Cybersecurity Strategy- Do You Have One?
Do you have a security strategy? I don’t mean locks and guards, I am asking if you have a cyber security strategy. Until recently there has been no shortage of frameworks for best cybersecurity practice and more regulations than most organizations know what to do with. But even with all of that, there have been minimal requirements to have a security program and even less enforcement on the issue.
That is, until now. The New York Department of Financial Services (DFS) has established their Cyber Security Requirements for Financial Companies (23 NYCRR 500 ). The new DFS regulation holds an institution’s senior leadership accountable by requiring an annual compliance certificate signed by a senior officer or board member. This is the first state legislation of its kind and I am sure with all the breaches we continue to see that it will not be the last, whether or not you live in New York.
One of the big differentiators in 23 NYCRR is the requirement for covered entities to develop a Cybersecurity Program. Other regulations require risk assessments and information security policies, but I am not familiar with any that have specifically require a cybersecurity program.
You can think of your cybersecurity program as your security strategy, which is important for the same reasons a business plan, a map, or an architectural blueprint is important. Without any of these you don’t know where you are going or how you are going to get there.
I’m here to let you in on a little secret. It’s not that a security strategy is difficult to create, it’s just that you, the organizational executive has never had to create one before. Everyone you talk to about cyber keeps throwing acronyms and technical terms around that you don’t understand and that has kept you largely at arms length from this topic. Because I don’t think you should be responsible for becoming a security expert I want to break down the mystery of a security strategy so that you can see it is doable and necessary.
Policies and Procedures
It all starts with policies and procedures. You already have these for so many areas of your business, it’s a matter of adding those applicable to security and then training your employees and continuing to make them aware. ComputerWeekly reported that a recent survey conducted at Black Hat Security Conference in Las Vegas revealed that 84% of respondents whose company has suffered a cyber attack attribute it, at least in part, to human error. Policies and procedures could have helped stop a large number of those. Sometimes people just don’t know what to do and with a lack of guidance will do what they think is best.
Risk Assessment
You have to know what your risks are to know what to protect and how to protect it and you do this through a risk assessment. This is required in every best practice framework and regulation I have ever seen.
A risk assessment asks a lot of questions to identify risks, severity, and likelihood. Questions like: What sensitive data do we have, How is the data transmitted and stored? What systems are used to host the data,? How are those systems accessible inside and outside your network? Do those systems have all critical security patches applied? Who are your third parties that access your data? How well are you employees and vendors trained? Who are your adversaries?
Most of this can be assessed through interviews with the people who interact with the data or manage your systems and through automated tools like vulnerability scanners. There is also a professional service called penetration testing where ethical hackers mimic what malicious hackers would do so that you truly understand your security posture and risks from the outside and inside of your network.
Risk Management
Prioritize prioritize prioritize, this will become your new mantra. Once you have completed your risk assessment you will be left with a list of low, medium, high, and critical items to remediate and manage. That can be overwhelming and you can’t fix it all at once so don’t try; the answer is the same whether you are trying to remediate your vulnerabilities or eat an elephant – one bite at a time. It’s a matter of understanding what the highest risks are, the easiest to fix first and those that are less important or more long term to solve for. This is where your security team and security executive is there to help. If you don’t have this team or person in place to run security then you bring in a third party to help with remediation and retesting.
Food for thought – The same ComputerWorld article said “Nearly 55% of more than 130 attendees of the 2017 Black Hat security conference in Las Vegas admitted their organizations had been hit by cyber attacks.” The reason I say that is very common to hear “it won’t happen to me.” Risk management is how you help ensure that it won’t happen to you.
Continuous Monitoring
Continuous monitoring, regular control testing, and at least annual risk assessments is how you keep this going. It is not a one and done project. This becomes an operational part of your business just like keeping the lights on. Whether it’s your internal team or third party consultants that help you achieve this, it must become part of your daily culture of security.
This includes implementing and maintaining technologies that can prevent a cybersecurity event and the processes and technologies for detecting cybersecurity events, responding to events and mitigating risks, and recovery from events.
If you are still wondering “how will I accomplish all this?”, don’t worry I understand that is a real question and concern. In my next article in this series I will discuss resources with you and the how you will do this. I want to make this as simple as possible because your organization, people, and customers need to be protected from malicious individuals and from costly errors. Please note I said simple, not easy; with the right people creating the strategy is simple, but it will take time and resources along with a culture of security to make it happen.
***
If you don’t want to wait for the next article email sharon@c-suiteresults.com to start discussing the resource or strategy questions you have now. Sharon provides virtual Chief Information Security Officer (vCISO) services, consults with clients on security strategies, writes policies, and helps organizations of all sizes become and maintain secure and compliant.
