A Quick Self-Assessment to Help Optimize Your Cybersecurity Program
Answer “no” to any of the questions below and a cybersecurity review might be just what you need.
- Do you know what your program is supposed to be protecting?
Many organizations have fantastic defenses in place, but when you dig a little deeper, there is no justification for the spend. When assets are identified with values assigned to them, we can more accurately decide what should be spent to protect those assets.
This is what is meant by a “risk-based program”: we know what is at risk and we know how much it is reasonable to spend to protect it. You’ll often hear “don’t buy a $20 lock to protect a $10 bicycle” as an analogy for risk-based evaluations. If you haven’t done a risk assessment to identify your assets and their value, how do you know how much to spend to protect them?
Risk in general is a topic for another time, but the thing to remember about risk is that it can be accepted, transferred, mitigated (think: managed), or remediated (think: removed). The takeaway here is that there are multiple ways to deal with the risk to an asset.
- Do you have a strategic roadmap aligned with your business objectives?
Once you have identified your assets, it’s time to put together a strategic roadmap. This documents your plan to implement protective measures based on the resources you have at your disposal over a specified timeline.
Each budget cycle, the business identifies priorities, and the savvy cybersecurity leader will find a way to align a portion of their plan to support those priorities or objectives.
An effective method to communicate your plan and gather support is to create a Governance, Risk, and Compliance (GRC) Committee or a Cybersecurity Steering Committee. This brings together your program’s stakeholders and/or partners and provides a platform to keep them informed. You can often avoid pushback on an implementation simply by communicating the need during a committee meeting and getting the support of impacted leaders early in the process.
Finally, do you use metrics to tell your story? If not, you’re missing a big opportunity.
- Do you review your cybersecurity program regularly?
Your cybersecurity program is in place, but how do you know everything is operating as effectively today as it did six months or a year ago? As the business changes, the cybersecurity program should change with it.
The technologies or managed services you put in place need to be checked for effectiveness and relevance on a regular basis. Does a technology you deployed to protect assets from a specific threat still need to be kept up if a newly implemented technology now protects against the same threat? Do you regularly shop your on-premises services to ensure it still makes sense to manage them in-house rather than moving to a managed service? Consider shopping your managed services with other vendors as well, to ensure you’re getting the best value.
Metrics deserve another mention here: they are an excellent way to measure whether your services – on-premises or managed – are doing the job you think they are. Metrics communicate to non-technical stakeholders through numbers and/or graphs.
- Are you adequately prepared to face a constantly changing threatscape?
Have you ever heard the phrase “you don’t know what you don’t know”? Nothing is truer when you’re referring to the ever-changing threatscape we operate in as cybersecurity professionals.
One way to even the playing field is through a commitment to cybersecurity awareness. In regulated industries, cybersecurity awareness is a requirement; in unregulated ones it’s not as cool or sexy as the latest cybersecurity toys. What it lacks in glitter, it makes up for in effectiveness.
An investment in cybersecurity awareness provides returns in multiple forms.
- It applies to the entire organization.
- It’s a cultural shift that empowers a sense of ownership among everyone in the organization.
- A “not on my watch” mentality will quickly develop.
- It applies to the cybersecurity team – training provides not only the initial knowledge, but a teaching and team-building opportunity through information sharing.
- It provides professional development for the leader as well as the team.
Through cybersecurity awareness, organizations learn what is bad and why, rather than simply being told.
If you’re still not sure if you could benefit from a cybersecurity review, contact us and we’ll help you figure it out.