regularly shop your on-premises services to ensure it still makes sense to manage them in house rather than moving to a managed service? Consider shopping your managed services with other vendors as well, to ensure you’re getting the best value. I’ll mention metrics again: they are an excellent way to measure whether your services, on-premises or managed, are doing the job you think they are. Metrics can communicate to non-technical audiences through numbers and/or graphs.
Are you adequately prepared to face a constantly changing threatscape?
Ever heard the phrase “you don’t know what you don’t know”? Nothing is truer when you’re referring to the ever-changing threatscapes we deal with as Cybersecurity professionals. One way to even the playing field is through a commitment to Cybersecurity Awareness. In regulated industries, Cybersecurity Awareness is a requirement, but in unregulated areas it’s not as cool or sexy as the latest Cybersecurity toys. What it lacks in glitter, it makes up for in effectiveness. An investment in Cybersecurity Awareness provides returns in multiple forms. Cybersecurity Awareness applies to the entire organization. It’s a cultural shift that gives everyone in the organization a sense of ownership, and a kind of “not on my watch” mentality will develop. Cybersecurity Awareness also applies to the Cybersecurity team. Training provides not only the initial knowledge but also a teaching and team-building opportunity through knowledge sharing. Finally, Cybersecurity Awareness can provide professional development for not only the leader but the team. Through Cybersecurity Awareness, organizations learn what is bad and why, rather than simply being told.
If you’re still not sure if you could benefit from a Cybersecurity Review, contact us and we’ll help you figure it out.
Contact Cushnoc Resiliency Advisors at info.cushnocra.com or 207.465.6002