With the ongoing cybersecurity skills shortage, a growing number of information technology (IT) professionals are being asked to take on new responsibilities for their organization’s cybersecurity program. Industry estimates put the number of unfilled cybersecurity positions worldwide at roughly 4 million by 2021, which will only make the problem worse.
Even with the severe economic downturn from the COVID-19 pandemic, there’s still a high demand for people with solid cybersecurity skills. New research indicates that COVID-19 has forced cybersecurity professionals to change their priorities and take on new initiatives.
Cybersecurity professionals have also seen a spike in attempted cyber attacks related to the pandemic. In response to the increasing volume of attacks, many organizations are ramping up threat intelligence analysis and fine-tuning security controls, which requires security expertise that many companies don’t have.
Finally, given the many information security standards and regulations that industries must follow, like the Health Insurance Portability and Accountability Act (HIPAA), the cybersecurity landscape has become even more challenging to navigate. For large and small organizations alike, keeping up with all the different controls within these standards can be difficult.
If you’re new to cybersecurity and want to implement a program, but aren’t sure where to focus your efforts, here are five tips to consider before you start.
1) Choose a Framework Over a Compliance Checklist
Many organizations are still heavily focused on beefing up their security to meet compliance requirements. Trust me, nobody wants to fail an audit. How can you best avoid an audit failure? Go beyond a simple checklist and develop a well-rounded, comprehensive security program based on a framework that helps you implement appropriate control measures.
There are plenty of framework comparison reference materials available to help you understand the commonalities and differences between programs. Some examples are the National Institute of Standards and Technology (NIST)’s Cybersecurity Framework (CSF) and alternative frameworks from ISACA (COBIT), the International Organization for Standardization (ISO/IEC 27001 and 27002) and the Center for Internet Security (the CIS Controls); the CSF’s own informative references map its subcategories onto several of these. According to NIST, the CSF has been downloaded over half a million times since it was first published in 2014. Use of the CSF became mandatory for U.S. federal agencies in 2017 but remains voluntary for private companies.
It’s important, though, to keep in mind that you aren’t going to find a “plug and play” or “off-the-shelf” cybersecurity program. You need to roll up your sleeves and develop a program that suits the particular needs of your organization.
2) Network with Industry Peers
When it comes to developing a program, you shouldn’t be on an island. Your peers and industry colleagues can be your greatest resource. Networking is critical. If you are new to cybersecurity, consider joining regional networking groups like B-Sides or groups like the International Information System Security Certification Consortium (ISC2), ISACA, InfraGard and Information Systems Security Association (ISSA).
These professional organizations will give you plenty of opportunities to discuss shared challenges and best practices and to get feedback on ideas. They also offer plenty of educational resources (webinars, training courses, symposiums, conferences) to get up to speed on cybersecurity program development. Many of these resources are free.
3) Collaborate with Other Departments to Document Policies and Procedures
Oftentimes, cybersecurity policies, procedures and plans are written by a single person or a small team and then left on a shelf. Meeting compliance requirements can turn into an exercise in checking boxes, especially if you adopt a security framework without weaving in the specific security controls that implement it in your environment.
It’s important to get other business and technology leaders across departments involved in cybersecurity policy creation. They’ll add a broader perspective that covers the necessary compliance requirements, business risk mitigation and organizational culture factors that affect the entire company.
4) Assign Responsibilities and Hold Everyone Accountable
Cybersecurity is not any one person’s job – even if you are the only person with “cybersecurity” in your title or job description. It’s in the organization’s best interest to identify responsibilities and accountabilities for various aspects of the cybersecurity program across the entire organization, no matter how large or small it is. Once you identify these responsibilities and accountabilities, it’s equally important that you have an actionable follow-up process to ensure that everyone is performing their respective tasks.
Additionally, it’s easier to hold other individuals accountable when key leaders and decision-makers provide their buy-in on the cybersecurity program. They need to be involved and engaged in the program analysis and development process and hold themselves accountable as well.
5) Measure Program Metrics and Share Results
You’ll find that unlike other areas of IT, it’s often hard to show ROI for the resources you need to implement a cybersecurity program. It’s not like putting together a business case for buying hardware or software. You’ll have to identify measurable indicators for as many aspects of the program as you can and share that information with stakeholders frequently.
In addition, the types of metrics you share with business leaders should be reframed so they understand that building a cybersecurity program isn’t a cure-all for preventing attacks. Attacks will happen, but the ability to quickly detect and contain them is the measuring stick, so metrics such as mean time to detect and mean time to contain an incident say more about the program’s health than a raw count of blocked attacks does.
As Alex Blau from Harvard Business Review stated, “Having the wrong mental model about what a cybersecurity program is supposed to do can be the difference between a thwarted attack and a significant breach.”
Given that the average total cost of a data breach clocks in at around $3.92 million (the figure reported in IBM Security’s 2019 Cost of a Data Breach study), this is something you can’t afford to ignore.
Implementing a cybersecurity program is a challenging process, but if you follow these tips, you can cut down on some of the uncertainty. This can help you when you’re trying to prioritize the policies, procedures and controls that are most critical to your industry and organization.
If you’re struggling with finding the resources in house to develop a strategy or manage the day-to-day complexity of juggling your cloud, network and endpoint security, consider a third-party consulting or managed security services provider (MSSP) that can help you share the burden and ease the load.
Do you need help building or implementing a cybersecurity program? Contact Motorola Solutions to learn more.