In over a decade of watching cybersecurity threats evolve and organizations respond, it strikes me that every organization has to start from the basics and then struggles to keep that core focus, no matter how expansive its security program becomes. That’s why this first post in a series exploring the fundamentals of security preparedness will focus on the basics. Let’s discuss practical steps that turn cybersecurity preparedness into more than a risk-avoidance cost center.
If you’ve avoided implementing a holistic cybersecurity program or if you think you’ve got the basics and are ready for the next step but would like to confirm that you’re on the right track, this post is for you.
Who Should Implement a Cybersecurity Program?
Everyone – even if your company wasn’t “born in the cloud.” All companies are now cloud companies. Internet connectivity comes with inherent risks, which can be managed but never eliminated. Security controls almost always trade off against ease of use, and modern commerce demands that you give customers the easiest possible way to buy and use your goods and services. Managing that tension deliberately, rather than ignoring it, is what a security program is for.
What Are the Basics?
Privacy. If you are storing, using, or gathering any information that can be used to identify an individual (and you probably are, even if it’s not your core business model), you’ve got a lot to deal with. Compliance with international privacy laws like the GDPR gets a lot of coverage, but be sure you cover the basics first: know what personal data you collect, where it is stored, who can access it, and how long you keep it. You cannot protect, or lawfully process, data you have not inventoried.
Governance/Compliance. Sure, compliance can seem costly and dry, but if you’ve got great security practices and don’t have them documented, you can’t tout them to your customers, use them as a shield against regulators, or make sure they are still being followed as your company grows. Customers care about security. Governance is how you demonstrate that your organization is serious about it.
Security. Even if it’s not your core focus, security is a critical part of your business. The fundamentals are well understood and not expensive relative to a breach: know what systems and accounts you have, patch them, require multi-factor authentication, give people and services only the access they need, keep tested backups, and retain enough logs to reconstruct what happened. You can maintain a robust security posture while keeping costs under control.
Incident Response. What will you do when you experience a compromise or data breach? Are you prepared to face down an Advanced Persistent Threat like a nation-state-backed squad of professional hackers? Maybe not, but you need to be prepared to marshal the people who can, while continuing to run your business.
What if I Already Have Those Covered?
These are just some of the fundamentals. Build detail and resiliency into your organization so that you have a more granular understanding of your systems and data, and so that your organization can sustain a response while continuing business operations. If you have a response team identified, prepare a back-up team to eliminate single points of failure in your personnel. Personnel silos are one of the most common risks: if only one person knows how a system works or where the logs are, that person’s vacation or resignation becomes an availability problem. Do you have a common set of practices any employee can follow?
Where Do I Start If I Don’t?
Start with response. It is the backstop for failures in every other area, and building it will give you a collaborative team that can address the other organizational challenges in a way that brings value to the company.