How to Lead a Cybersecurity Initiative

by Sarah Harvey / September 11th, 2018

Are you a CISO, CCO, ISO, or member of the IT department that’s building and leading a cybersecurity strategy? Don’t know where to start? The foundation of a cybersecurity strategy should be built on basic principles of security – patch management, risk assessment, network monitoring, vulnerability management. From there, you must cultivate awareness of the evolving threat landscape, observe regulatory responses, continue to train and invest in your team, and have executive support of your strategy.

The Threat Landscape

Modern businesses require some type of connection to cyber space, opening them up to new risk factors. When building a cybersecurity strategy and a cybersecurity risk management program, it’s crucial to assess internal and external threats that pose risk to your organization. Cyber threats are becoming more and more sophisticated every day. Cyber threats pose major financial, organizational, and reputational risks to all industries, regardless of the size or type of a business. Phishing, whaling, Petya, WannaCry, DoS/DDoS – organizations must learn from others’ mistakes about the complexity of these threats and the amount of damage they cause.

Observing Regulatory Responses

Regulators have responded to the evolving cyber threat landscape, and so should your organization. The AICPA saw a need in the industry that it could fill: a general use report that describes an organization’s cybersecurity risk management program and verifies the effectiveness of its controls. Thus, SOC for Cybersecurity was created. NY CRR Part 500 established cybersecurity requirements for financial services companies in New York, which requires that companies develop a cybersecurity program that protects sensitive customer information and the confidentiality, integrity, and availability of companies’ information technology systems. NIST, PCI DSS, penetration testing, vendor compliance assessments – these are all responses to the ways information systems are incredibly interconnected and how organizations can protect their data, network, systems, and assets.

As new tools, requirements, and frameworks become available, evaluate which ones apply to your organization or which you should consider being tested against. A strong cybersecurity initiative requires that your team know how industries and regulators are responding to cybersecurity threats.

Investing in Your People

There are threats coming specifically for your employees, so there are many new policies and procedures to introduce to them as a part of your cybersecurity strategy – system access and privileges, appropriate use, logging methods, new tools. Your employees need to know what all of this means and how to protect themselves. You never want your cybersecurity strategy to be secretive, confusing, or unengaging; this will leave your team uninterested and unmotivated to support the initiative.

A cybersecurity strategy must also involve training. Security awareness is your first line of defense, so invest in relevant, engaging, consistent training. For those team members who are an integral part of your cybersecurity strategy, provide appropriate professional development to keep them up-to-date on methods and techniques that could be used against new threats.

Executive Buy-In

Executives, management, stakeholders, boards, and integral business partners all need to support your cybersecurity initiative. Without the tone from the top attitude, cybersecurity risk management programs cannot thrive and function the way they are intended to. How do you gain their support?

• Communicate that your cybersecurity strategy aligns with business objectives.
• Provide examples of real cybersecurity incidents, whether they’ve occurred at your organization or to someone else in your industry, and then explain how your cybersecurity strategy could’ve prevented that incident. You want to use real-world examples to explain the gravity of the threats and the need for your program.
• Data breaches take a financial hit on any organization. Communicate the cost of a breach to management and then explain how your strategy is a form insurance.
• Explaining the competitive advantage of cybersecurity efforts is always a safe bet for securing executive buy-in. Your clients want to know that you’re doing everything possible to keep their data and assets safe; they may be more loyal to you if you can demonstrate the cybersecurity controls and program that you have in place.
• Describe the types of cybersecurity attacks that target them. The logic behind whaling attacks is to target the most senior-level employees because of their authority and amount of access. It’s not uncommon for whaling attacks to work, because so many executives do not participate in the same security training as other employees.

Interested in learning more about protect your organization from cyber threats? Contact us today and we’ll get you started on the right path!