You are a successful CEO, passionate about the continued growth and health of your organization.
Because you are responsible for the strategy and success of your organization you are losing sleep over the continual reports of security breaches, stolen data, and ransomware. It appears that no one is safe anymore.
But all the terminology and acronyms (i.e., cloud, IoT, BOD, APT, IAM, IDS, Pen Test, malware, ransomware, identity access management, patch management, change management...not to mention all the compliance regulations) is overwhelming. And that makes sense because security is not in your wheelhouse, but it’s in mine! And I can help you!
WHAT I DO
As a 12-year veteran of the information security, audit, and compliance industry, I understand the technology your organization works with and the challenges you face.
I translate cyber security into business terms for executives who want to implement security but don’t know how. I help create the proper internal messaging, education, and shape the organizational culture needed for sustainable success in security.
Too many people believe that security is an IT problem and and that simply throwing budget at the IT department equals security. Instead, I help you paint a full picture of your security posture, the risks associated with it, and the most effective strategy to help close the gaps.
Security is not insurance - it is force protection (think of the armed guards in front of a military base). Isn’t it time for you to put the proper protection in place for the long term health of your organization?
WHAT MAKES ME DIFFERENT
It is rare to find someone with a background that includes in-depth information security knowledge and hands-on experience who has a business degree, and is a Certified Coach. This mix of education and experience equips me to best serve you in creating a long term sustainable security culture.
NEXT STEPS
Email me at sharon@c-suiteresults.com or message me via LinkedIn https://www.linkedin.com/in/smithsharonj/|You are a successful CEO, passionate about the continued growth and health of your organization.
Because you are responsible for the strategy and success of your organization you are losing sleep over the continual reports of security breaches, stolen data, and ransomware. It appears that no one is safe anymore.
But all the terminology and acronyms (i.e., cloud, IoT, BOD, APT, IAM, IDS, Pen Test, malware, ransomware, identity access management, patch management, change management...not to mention all the compliance regulations) is overwhelming. And that makes sense because security is not in your wheelhouse, but it’s in mine! And I can help you!
WHAT I DO
As a 12-year veteran of the information security, audit, and compliance industry, I understand the technology your organization works with and the challenges you face.
I translate cyber security into business terms for executives who want to implement security but don’t know how. I help create the proper internal messaging, education, and shape the organizational culture needed for sustainable success in security.
Too many people believe that security is an IT problem and and that simply throwing budget at the IT department equals security. Instead, I help you paint a full picture of your security posture, the risks associated with it, and the most effective strategy to help close the gaps.
Security is not insurance - it is force protection (think of the armed guards in front of a military base). Isn’t it time for you to put the proper protection in place for the long term health of your organization?
WHAT MAKES ME DIFFERENT
It is rare to find someone with a background that includes in-depth information security knowledge and hands-on experience who has a business degree, and is a Certified Coach. This mix of education and experience equips me to best serve you in creating a long term sustainable security culture.
NEXT STEPS
Email me at sharon@c-suiteresults.com or message me via LinkedIn https://www.linkedin.com/in/smithsharonj/|You are a successful CEO, passionate about the continued growth and health of your organization.
Because you are responsible for the strategy and success of your organization you are losing sleep over the continual reports of security breaches, stolen data, and ransomware. It appears that no one is safe anymore.
But all the terminology and acronyms (i.e., cloud, IoT, BOD, APT, IAM, IDS, Pen Test, malware, ransomware, identity access management, patch management, change management...not to mention all the compliance regulations) is overwhelming. And that makes sense because security is not in your wheelhouse, but it’s in mine! And I can help you!
WHAT I DO
As a 12-year veteran of the information security, audit, and compliance industry, I understand the technology your organization works with and the challenges you face.
I translate cyber security into business terms for executives who want to implement security but don’t know how. I help create the proper internal messaging, education, and shape the organizational culture needed for sustainable success in security.
Too many people believe that security is an IT problem and and that simply throwing budget at the IT department equals security. Instead, I help you paint a full picture of your security posture, the risks associated with it, and the most effective strategy to help close the gaps.
Security is not insurance - it is force protection (think of the armed guards in front of a military base). Isn’t it time for you to put the proper protection in place for the long term health of your organization?
WHAT MAKES ME DIFFERENT
It is rare to find someone with a background that includes in-depth information security knowledge and hands-on experience who has a business degree, and is a Certified Coach. This mix of education and experience equips me to best serve you in creating a long term sustainable security culture.
NEXT STEPS
Email me at sharon@c-suiteresults.com or message me via LinkedIn https://www.linkedin.com/in/smithsharonj/
Because you are responsible for the strategy and success of your organization you are losing sleep over the continual reports of security breaches, stolen data, and ransomware. It appears that no one is safe anymore.
