At this stage in your efforts toward modernizing your company’s information security program, it’s time to move beyond education and dialogue into more concrete action. By following these seven steps, you can pave the way toward a more secure future for your organization.
1. Hire a CISO who can (and will) create a cybersecurity plan and evaluation process.
Your CEO and CIO are on board, but if your company is like many others today, you may be missing a crucial ingredient: a CISO. A good CISO is challenging to find and retain, but well worth the investment, because the person you choose for the role will be a valuable bridge between your organization’s business and technological interests. Once you’ve found one that fits your company’s needs, consider having your CISO report directly to your CEO, rather than your CIO, to prevent potential conflicts of interest.
2. Keep your Leadership Team involved in cybersecurity risk-management discussions.
As you guide your CEO and CIO during the modernization process, make sure you remain aware of the situation on the ground. Take a leadership role in evaluations of your company’s specific cybersecurity risks and discussions of cybersecurity incident-response plans. The more cognizant you are of current realities, the better you will be able to communicate them accurately to your C-suite and BOD, driving necessary changes.
3. Confirm that cybersecurity risk is addressed in existing risk-management and governance processes.
Whenever possible, keep lines of communication open with risk and compliance officers within your organization. Cybersecurity risk is not the only kind of risk your company must deal with, and cybersecurity compliance is just one of several areas your compliance department handles. Keeping the risk teams involved helps ensure that cybersecurity risk and compliance remain high-priority and receive the resources they need.
4. Raise cybersecurity awareness in your company.
As we’ve covered in this series, breaches are often caused by human error, rather than malicious action taken by an outsider. One critical part of your company’s security program must be your organization’s cybersecurity education program. Work with your staff or outside IT consultant(s) on initiatives to educate employees, contractors, partners and even customers on best practices for password management, identifying suspicious communications, and other possible points of weakness.
5. Immediately adopt data-privacy best practices.
Education and communication are important, but action is even more critical, so find ways to immediately adopt data-privacy best practices within your organization. Consider making changes to corporate password policy, for example, by strengthening password requirements and/or implementing more stringent authentication technologies. Review and revise provisioning policies, privileged account access, and the application of two-factor and multi-factor authentication, and crack down on shadow IT to further limit vulnerabilities.
6. Plan ahead for a future cybersecurity risk assessment.
Having a clear understanding of your organization’s current security position is key to implementing a better strategy moving forward, so budget for a comprehensive annual cybersecurity risk assessment and consider updating your current risk-assessment report. The threat landscape is constantly evolving and so is your organization’s risk profile. Don’t use outdated information to make decisions for the future.
7. Discuss cybersecurity insurance options with a knowledgeable broker.
Does your company have a cybersecurity insurance policy? Despite the massive breaches of the past few years, many companies do not, which can leave them open to major damages in the event of a cybersecurity incident.
After taking these steps, you should be much further along in your push toward a stronger information security program for your company (and better job security for yourself and your CEO). In our next installment, we’ll discuss the steps to take to make substantial improvements to your company’s cybersecurity culture.