Piecemeal cybersecurity programs are not only costly to maintain, they can introduce business-disruptive risks to your organization. In my experience, CISOs and CROs who start with the end in mind have a strategic advantage over organizations that implement short-term changes, which are often made in reactive mode. Take a step back and think about what you are trying to achieve with your cybersecurity program, keeping in mind some key objectives:
Build a solid foundation first.
This means knowing your business and the people who support it. Catalog and identify your assets, business processes and services, and the people you employ. Understand which business processes and services are critical, which assets support them, and which underlying dependencies could be affected should something interrupt your business. Maintain a regular process to revisit this information and ensure it stays up to date. This will ensure not only that the rest of your cybersecurity program is cohesive, but that there are no gaps that could cost you later.
I often meet with clients that failed to build up their Configuration Management Database (CMDB) and define ownership and criticality early in the game. While this is a large-scale effort, it is crucial to make it an ongoing program so that it can support automation and sustainability later on.
Think about automation.
The art of automating your processes can be more challenging than it seems. I have seen organizations try to tackle everything at once, only to fail when it comes time to implement. This is an iterative process. Document and understand your current processes first and involve key stakeholders early; what seems to have been working for years may need to be re-engineered. Before implementing these workflows across technology platforms, orchestrate them at the people layer, and ask your business end-users whether the process is optimal. Only once it is optimized should you implement technology solutions to further support these processes, and always opt for technology platforms that can support multiple, enterprise-wide processes, rather than trying to piece together multiple point solutions that are costly and difficult to maintain. Finance, and your stakeholders, will thank you.
Stay ahead when it comes to compliance.
Let's face it, compliance is challenging. Looking at compliance proactively not only eases the burden of audits, but it can be a key competitive advantage when a failure to comply would impact your business. Compliance is a risk that must be identified, monitored and continuously assessed, and capturing this information is key for long-term sustainability. Organizations that rely heavily on people and process, with little regard for technology, may find it difficult to keep up with changing regulations. Forward-looking organizations benefit from early adoption of changing regulations, giving them time to strategically modify their programs rather than reactively playing catch-up.
Take a risk-based approach.
When it comes to the role of a CISO or CRO, the goal is to make sure that the business keeps moving with minimal disruption. Whether this means making sure there are no large-scale, business-impacting breaches, or that third-party vendors continue to support your business-critical services, it is important to be aware of risks that could derail operations. Risks should be identified using both a top-down and a bottom-up methodology, incorporating both enterprise and IT risks for a holistic risk management program. Know who your employees and vendors are, what processes they support and what assets they touch, and maintain proper controls to mitigate the risk of disruption. This could mean anything from bottom-up analysis of segregation-of-duties violations to selecting your vendors based on their cybersecurity posture, limiting fourth-party risk. Whatever approach you take, make sure you cultivate a risk-centric culture involving cross-functional stakeholders in order to truly assess your risk posture.
A long-term approach to cybersecurity may require a greater investment up front before you see results, but the end results are worth it. This proactive approach provides the tools to better cope with a rapidly changing industry, whether that change comes from evolving threats or from regulations.