But all the terminology and acronyms (i.e., cloud, IoT, BOD, APT, IAM, IDS, Pen Test, malware, ransomware, identity access management, patch management, change management...not to mention all the compliance regulations) is overwhelming. And that makes sense because security is not in your wheelhouse, but it’s in mine! And I can help you!
WHAT I DO
As a 12-year veteran of the information security, audit, and compliance industry, I understand the technology your organization works with and the challenges you face.
I translate cyber security into business terms for executives who want to implement security but don’t know how. I help create the proper internal messaging, education, and shape the organizational culture needed for sustainable success in security.
Too many people believe that security is an IT problem and and that simply throwing budget at the IT department equals security. Instead, I help you paint a full picture of your security posture, the risks associated with it, and the most effective strategy to help close the gaps.
Security is not insurance - it is force protection (think of the armed guards in front of a military base). Isn’t it time for you to put the proper protection in place for the long term health of your organization?
WHAT MAKES ME DIFFERENT
It is rare to find someone with a background that includes in-depth information security knowledge and hands-on experience who has a business degree, and is a Certified Coach. This mix of education and experience equips me to best serve you in creating a long term sustainable security culture.
NEXT STEPS
Email me at sharon@c-suiteresults.com or message me via LinkedIn https://www.linkedin.com/in/smithsharonj/|You are a successful CEO, passionate about the continued growth and health of your organization.
Because you are responsible for the strategy and success of your organization you are losing sleep over the continual reports of security breaches, stolen data, and ransomware. It appears that no one is safe anymore.
But all the terminology and acronyms (i.e., cloud, IoT, BOD, APT, IAM, IDS, Pen Test, malware, ransomware, identity access management, patch management, change management...not to mention all the compliance regulations) is overwhelming. And that makes sense because security is not in your wheelhouse, but it’s in mine! And I can help you!
WHAT I DO
As a 12-year veteran of the information security, audit, and compliance industry, I understand the technology your organization works with and the challenges you face.
I translate cyber security into business terms for executives who want to implement security but don’t know how. I help create the proper internal messaging, education, and shape the organizational culture needed for sustainable success in security.
Too many people believe that security is an IT problem and and that simply throwing budget at the IT department equals security. Instead, I help you paint a full picture of your security posture, the risks associated with it, and the most effective strategy to help close the gaps.
Security is not insurance - it is force protection (think of the armed guards in front of a military base). Isn’t it time for you to put the proper protection in place for the long term health of your organization?
WHAT MAKES ME DIFFERENT
It is rare to find someone with a background that includes in-depth information security knowledge and hands-on experience who has a business degree, and is a Certified Coach. This mix of education and experience equips me to best serve you in creating a long term sustainable security culture.
NEXT STEPS
Email me at sharon@c-suiteresults.com or message me via LinkedIn https://www.linkedin.com/in/smithsharonj/|You are a successful CEO, passionate about the continued growth and health of your organization.
Because you are responsible for the strategy and success of your organization you are losing sleep over the continual reports of security breaches, stolen data, and ransomware. It appears that no one is safe anymore.
But all the terminology and acronyms (i.e., cloud, IoT, BOD, APT, IAM, IDS, Pen Test, malware, ransomware, identity access management, patch management, change management...not to mention all the compliance regulations) is overwhelming. And that makes sense because security is not in your wheelhouse, but it’s in mine! And I can help you!
WHAT I DO
As a 12-year veteran of the information security, audit, and compliance industry, I understand the technology your organization works with and the challenges you face.
I translate cyber security into business terms for executives who want to implement security but don’t know how. I help create the proper internal messaging, education, and shape the organizational culture needed for sustainable success in security.
Too many people believe that security is an IT problem and and that simply throwing budget at the IT department equals security. Instead, I help you paint a full picture of your security posture, the risks associated with it, and the most effective strategy to help close the gaps.
Security is not insurance - it is force protection (think of the armed guards in front of a military base). Isn’t it time for you to put the proper protection in place for the long term health of your organization?
WHAT MAKES ME DIFFERENT
It is rare to find someone with a background that includes in-depth information security knowledge and hands-on experience who has a business degree, and is a Certified Coach. This mix of education and experience equips me to best serve you in creating a long term sustainable security culture.
NEXT STEPS
Email me at sharon@c-suiteresults.com or message me via LinkedIn https://www.linkedin.com/in/smithsharonj/
Latest posts by Sharon Smith (see all)
- Using the Golden Rule to be a Better Leader - July 2, 2018
- Arming the Cyber Defender – Your Employees - May 8, 2018
- The Secret to Hiring Cybersecurity Professionals - May 3, 2018
