We are continuing our cyber strategy leadership series and discussing how to get the right team to implement your cyber security strategy. If you have missed the first article where we introduced the concept, check it here.
As mentioned in the previous article about the core elements, hiring the right people for the job is essential to a successful cyber strategy. Often businesses will not have the need or capacity to employ full-time staff in these roles. An option for consideration is the onboarding of a trusted managed services provider (MSP) who can give a business a pool of talent and expertise to draw on as and when it is needed. These MSPs can integrate into existing business processes and, supported by a strong leadership team, provide all the benefits of a cyber security team without the need for expensive or unnecessary resource spending.
A good governance structure will seek to build non-siloed horizontal teams to implement adequate controls and manage risk. These teams are vital for establishing roles and responsibilities which link individuals to risks and create subject matter experts across the business, helping to integrate cyber security into all areas of the organization. A collaborative working method builds trust and co-operation and is vital to the success of a cyber security strategy.
Low hanging fruit
Before commencing a full governance program, organizations should consider which low-hanging fruit can be picked to address any immediate issues. A maturity assessment will identify process and procedure issues that organizations can address internally. Vulnerability scanning and penetration testing can identify technical issues that IT departments can address. Common quick wins include ensuring applications are patched to the latest version, tightening email filtering, and updating firewall rule sets. A business may also be able to identify vulnerable, out-of-date technology that can be replaced to improve infrastructure security.
Asset Management, Policies, Processes and Procedures
Alongside risk management and an appropriate compliance framework, a vital component of a good governance structure is asset management. A business needs to know what devices and technology it manages and where its data and information are stored in order to control risk effectively. One of the core functions of a cyber security department or team will be the coordination of this activity.
Once organizational assets have been identified, a cyber security strategy can start to determine how these assets are used. To ensure that this new culture of cyber security is disseminated throughout an organization, the business must effectively communicate this through its core cyber security policies and the necessary processes and procedures.
Policies advise employees, contractors, third parties, and suppliers on the behaviors the company expects and the types of technological solutions and restrictions that will be put in place. Policy creation helps an organization to establish its position toward cyber security controls, enshrines roles and responsibilities, and communicates the strategy and adopted framework.
There are a variety of policies that an organization can put in place. Still, ones to consider include an Incident Management policy that defines what an incident is, how it must be reported, and the repercussions for non-compliance with the policy. A cyber strategy may also consider an Acceptable Use policy that communicates the acceptable use of company assets, how they can or cannot be used, and the individual user's responsibility for the use of company assets.
People are a crucial factor for any organization seeking to improve its cyber security posture or roll out a cyber security program. Organizations must implement a top-down strategy: management must be engaged and must take this seriously. Cyber security should not just be an exercise in putting on a veneer of cyber to satisfy an audit requirement. A strong people strategy requires the assignment of appropriate resources and investment to succeed.
An excellent people strategy will have a focus on the provision of knowledge and changing behaviors. Changing the cyber-culture of an organization presents a considerable challenge. People must work in new ways and potentially use modern technology, which may at first appear to be a barrier to business as usual activities.
The CISO must strike a balance between innovation and protection, and this requires excellent communication, the right people, the right strategy, and a well-informed workforce who are engaged and motivated to participate. The CISO and cyber leadership should clearly articulate to their colleagues that their role is to facilitate business and keep the environment safer. All too often, cyber security is incorrectly identified as a blocker to growth, so a successful cyber strategy begins with winning the hearts and minds of people. A successful CISO should also consider assigning a portion of their operational budget to other departments who may need to make changes to comply with new requirements, easing the burden on departmental CAPEX and OPEX.
People also present a threat vector for any organization, especially through social engineering and email compromise. Good hygiene practices must be put in place to combat this. The organization must have in place an effective training program and communication campaign. This must be an ongoing campaign, not something which is run at project inception and never touched again. Any training must adapt to new threats and reflect the organization's technology and working practices.
Educating individuals on social engineering techniques and how to spot them, including phishing campaigns, is the front line of cyber threat prevention. Alongside this, as mentioned above, employees must know what incidents to report, how to report them, and what to do in the event of an incident.
An excellent people cyber security strategy also encompasses control of the physical environment. Employees need to be empowered to challenge any worrying behaviors within their working environment, which helps address the issue of insider threats. Employees should be able to, without prejudice, challenge individuals within their environment, whether that be tailgating, not wearing ID badges, or simply seeing someone acting in a way that is contrary to the normal processes of the organization.
A cyber strategy will focus on providing knowledge and changing the behaviors of a workforce. Investment in training and awareness, and investment in individuals who are talented and fit for the job, is crucial to the success of any business strategy change.
The CISO will have to consider a program that uplifts or retrains the existing workforce, providing them with the necessary skills and confidence. Any transformation program or strategy will also require investment in new skills and new employees who have the qualifications needed to operate new tools, applications, or processes. Running lunchtime workshops and cyber awareness campaigns helps to inform employees and builds confidence in a new cyber strategy. It also helps the cyber security team to connect with individuals and build the relationships needed for a successful strategy.
In the next article of this series we will discuss other essential elements of the cyber strategy: technology and supply chain. If your company wants to take its cyber security strategy to the next level, get in touch with us and our team will guide you through this process.