With the ongoing shortage of cyber security professionals, more IT professionals are finding themselves assuming responsibility for their organization's cyber security program. The landscape is even harder to navigate given the many information security standards and regulations that industries must follow. For professionals at large and small businesses alike, keeping up with all the different controls within these standards can be difficult.
If you are new to cyber security, and overwhelmed by where to focus, here are a few tips to consider before you start.
1. Choose a Framework Over a Compliance Checklist
Many organizations are still focused on beefing up their security mainly to meet compliance requirements. Trust me, nobody wants to fail an audit. But a compliance checklist only describes a minimum, and a program built around it tends to cover exactly what the auditor asks about and nothing else. How can you best avoid an audit failure? Go beyond a simple checklist and develop a well-rounded, comprehensive security program based on a framework that helps you select and implement appropriate controls for your actual risks; the compliance requirements can then be mapped onto that program rather than driving it.
There are plenty of framework comparison reference materials available online to help you understand the commonalities and differences between NIST, ISO, CIS, COBIT, and other programs. According to NIST, its Cybersecurity Framework (CSF) has been adopted by about 30 percent of U.S. companies in the three years since its release, and that number could reach 50 percent by 2020. Keep in mind, you aren't going to find a plug-and-play or off-the-shelf cyber security program. You need to roll up your sleeves and develop a program that suits the particular needs of your organization.
2. Network with Industry Peers
When it comes to developing a program, you shouldn't be on an island. Your peers and industry colleagues can be your greatest resource. Networking is critical. If you are new to cyber security, consider joining regional chapters affiliated with (ISC)², ISACA, InfraGard, and ISSA.
These professional organizations will give you plenty of opportunities to discuss shared challenges and best practices, and to get feedback on ideas. They also offer plenty of educational resources (webinars, training courses, symposiums, conferences) to get up to speed on cyber security program development. Many of these resources are free.
3. Collaborate with Other Departments to Document Policies and Procedures
Oftentimes, cyber security policies, procedures, and plans are written by a single person and then put aside on a shelf. Meeting compliance requirements can turn into an exercise in ticking check boxes, especially if you adopt a security framework without weaving in the specific security controls, owners, and procedures that make each requirement real in your environment.
It’s important to get other business and technology leaders across departments involved in cyber policy creation. They’ll add a broader perspective that covers the necessary compliance requirements, business risk mitigation, and organizational culture factors that affect the entire company.
4. Assign Responsibilities and Hold Everyone Accountable
Cyber security is not any one person's job, even if you are the only person with "cyber security" in your title or job description. It is in the organization's best interest to identify responsibilities and accountabilities for the various aspects of the cyber security program across the organization. Once you have identified them, it's equally important to have an actionable follow-up process to verify that everyone is actually performing their respective tasks, rather than assuming that assigning a task means it is being done.
It’s easier to hold other individuals accountable when key leaders and decision-makers provide their buy-in on the cyber security program. They need to be involved and engaged in the program analysis and development process and hold themselves accountable as well.
5. Measure Program Metrics and Share Results
You will find that, unlike other areas of IT, it's often hard to show ROI for the resources a cyber security program needs. It's not like putting together a business case for buying hardware or software. You will have to identify measurements for as many aspects of the program as you can and share that information with stakeholders on a regular basis.
In addition, the metrics you share with business leaders should be framed so they understand that building a cyber security program isn't a cure-all for preventing attacks. Attacks will happen; how quickly you detect and contain them is the measuring stick. As Alex Blau wrote in Harvard Business Review, "Having the wrong mental model about what a cyber security program is supposed to do can be the difference between a thwarted attack and a significant breach."
Implementing a cyber security program is a challenging process, but if you follow these tips you can reduce some of the uncertainty while prioritizing the policies, procedures, and controls that matter most to your industry and organization.
Are you struggling to build a program? Check out our advisory services and learn more about our program development solutions.