Making Your Cybersecurity Program a Success
By Bob Turner, Higher Education CISO, University of Wisconsin-Madison
We are constantly reminded of the increasing threat to information, systems and data. Every day there is a new angle that threat actors, criminals and cyber punks are taking to disrupt, destroy, or damage your business. Likewise, the speed and complexity of IT transformation accelerates the pace of change and the intricacy of cybersecurity and information protection. Cybersecurity is a cultural issue that is more than just the latest tool or concept for finding and preventing evil within your corporate information and technology enterprise.
What is your corporate measurement of success for your cybersecurity program?
Many will tell you that avoiding the dreaded appearance on the six o’clock news is the primary measure of success in cybersecurity. A more reasonable approach is to use a set of metrics developed from your security framework. Choose a framework from sources like the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), or the Center for Internet Security’s 20 Critical Security Controls. Choose one that fits your organization’s technical information architecture, business models, internal dynamics, and outward-facing communications structure. Choose a methodology that provides success criteria you can defend to the Board of Directors! Just pick one!
CAUTION! Frameworks are a baseline! Meeting the baseline is not the same as being secure; a control that is “implemented” on paper may still leave a gap that matters to your organization. Understand the value proposition of each control, then supplement the baseline with the controls that create the security your users deserve.
Success is knowing where your benchmarks are and establishing key performance indicators you can clearly see and easily measure.
How mature is your cybersecurity program?
Your mileage may vary, although if you are learning from your experiences, good or bad, you are maturing. ISACA and the CMMI Institute recently published a cybersecurity maturity assessment model covering the people, process, and technology aspects the CISO can use. Address operational practices with standards and compliance in mind. Understand your Board of Directors’ concerns with organizational and investment priorities and risk appetite. The NIST Cybersecurity Framework also includes Implementation Tiers (Partial, Risk Informed, Repeatable, and Adaptive) which, while NIST is careful to note they are not strictly maturity levels, are useful in determining where the organization sits against the Framework Core functions of identify, protect, detect, respond and recover. Understanding where your program sits on the maturity path will help you to determine success. Success in the early stages of maturity is still success!
What are your cybersecurity strategy and guiding principles?
Once you have a handle on the way your program will work, the energy should shift to developing and implementing a strategy with policy, standards, and implementation plans. Start with a strong and relevant set of Guiding Principles: know your data, know your architecture, and know the industry-related issues (FERPA, HIPAA, GLBA, etc.). Understand your environment, including assets and attributes such as hardware, software, and standard configurations (the foundational CIS Critical Security Controls cover exactly these inventories).
Be aware of the revolution in privacy concerns and bake privacy in now! Become familiar with, and incorporate, the emerging privacy principles, laws and doctrines such as the European Union General Data Protection Regulation (GDPR) or the California Consumer Privacy Act of 2018 (CCPA). Know how you address employee behaviors and workplace issues, and incorporate business and organizational perspectives.
Success is having the community agree to these guiding principles! You cannot socialize this task enough.
How often do you “talk cyber” to your constituents and stakeholders?
Communications and awareness are key to moving the program from paper, charts, and graphs to real culture change. Know your audience’s tolerance for negative messages that invoke fear, uncertainty and doubt (my preference is to avoid FUD as much as possible, but then I am a glass-half-full guy). Develop the ability to sort through the vendor hype for real information worth sharing.
Communicate early and often using messages the community understands. Develop your message(s) with a cross section of business, IT and security groups, and use constituent community boards. Above all, have a written communications plan that calls for constant and consistent messaging and sets out how to address executives and the Board of Directors, how to manage crisis communications, and how you communicate change.
Use the feedback you receive, and be careful not to make large changes based on small amounts of imperfect data. Involve your community through education and feedback focused on your key performance indicators. Cybersecurity is like Novocain: you sometimes need to give it a bit of time to work before you start poking around with sharp instruments.
Success is when you express your message in organizational terms, examine feedback to track trends, and then report!
A successful program…
…is not a bolt-on for projects to tick a requirements box. Successful cybersecurity programs incorporate frameworks and best practices that change the organizational DNA. To keep your business functional and thriving, your cybersecurity program has to be an integral part of the business and mature in providing the right people, processes and technology, at the right cost, at the right time. Make your program a value center instead of a cost center.
Successful cybersecurity programs are core to the business, and their cost never exceeds the value of the information and systems the program is designed to protect.