1. Tone from the Top

Like any other major initiative, especially a new corporate-wide initiative, you need the voice of the CEO. A once-a-month email or gratuitous comment from the CEO isn't enough. Today, I work for a company whose purpose in life is developing and selling software products aimed at mitigating cyber risk, which you would think would in and of itself enable a successful IT Security Program, but it wasn't enough. We are like any other company that is very busy competing. IT Security is not second nature: controls and processes can be confusing, difficult and sometimes painful to implement, and they are easy to push down the priority list. As a result, we found the most effective enabler of a successful program is a continuous tone from the top. You need that constant drip of water coming from the CEO's mouth mandating support, reminding leaders that security is not optional and demanding proof that defense systems are developing, progressing and adjusting as necessary.
2. Prioritizing Your Valuable Assets

Early in our journey of taking cyber risk seriously, we all agreed we needed to be secure, but wondered what it meant to be secure. We were searching for the "Easy Button," but quickly found there wasn't one expert or SWAT team we could hire to come in, fix things in 90 days, then leave and let life continue. More importantly, there are many valuable assets that need to be protected, and "value" was like beauty: it's in the eye of the beholder. I sat in networking events listening to peers discuss their risks and justify their highest-value assets (e.g. credit card data, HR data, website, reputation, brand, intellectual property, financial records, etc.). Once you get the constant tone from the big guy on top, it's up to you to manage and prioritize which assets need to be protected first. Further, once you find your top two or three, you are likely to find that the defenses required to protect these assets vary in their prescription, and that the technical IT environments where these assets reside vary significantly as well. In fact, many of us thought the "Easy Button" would come from managed service providers or the infamous "Cloud." Experience tells me it's not that easy, and these environments, coupled with a dynamic business, will often compound the challenge.
3. Finding and Using a Credible Cybersecurity Framework

I remember sitting in an early security meeting asking myself, what the heck is a framework? It sounded like a fancy hi-tech or IT buzzword that God only knows the meaning of! I think my eyes glazed over when I first heard it, but after about six months of frustration at not getting anywhere working with a group of people from my IT team, my boss the CEO, and a couple of other smart guys from engineering, I found that it's actually a very important tool, maybe the most important tool. Today, it's like my American Express: I wouldn't leave home without it. Seriously, it's imperative to dissecting, prioritizing and communicating. A security framework effectively provides a roadmap that, when done well, sets out understandable priorities that enable clear communication on what we have done, what should be done next and whether we are succeeding. If you haven't thought much about data security yet, or if you are frustrated like I was, you will find the security framework is a medium of communication. It allows the techies to speak in "techy speak," but also allows me to understand and see what they are talking about and where all the technical solutions fit into the list of priorities. Said another way, if one of your security professionals comes to the meeting saying we need to buy an IPS, IDS, Next Gen Firewall, anti-malware, threat protection, endpoint protection, etc., all you have to do is ask where it fits in the framework. If it's below something on the priority list that isn't complete, you can ask why and drive the conversation on investments, risk and benefits. I've also found the security framework is very effective in communicating to the Board of Directors. Remember, many of these people are often in retirement (or near retirement), and to them IT security means antivirus (if you are lucky).
Having a good, organized framework provides that same communication medium that enables a productive conversation with our technical staff. It's beautiful to begin to see alignment between the Board, the "C" suite and the team executing the plans. BTW, I found the Council on CyberSecurity's Top 20 Critical Security Controls to be a very helpful framework. It's kind of like Generally Accepted Accounting Principles (GAAP) in that it helps define what is good and also prioritizes good vs. better. In summary, defending against cyber-attacks is hard work; the journey is long, with many detours and kinks in the road. There are no "Easy Buttons." Also, each person's and company's experience is certainly different, but I believe having the three keys listed above will help reduce that frustration.