The ABC’s of an Effective Cybersecurity Program
Eight years ago, when I joined LMG Security, few people outside of IT staff were familiar with the term “cybersecurity”, and even fewer people were concerned about creating a strong cybersecurity program. Some executives and staff members were familiar with the term “information security”, but even then, most viewed it as an “IT problem”, and executives did not give it further thought.
Today, through the proliferation of ransomware, cyber extortion, business email compromise, and the like, executives and non-IT staff alike are beginning to understand that cybersecurity is everyone’s responsibility and concern. Many organizations now realize that cybersecurity risk is business risk, and that they must build and maintain a strong cybersecurity program or risk losing everything. With today’s evolving threats, creating an effective cybersecurity program can seem like a monumental task, so let’s break it down and get back to the basics.
A Checklist for Building an Effective Cybersecurity Program Using the ABCs
Whether your organization is just starting to build a program, or you have a program but want to ensure that you are covering all of your bases, the following “ABCs of an Effective Cybersecurity Program” checklist is for you. Start with these steps:
- Assign Roles and Responsibilities. Ultimately, people are the ones who design, build, and implement your cybersecurity program. The best hardware and software tools in the business still cannot protect your organization on their own. People are required to monitor, interpret, and act on intel. Ensure that you have an experienced cybersecurity professional leading your program, and budget for appropriate staffing at all levels. If you don’t feel that you have the need or budget for a full-time person with a particular set of skills, outsource as needed to ensure that you have qualified and trained personnel responsible for each component of your cybersecurity program.
- Build Your Cybersecurity Program. Every organization should have a formal, written cybersecurity program that is designed to comply with relevant laws, regulations, and other obligations. It doesn’t have to be fancy, but it must be usable. You can start with a spreadsheet that identifies the laws, regulations, and obligations that apply to your organization. If you are not sure what those are, go back to “Assign Roles and Responsibilities”. You may need to delegate that part of your cybersecurity program to internal or external legal counsel. Don’t forget to clearly document WHAT you are trying to protect, in broad terms. Is it the organization’s intellectual property, is it people – like employees or customers – or is it the infrastructure in general? Ensure that everyone is clear on the overall goal. You can get more detailed information in our blog, 5 Rules to Live By for Strong Cybersecurity Policy Development. The program should be reviewed and updated at least annually, or more frequently as needed.
- Choose and Use a Cybersecurity Controls Framework. Use a reputable cybersecurity controls framework as the foundation for your cybersecurity program, such as the NIST Cybersecurity Framework or ISO 27001. If you are not sure where to start, or which best fits your organization, ask for help from qualified compliance specialists. You can also start by reading this Beginner’s Guide to the NIST Cybersecurity Framework. Once you’ve chosen a framework, you can customize it as needed for your organization.
- Develop Your Risk Management Plan. When you completed “Build Your Cybersecurity Program”, you identified an overall goal. Dig deeper on that goal. What specifically are you protecting? Then ask what the threats to those items are, and how you can effectively reduce the risk to them. Create, implement, and maintain a plan for prioritizing and addressing cybersecurity risks. Make sure to prioritize security technologies that will effectively reduce risk, and start with the low-hanging fruit. For example, if you are not currently using multifactor authentication throughout the organization, implementing it may drastically reduce risk across a large area. Update this plan as often as practical, and engage someone to assess your risk annually. You can read this blog for tips on how to measure cybersecurity risk. Don’t forget to proactively include supplier risks. If a supplier faces an incident, what are the ramifications to you, and how can you reduce your risk of harm?
- Engage in Training and Awareness. Training everyone in your organization to be a first line of defense against cyberattacks is crucial to a successful cybersecurity program. Routinely communicate cybersecurity policies, procedures, and threat updates to stakeholders, including IT staff, security team members, legal counsel, general employees, and the leadership team. Popular formats include on-demand training platforms, live webinars, and campaigns such as Lunch and Learns, posters, and regular emails – all of these can help create a culture of cybersecurity awareness. Read this blog for more details. Don’t forget to account for specialized training that might be required for your cybersecurity, executive, and IT teams.
- Fund Your Cybersecurity Program. Funding is important! No cybersecurity program can address every risk. Make sure to prioritize investments in cybersecurity so that they are aligned with risk. Let the work you have done in the previous steps drive your investment decisions. Funding is not just for hardware and software. It may include allocating budget for human resources, services, monitoring, education, and more. We recommend having a long-term plan to grow your cybersecurity maturity each year and prioritizing the expenses over time. Read this blog on planning cybersecurity maturity gains for more details.
- Get Cyber Insurance. Select cyber insurance coverage based on the anticipated residual risks to ensure that appropriate risks are transferred. Coverage should be aligned with your leadership’s risk appetite. Maximize the value of your policy by ensuring you fulfill all the requirements and integrate it into your incident response programs. Make sure that you clearly understand what the policy covers. Does it cover the cost of ransom payments? Insider threat? What about losses incurred due to outages during an incident? Once you have a policy, make sure that the appropriate people know how to activate it and file a claim in the event that it is needed. Watch this short video for updates on cybersecurity insurance trends.
Creating a strong cybersecurity program may seem overwhelming at first, but just like eating an elephant (I never understood that – do people actually try to eat elephants?), tackling it one bite, or in this case one step, at a time will provide your organization with a long-term, sustainable program ready to meet the changes and challenges to come.
If you need help designing a cybersecurity plan or with training, or technical controls implementations, contact our experienced team. We are ready to help!