Creating a cyber risk aware culture requires awareness at your company in which every employee takes responsibility for cybersecurity. Get the tips to make this easier.
Cybersecurity is a multifaceted topic with many constantly evolving variables. For CISOs and other security leaders, just knowing where to begin can be a challenge.Let’s say you’ve just taken over an organization’s cybersecurity program, or have been tasked with building one from scratch. You have a limited budget and limited personnel, so you can’t accomplish everything at once. Which tasks deserve your focus in the critical first few months?
We’ve rounded up some cybersecurity tips from industry experts to help guide your initial strategy.
1. Start with the Data
“Security” is a relative term. What exactly are you keeping secure? The first priority for any security leader should be developing an understanding of the data they’re supposed to be protecting.
A security leader must understand what data is most valuable to their organization. This could include the usual suspects like personally identifiable information (PII) and credit card data, but might also extend to items like trade secrets, manufacturing data, or intellectual property.
“If you were a cyber criminal, which data would you want to steal?” asks Jake Olcott, VP of Strategic Partnerships at BitSight. “That’s where you’ll probably find your most sensitive data.”
What does “sensitivity” mean? According to Olcott, “you could define sensitivity as the data that would have the worst impact if it was stolen.”
Tim Marlin, Head of Cyber Underwriting for The Hartford, agrees that this kind of top-level data analysis is a top priority. He suggests taking an inventory of the business’s core assets and sensitive data.
“Identify where this business information is stored and who within the organization has the authority to access it. Include personally identifiable information (PII) for employees and customers (such as social security numbers, healthcare records, credit card numbers, etc.), bank account data, company intellectual property and any other information that could damage the business if it got into the wrong hands.”
2. Prioritize Initiatives Based on Data Sensitivity
Once you have an understanding of what data your company needs to protect, it’s important to rank this data from most sensitive to least sensitive. Because you have limited resources, you won’t be able to give equal attention to protecting every last bit of information. Therefore, it’s necessary to decide where you’ll be focusing your efforts first.
This strategy of risk prioritization was recently adopted by the U.S. government. The Department of Homeland Security’s latest cybersecurity strategy is focused on risk prioritization, with one major goal being to “assess the evolving national cybersecurity risk posture to inform and prioritize risk management activities.”
3. Engage with Senior Executives and the Board
While you’re developing and rolling out cybersecurity initiatives, you also need to build a rapport with senior executives and the Board of Directors. Boards are taking an increasingly active role in cybersecurity, with 45% of Board members saying they actively participate in setting the security budget at their company. Therefore, the success of your cybersecurity program will depend in part on how much buy-in you receive from leadership.
“You need to align your program with organizational priorities” says Jake Olcott. “Familiarizing yourself with the goals of senior leadership can go a long way toward building a cybersecurity program that’s effective in the long-term.”
So, how can you go about building this rapport?
Kevin Roden, former CIO of Iron Mountain, recommends taking it to the “land of me.”
"You need to take it to the land of me. If I'm the CFO and this happens, what's in it for me? What does this mean to me and to the business that I'm responsible for? Or if I'm the COO, what does it mean for the business that I'm running?”
Building a good relationship with other executives and the Board might not seem like a high priority, but it’s an absolute necessity for those looking to create a sustainable cybersecurity program.
4. Get to Know Your Environment
Deciding which security policies, controls, and products will best serve the needs of your organization requires a thorough understanding of the IT environment. Complete network audits should be conducted regularly, either by internal teams or third parties. However, when you first come on board, you’ll want an up-to-date assessment fast.
Software is one way to gain this understanding quickly.
“BitSight analyzes a range of externally observable risk factors in your environment to show you which are presenting the most vulnerabilities,” says Jake Olcott. “Ratings in these specific risk vectors can then be used to prioritize your cybersecurity efforts.”
The risk vectors BitSight analyzes include:
- Botnet infections
- Malware servers
- Potentially exploited machines
- Open ports
5. Engage with the Workforce
Senior leaders aren’t the only stakeholders you’ll need to gain favor with as you roll out your cybersecurity program. You’ll also want to devote some resources toward building a good relationship with the workforce as a whole.
Why? Because employees are one of the weakest links in any company’s cybersecurity efforts. According to Verizon, user-related risk vectors like phishing, privilege abuse, and misdelivery made up three of the top five action varieties of data breaches in 2017.
Eventually, you’ll want to work with other departments to implement effective security awareness training for all employees. In the beginning, however, it’s worthwhile to make your presence known with frequent messaging, like a weekly update email.
“When talking about cybersecurity with non-IT staff, it’s important to use as much evidence as possible in your messaging,” says Jake Olcott. “BitSight is a great way to introduce that evidence.”
Because BitSight Security Ratings are easy to understand and simple to track over time, they are the perfect tool for communicating the state of an organization’s IT security to the workforce as a whole. Over time, you can use security ratings to foster a sense of responsibility and accountability for security in every employee.
As your cybersecurity program matures, prioritization will continue to be a useful skill. There are several guiding methodologies one can use to prioritize resource allocation.
Whether you apply the Pareto Principle or some other guiding philosophy, having a defined method in place will help you scale your cybersecurity program with the organization and with the evolving cyber risk landscape.