What to Consider When Creating a Corporate Cybersecurity Program
What is one of the most important challenges we face as a nation? The White House says, “Cybersecurity.” In recent news, the U.S. government reported 5.6 million fingerprints were stolen from federal personnel data due to a cyber hack.
According to a recent study, “State of Cybersecurity: Implications for 2015”, 82 percent of organizations expect to be attacked this year alone. As the end of the year rapidly approaches, here are seven steps to consider when building a cybersecurity program, as recommended by the National Institute of Standards and Technology (NIST) Cybersecurity Framework. They can help you avoid a cyber attack for the remainder of the year, prevent a repeat of one you have already suffered, and begin preparing for 2016.
Identify the Goal
For any plan or program, it helps to know the security goal. Research your company’s mission, operational priorities and business strategies so that the cybersecurity program you create supports them. The goal then serves as the framework against which you evaluate current business practices and identify current risks.
Once you have your goal in place, dig deeper into not only the current risks but also the current business practices, including the systems in use and the applicable regulatory requirements, to help identify any current or potential threats to your systems or assets.
Create a Current Profile
Using established cybersecurity ‘best practices’, your company should create a Current Profile by indicating which Category and Subcategory outcomes from the Framework Core your existing strategy already achieves.
Assess the Risks
Before introducing new processes, understand the organization’s current procedures; that understanding makes for a more effective program. Pose these questions to get started:
• Does your organization have a current or previous risk management process or risk assessment activities?
• What type of risks has the organization faced?
• Are there any new potential risks to fold into this effort?
Create a Plan
Now that you know the goal, have gathered information on the applicable business practices, have created a Current Profile and have assessed the risks, you are ready to map out your plan. Create a Target Profile that assesses the Framework Categories and Subcategories describing the organization’s desired cybersecurity outcomes.
As in most programs, there are opportunities for improvement and growth. Before executing your cybersecurity program, compare the Current Profile with the Target Profile and review your plan for any gaps that might have slipped through the cracks. Analyze those gaps and create a prioritized action plan to address them, drawing on mission drivers, a cost/benefit analysis and an understanding of risk to achieve the outcomes in the Target Profile.
Creating an action plan clarifies which resources you need, leads you to informed decisions about cybersecurity activities, supports risk management, and enables the organization to perform cost-effective, targeted improvements.
Execute the Plan
After combing through the gaps, you are now ready to execute your cybersecurity program. How do you know whether the plan is effective? Keep two keywords in mind: measure and monitor. Monitoring the plan is imperative to determine what works and what needs more work.
While this is a well-established framework for creating a cybersecurity program, it can be adjusted to fit the culture of your company. As you implement your strategies, you might learn that one step works more efficiently or more thoroughly if given more resources and focus than others. That’s fine. The key is to have a solid cybersecurity program in place to eliminate cyber hacks and protect your organization.