As we noted in a recent blog post, “The Smarter Way to Think About Cybersecurity,” many organizations subscribe to the myth that cybersecurity is a technical problem for which there should be a technical solution. This mindset is problematic because it drives companies to try to buy their way into being cyber secure. Companies search diligently for a simple solution and end up spending a lot of money on various platforms and products, none of which quite seem to fully address the real issue. This approach simply doesn’t work. What they often don’t realize is that the fundamental cybersecurity problems we face today stem from non-technical sources, such as human psychology, economic incentives, and time constraints.
To dismantle this myth, organizations must adopt a holistic, long-term risk management approach to cybersecurity. Companies must implement an integrated set of technologies, business practices, and policies that address all aspects of cybersecurity: technical, economic, psychological, and business operations. There are multiple facets to making this mindset shift. Some involve internal organizational changes, while others focus on external actions. Here we explore the five steps organizations can take to substantially drive down their internal cybersecurity risks to a more manageable level.
Step 1: Make Cybersecurity a Priority in the C-Suite
Cybersecurity needs to become a priority for the C-level executives in every organization. Executives should discuss it regularly at senior management meetings or board meetings, and they should incorporate cybersecurity as a standard topic for review and discussion in order to create accountability. Organizations that focus on cybersecurity as a management priority can improve their performance, even if they do not make other investments in terms of technology. Leadership can further make cybersecurity top-of-mind by incorporating cyber risk management into the company’s overall strategic initiatives.
Step 2: Communicate Cybersecurity Goals
Once leadership has adopted the risk management mindset, they need to communicate cybersecurity goals and expectations across the organization and create a structure to foster clear communication between and across different parts of the organization. For instance, the business side needs to understand a company’s cybersecurity priorities, while its network defenders need to understand business priorities. Finally, executives need to make sure that the workforce understands the specific cybersecurity steps the company is taking to improve its cybersecurity “hygiene” (i.e., a growing awareness of phishing and proper password management with regular emails, meetings, or other discussions).
Step 3: Adopt a Risk Management Framework
No company would go into a new business deal or try to reduce their litigation risk without a strategy for achieving those goals, yet many don’t adopt a strategy for managing cyber risk. Fortunately, these strategies don’t need to be created from scratch. There are many resources, including the NIST Cybersecurity Framework, one of the most effective in my opinion, particularly because it’s an executive-level guide for how to think about an organization’s cybersecurity, rather than a highly technical handbook. Companies should select the framework that works best for their organization and then adopt it throughout.
Step 4: Develop Performance Metrics and Hold People Accountable
Although really good performance metrics for cybersecurity are hard to come by, there are some basic ones that can help companies track their progress against measurable goals. Some examples include the CIS Benchmarks produced by the Center for Internet Security. The SANS Institute also has strong papers on this topic. The goal here is to measure and improve over time. These metrics can also be used to define an acceptable level of cybersecurity risk and mitigate unacceptable risks as needed.
Step 5: Increase Resiliency with an Incident Response Plan
The hard truth about cybersecurity is that it’s virtually impossible to protect all of your data all of the time. Organizations should have a plan for when breaches or other incidents do occur. By doing so, they can dramatically reduce the impact that an incident can have on the organization. While organizations will have different plans based on their unique circumstances, processes, and priorities, incident response plans should incorporate, at a minimum, these attributes:
- Encompass all aspects of incident response, not just the technical elements, including workforce communication, media, legal/oversight, and other relevant activities;
- Identify who has responsibility for which activities during an incident;
- Outline the steps you will take in each of these areas when a cyber incident occurs: whom you will call (e.g., your executives, government officials, legal counsel, etc.), how you will communicate what happened to other organizations, and how you will handle public relations;
- Identify the conditions under which the organization will seek outside incident response assistance;
- Lay out the steps for rapid recovery when a breach occurs; and
- Call for regular, offline backups of data.
Most importantly, once this plan is developed, it must be exercised and practiced regularly so that all members of an organization know what to do and when to do it, from the network defenders all the way up to the C-suite. Making this process second nature will greatly improve your response to a cyber incident, thereby increasing your overall resiliency.
Combine an Internal Risk Management Mindset with Outside Assistance
Cybersecurity risk management can appear intimidating, difficult and complicated, which is why many companies are tempted to outsource the process entirely. Bringing in outside expertise makes sense for certain aspects of your cybersecurity and, of course, there is a plethora of cybersecurity vendors who provide tools that are instrumental in preventing security breaches (and we’ll outline best practices for assessing external expertise in an upcoming blog post). However, these vendors cannot secure every aspect of an organization’s infrastructure. There are many practices that an organization must undertake itself because only the internal teams understand the ins and outs of how these systems work for the business. Outsourcing can be part of the toolkit, but it shouldn’t be a company’s entire security strategy.
These five steps are not technically complicated, nor do they require deep cyber expertise. Almost any organization can take these steps to improve their cybersecurity, and if more companies did so, the level of cybersecurity across the entire digital ecosystem would improve significantly. But these steps are not the end-all — once an organization has its internal house in order, it needs to consider how to interact with the broader world. That topic will be the subject of my next blog post.