The core elements of a resilient cybersecurity posture


Most organizations rely heavily on technology, making them susceptible to cyber threats and necessitating a resilient cybersecurity plan. But what defines and comprises an effective cybersecurity strategy? Below are seven core elements that can lay the groundwork for a healthy cybersecurity posture.

No. 1: Close alignment between cybersecurity priorities and business outcomes

Businesses want to increase revenue and return value to shareholders, customers and employees. It is important to find an alignment between cybersecurity strategy and business goals without causing conflict or working at cross-purposes with business priorities. A good security strategy will align with corporate direction and is quantifiable in terms of the way it delivers that mission. Everyone in the organization should be aware of the role cyber plays not just in the overall business strategy but also at the individual level, which helps to sustain a culture of security.

No. 2: Focus on crown jewels

The cybersecurity domain is intricate and so noisy with vendor promises that security teams can easily become distracted and confused. The starting point must always be about what needs to be achieved foremost to keep the business solvent. These are the organization’s crown jewels — essential, non-negotiable, and most worthy of safeguarding at any cost. When allocating budgets, security leaders must have complete clarity on what they are protecting, because no organization is in the business of failure.

No. 3: Commitment from top down

Cybersecurity is often delegated to the IT staff; however, it is now evident that security risk extends beyond technology and is, in truth, a business risk. Business leaders and the C-suite should be compelled to provide ongoing guidance and oversight on cybersecurity matters. That is because security is a collective responsibility: all stakeholders have an obligation to defend the organization from data leaks and cyberattacks. Leadership must bring employees together under a common cause, set the tone, foster discussion, and shape the culture.

No. 4: Where security is not an afterthought

In many organizations, security tends to be considered an afterthought. As a result, it ends up being retrofitted into product designs and processes at the last minute, leaving them vulnerable to exploitation. Early involvement of security priorities in project discussions will result in more secure processes and improved posture. It can also help to align cybersecurity more closely to business goals.

No. 5: Keep a watchful eye on KPIs

A basic component of any successful cybersecurity strategy is the ability to quantify, monitor, and report on the progress of cybersecurity controls and initiatives and their impact on the organization’s culture and security position. Establishing, tracking, and reporting key performance indicators allows organizations to identify security gaps, empowers teams to make more data-driven decisions, and relays crucial information to leadership, which in turn helps persuade the board to provide additional resources for future security programs.

No. 6: Regular reviews of defenses, policies and regulations

Technology continues to evolve, threat vectors continue to multiply, and cybersecurity compliance laws continue to grow more cumbersome and stringent. Organizations must audit and test their defenses in line with the changing landscape; they must review their security policies and procedures at least every 12 months, keeping close tabs on what regulators and legislators are proposing. For these reasons alone it is advisable to seek third-party expertise to routinely conduct tabletop exercises and a comprehensive review (beyond standard check-box questionnaires) of security policies and procedures — from the board level down to business leaders, to employees and those responsible for security implementation.

No. 7: Attention to resilience, not only defense

While it is necessary to have a sound defense, it does not mean that organizations should overly fixate on threats. They must also conquer this notion of resilience: how quickly can the business respond to and recover from an incident? In case networked systems go offline, how does the business ensure continuity? How long before lost data is fully recovered? None of these are easily solvable questions. Organizations should be testing and preparing for these contingencies.

Cybersecurity strategy is an ongoing journey that requires alignment with business goals and consistent review of vulnerabilities, controls, policies, and regulations. It also requires steady work on resilience and involvement from leadership. Cyber incidents happen unexpectedly, making preparedness preferable to reactionary measures following a crisis.

Steve Durbin is chief executive of the Information Security Forum, an independent association dedicated to investigating, clarifying, and resolving key issues in information security and risk management by developing best practice methodologies, processes, and solutions that meet the business needs of its members. ISF membership comprises the Fortune 500 and Forbes 2000. Find out more at www.securityforum.org.
