With the ongoing cyber security skills shortage, a growing number of information technology (IT) professionals are being asked to take on new responsibilities for their organization’s cyber security program. Estimates show the number of unfilled cyber security positions worldwide could grow to 4 million by 2021, which will only make the problem worse.
Even with the severe economic downturn from the COVID-19 pandemic, there’s still a high demand for people with solid cyber security skills. New research from ISSA indicates that COVID-19 has forced cyber security professionals to change their priorities and take on new initiatives. Cyber security professionals have also seen a spike in attempted cyberattacks related to the pandemic. In response to the increasing volume of attacks, many organizations are ramping up threat intelligence analysis and fine-tuning security controls, which requires security expertise that many companies don’t have.
Finally, given the many information security standards and regulations that industries must follow, like the Health Insurance Portability and Accountability Act (HIPAA), the cyber security landscape has become even more challenging to navigate. For large and small organizations alike, keeping up with all the different controls within these standards can be difficult.
If you’re new to cyber security and want to implement a program, but aren’t sure where to focus your efforts, here are five tips to consider before you start.
1. Choose a Framework Over a Compliance Checklist
Many organizations are still heavily focused on beefing up their security to meet compliance requirements. Trust me, nobody wants to fail an audit. How can you best avoid an audit failure? Go beyond a simple checklist and develop a well-rounded, comprehensive security program based on a framework that helps you implement appropriate control measures.
There are plenty of framework comparison reference materials available to help you understand the commonalities and differences between programs. Some examples are the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), and alternative frameworks from ISACA, the International Organization for Standardization (ISO), and the Center for Internet Security (CIS). According to NIST, the CSF has been downloaded over half a million times since it was first published in 2014. The CSF became mandatory for government agencies in 2017 but is voluntary for private companies.
It’s important, though, to keep in mind that you aren’t going to find a “plug and play” or “off-the-shelf” cyber security program. You need to roll up your sleeves and develop a program that suits the particular needs of your organization.
2. Network with Industry Peers
When it comes to developing a program, you shouldn’t be on an island. Your peers and industry colleagues can be your greatest resource. Networking is critical. If you are new to cyber security, consider joining regional networking groups like BSides, or professional groups like the International Information System Security Certification Consortium ((ISC)²), ISACA, InfraGard, and the Information Systems Security Association (ISSA).
These professional organizations will give you plenty of opportunities to discuss shared challenges and best practices and to get feedback on ideas. They also offer plenty of educational resources (webinars, training courses, symposiums, conferences) to get up to speed on cyber security program development. Many of these resources are free.
3. Collaborate with Other Departments to Document Policies and Procedures
Oftentimes, cyber security policies, procedures, and plans are written by a single person or a small team and then left on a shelf. Meeting compliance requirements can turn into a box-checking exercise, especially if you adopt a security framework without weaving in the specific security controls it calls for.
It’s important to get other business and technology leaders across departments involved in cyber security policy creation. They’ll add a broader perspective that covers the necessary compliance requirements, business risk mitigation, and organizational culture factors that affect the entire company.
4. Assign Responsibilities and Hold Everyone Accountable
Cyber security is not any one person’s job – even if you are the only person with “cyber security” in your title or job description. It’s in the organization’s best interest to identify responsibilities and accountabilities for various aspects of the cyber security program across the entire organization, no matter how large or small it is. Once you identify these responsibilities and accountabilities, it’s equally important that you have an actionable follow-up process to ensure that everyone is performing their respective tasks.
Additionally, it’s easier to hold other individuals accountable when key leaders and decision-makers provide their buy-in on the cyber security program. They need to be involved and engaged in the program analysis and development process and hold themselves accountable as well.
5. Measure Program Metrics and Share Results
You’ll find that, unlike other areas of IT, it’s often hard to show ROI for the resources a cyber security program needs. It’s not like putting together a business case for buying hardware or software. You’ll have to identify measurements for as many aspects of the program as you can and share that information with stakeholders frequently.
In addition, the types of metrics you share with business leaders should be reframed so they understand that building a cyber security program isn’t a cure-all for preventing attacks. Attacks will happen, but the ability to quickly contain those attacks is the measuring stick. As Alex Blau from Harvard Business Review stated, “Having the wrong mental model about what a cyber security program is supposed to do can be the difference between a thwarted attack and a significant breach.”
Given that the average total cost of a data breach clocks in at around $3.92 million, this is something you can’t afford to ignore.
Summary
Implementing a cyber security program is a challenging process, but if you follow these tips, you can cut down on some of the uncertainty. This can help you when you’re trying to prioritize the policies, procedures, and controls that are most critical to your industry and organization. If you’re struggling to find the in-house resources to develop a strategy or manage the day-to-day complexity of juggling your cloud, network, and endpoint security, consider a third-party consulting or managed security services provider (MSSP) that can help you share the burden and ease the load.