SecurityWeek

Management & Strategy

How to Prep Your Security Strategy for Today’s Cyber Risks

There is no shortage of breaking news on data breaches and vulnerabilities that have very real financial and reputational consequences for enterprises. It seems impossible for business leaders and board members to escape the barrage of forewarning headlines and resulting bombardment of experts who line up to share cybersecurity advice on how to avoid such devastation. 

Nonetheless, attacks and breaches keep occurring. What’s worse, cybercriminals often target the most obvious or basic vectors and vulnerabilities. Looking at July 2019 alone, there is no shortage of examples: millions of records left visible in exposed Amazon databases, user and staff records from a school district exposed by a software bug and football fans’ financial information stolen by criminal activity. 

Establishing and managing a strong security posture is critical. Enterprises must know where risks are, address everything feasible and constantly monitor for changes. 

The first stage in crafting a successful cybersecurity strategy is to ensure full buy-in across the organization, which is as much about awareness as it is about agreement. Establishing or updating a security strategy will have both business and technical implications. Cybersecurity needs to be understood across the business so that it is seen as a business enabler and competitive advantage for the company, as opposed to an inhibitor. Leaving key decision makers out risks slowing adoption.

• Top tip: Consider using outside resources to support designing the security strategy. It’s not necessary to outsource the complete project, as that could cause internal resentment. However, a security consultant’s skills and knowledge provide critical expertise and experience: familiarity with a range of organizational security needs and challenges can speed up the project and ensure organization-specific considerations are not overlooked.

Once buy-in is achieved, it may seem like the right time to start the project – but do wait. The next step in defining an organization’s security strategy is actually to take a step back and sit down with area leaders to understand what they do on a daily basis, including which systems are used, where and what data is stored and which third parties and supply chains interact with the business.

Ideally, a full software audit needs to be completed. At minimum, enterprises need to gain a view of exactly what is in use, who uses it and how regularly it’s updated. This will take time and is no small undertaking. But remember that many breaches happen because of basic security missteps, so this stage is very much worth the investment to ensure the right security strategy is designed for an organization.

• Top tip: It is worth keeping in mind that although IT has a list of software in use, it will not be exhaustive. It is very common for departments to have software purchased and managed outside of the IT remit. These tools are known as shadow IT and run under the radar of normal business processes. To achieve a successful security strategy, these tools must be identified, audited and brought under the remit of the internal IT team.

At the point where everyone understands the project implications and it is clear what needs to be protected, updated or retired, the project can begin. There will be changes to how the business and its processes operate, which means that some employees may grumble and IT teams will likely see an increase in calls to the support desk. Despite these temporary inconveniences, once the project is complete, security strategy management should become a regular and ongoing process, with periodic audits of software, devices and risks. Without this ongoing component, all the hard work will lose value. Additionally, should there be a breach, the amount of work required to understand and remediate the incident will increase significantly.

• Top tip: Consider ongoing user education as part of the security strategy. Much of a security strategy depends on employees, so it’s worth creating a security training program to educate users on strong passwords, how to identify fake websites and how to spot phishing and spear-phishing emails early.

Creating and maintaining a successful security strategy is not a simple task, but with the right sponsorship and external resources, it does not have to be a negative experience. In fact, with safer access to data and better educated users, the end result should be a stronger business that is ready for success in today’s digital and cloud-based world.
