Get cracking on your cybersecurity strategic plan.
Welcome to Cyber Security Today. It’s Friday, December 29th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
This is my last podcast for 2023. I’m sure that, this being the last regular workday of the year, another report of a data breach isn’t on your mind. So I want to take a few minutes to encourage cybersecurity managers to set some time aside during the long weekend — or even next week, when the pace of things will hopefully be slow — to think about your organization’s formal cybersecurity strategy. Not just your patching policy or your plan to refresh software and hardware, but the overall strategy.
Working piecemeal on cybersecurity won’t make your firm better able to withstand attacks.
If you already have a strategic cybersecurity plan, it probably needs its annual honing. So for this episode I want to focus on those of you who don’t have a formal plan.
This isn’t a matter of outlining a few points on a piece of paper by yourself, or after a meeting with the security or IT team. You can’t create a strategic plan without knowing what cyber risks the business is willing to accept. So to start, plan on scheduling a meeting with your organization’s leaders. Learn what the organization needs, and then what its IT needs are. Then ask management what level of risk it’s willing to accept for operations. Management also has to set corporate security policies, such as the acceptable use of company-owned devices and who on staff needs extra login protection such as multifactor authentication.
From there the broad strokes of the plan can be outlined. Is one day of downtime acceptable? Are a couple of hours acceptable? Is only five minutes of downtime acceptable? Remember there will be different performance demands for different applications. Once you understand the business risks, you can delve into the IT side: Inventory the organization’s hardware and software and then do a risk assessment of each component. Design security controls — or get replacement technology — to blunt the vulnerabilities. The strategic plan has to include the corporate security policies set by management, identity and access control management, data management, a backup and recovery plan and a plan for security awareness training.
It also has to include an incident response plan. Some outlines for creating cybersecurity strategies leave this to the last. I think it should be first: After all, 30 seconds after hearing (or reading) this podcast you may be warned your organization is under attack. A good incident response plan starts with choosing who will be on the IR team, creating a contact list and building a response playbook to deal with eventualities your organization will likely face.
Finally, the cybersecurity strategic plan has to be approved by management — and reviewed annually.
I’ve shortened the process — hey, the long weekend is beckoning. But there are lots of articles online that go into greater detail. One of your IT providers may have resources. I relied in part on the book Security Battleground: An Executive Field Manual by Intel Press.
Finally, I want to thank audio producers Don Naylor, James Roy and Miadori Nagai for making me sound good, ITWorldCanada.com editor Lynn Greiner for catching mistakes I make in my copy before news stories are posted on our website, and publisher Jim Love for his support.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. My next podcast will be Wednesday, January 3rd. Between now and then I’ll post breaking news at ITWorldCanada.com.