How to start up a cybersecurity program

Cybersecurity is rapidly becoming one of the most important business risks for management to consider. Ransomware, customer data privacy, and monitoring third-party suppliers are only a few of the things to manage and prioritize at executive level. But adding cyber to management's responsibilities often creates a lot of uncertainty, the biggest question being: where do we start?

Here’s our advice on the first steps in setting up a systematic cybersecurity program under management control:

Get to know your current situation

This seems obvious: you cannot orient yourself on a map without knowing where you start from. But in the real world, management at all levels often takes quick decisions to improve security based on advice from product vendors or news flashes, without considering the company's big picture. This usually leads to a technology focus, but you always need to consider people, processes, and technology, in that order. So, to start improving your security posture, you need to know where you stand on the "cyber map":

  • Awareness - Are your staff able to spot a fake email or text message? Run a simulated phishing campaign to measure the click rate. It will probably be higher than you expect…

  • Processes - Do you have proper processes in place for access and patch management? Do you have a documented incident response plan, and has it been tested? Do you know how your suppliers handle your customers' personal data?

  • Technology - At a minimum, run a vulnerability scan of your infrastructure and exposed web services, and combine it with a penetration test to dig deeper where needed.
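One way to turn the phishing simulation from the Awareness item into a measured click rate, as an added example that is not from the original post: the script below parses a constructed campaign export (the addresses, timestamps and events are made up) and counts each recipient at most once per action, so that a person who clicks twice does not inflate the rate. It also separates people who reported the mail from those who clicked, which is the number that tells you whether awareness work is having an effect.

```python
from collections import defaultdict

# Constructed sample export from a simulated phishing campaign (not real
# data): one "recipient,action,timestamp" row per event, where action is
# sent, opened, clicked or reported. Alice clicks twice, Carol clicks and
# then reports, Bob reports without clicking, Erin never opens the mail.
SAMPLE_EVENTS = """\
alice@example.com,sent,2024-03-04T09:00:00
bob@example.com,sent,2024-03-04T09:00:00
carol@example.com,sent,2024-03-04T09:00:00
dave@example.com,sent,2024-03-04T09:00:00
erin@example.com,sent,2024-03-04T09:00:00
alice@example.com,opened,2024-03-04T09:12:41
alice@example.com,clicked,2024-03-04T09:13:02
alice@example.com,clicked,2024-03-04T09:13:05
bob@example.com,opened,2024-03-04T09:20:10
bob@example.com,reported,2024-03-04T09:21:00
carol@example.com,opened,2024-03-04T10:02:30
carol@example.com,clicked,2024-03-04T10:02:55
carol@example.com,reported,2024-03-04T10:05:00
dave@example.com,opened,2024-03-04T11:40:00
"""

VALID_ACTIONS = {"sent", "opened", "clicked", "reported"}


def parse_events(text):
    """Parse campaign rows into (recipient, action) pairs.

    Rows are validated rather than silently skipped: a malformed export
    would otherwise make the click rate look better than it is.
    """
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or parts[1] not in VALID_ACTIONS:
            raise ValueError(f"line {lineno}: malformed event {raw!r}")
        # Normalise the address so ALICE@ and alice@ count as one person.
        events.append((parts[0].lower(), parts[1]))
    return events


def summarize(events):
    """Per-recipient metrics: every person is counted at most once per action."""
    actions = defaultdict(set)
    for recipient, action in events:
        actions[recipient].add(action)

    # Only people who actually received the mail belong in the denominator.
    sent = {u for u, a in actions.items() if "sent" in a}
    opened = {u for u in sent if "opened" in actions[u]}
    clicked = {u for u in sent if "clicked" in actions[u]}
    reported = {u for u in sent if "reported" in actions[u]}

    def rate(group):
        return len(group) / len(sent) if sent else 0.0

    return {
        "sent": len(sent),
        "opened": len(opened),
        "clicked": len(clicked),
        "reported": len(reported),
        "click_rate": rate(clicked),
        "report_rate": rate(reported),
        # Clicked and then reported: the person fell for it but still
        # alerted you, a better outcome than a silent click.
        "clicked_and_reported": len(clicked & reported),
        # Reported without clicking: the behaviour awareness training aims for.
        "reported_without_click": len(reported - clicked),
    }


def campaign_metrics(text=SAMPLE_EVENTS):
    """Convenience wrapper: metrics for one campaign export."""
    return summarize(parse_events(text))


if __name__ == "__main__":
    m = campaign_metrics()
    print(f"sent={m['sent']} clicked={m['clicked']} ({m['click_rate']:.0%}) "
          f"reported={m['reported']} ({m['report_rate']:.0%})")
```

Run the same script against each campaign you send and keep the numbers; a falling click rate together with a rising report rate is the trend you want to show management.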

Do a Risk Assessment

Use the results from the previous three areas to conduct a risk assessment. What is the likelihood, and what is the business impact, if an attacker exploits any of the findings from the previous steps? The assessment may be thorough or lightweight, but it will help you focus your investments on the most critical areas based on business needs.

Use standards and frameworks

Defining and implementing security controls is a tedious job. Leveraging publicly available standards such as the CIS Controls or ISO 27001 speeds up the work considerably and gives you a benchmark against best practice. With a documented gap analysis you also build the confidence of your customers and partners, since you can describe your security posture in a well-known, industry-recognized format.

Follow up on your supply chain

This has grown significantly over the last couple of years. Your business's cyber resilience most likely depends on third-party SaaS or outsourced services in some way, so you need the same insight into your partners' security work as into your own. Has your supplier been breached before? Where is your customers' personal data stored? Were there any signs of insufficient security controls when the supplier performed its latest security review?

Based on the results from all four areas above, you can now define your cybersecurity program. You know your weak spots and which ones to spend your budget on first. You also have the first metrics to start measuring improvements. This is a truly systematic approach to building a cybersecurity program based on your company's needs.
