Cybersecurity has traditionally been the realm of the IT department. But those in IT have long argued that keeping a company cyber-secure is really everyone’s job. And they are right. Anyone within an organization who lets their guard down can click a malicious link and let attackers into the network. Additionally, the C-suite has a big role to play in creating a security-conscious culture.
Management and board members are now much more aware than even a few years ago about the potential costs of a cyber breach or other cyber incident to the organization. A recent whitepaper from SecureWorks outlines eleven steps that upper level management should take in handling cybersecurity issues.
Steps upper management needs to take for effective cybersecurity:
- Define the top business risks — The first thing you must do as a company is determine exactly where your risks lie. What data are you protecting? What will your clients lose if their data is stolen or breached? Also look at the outside risks introduced by the companies you partner with.
- Benchmark current status — Define your current status on cybersecurity. You should base this on two factors: (1) industry standards and practices and (2) your known vulnerabilities.
- Define a desired future state — Now that you know what is at risk and where your company currently stands, it’s time to create a roadmap to where you want to go. At this point you set your goals and create a reasonable timeline for each. It’s necessary to work with IT and other departments to understand when these goals can realistically be met.
- Monitor risk levels — Next, you need to rank your risk levels as low, medium, or high. If one of your areas is a high-level risk, you need to put a temporary stopgap in place until you can address the situation more fully.
- Know the operational strategy — Standard practices today for the industry call for a four-part operational strategy: (1) Prevent what you can; (2) Detect any attacks you can’t prevent; (3) Respond quickly to any attacks; and (4) Predict where the next attacks may come from.
- Monitor governance and compliance — Determine what the cybersecurity standards are for your industry as they apply to training and compliance. Once you’ve researched these, make sure you are in compliance with them. Keep in mind that as the field evolves, those standards will evolve as well.
- Test and improve response-readiness — Just as businesses conduct fire or emergency drills in their buildings, you need to run response-readiness drills for your cybersecurity. If the drills reveal gaps in your security, address them for future improvement. Then retest and repeat as often as necessary.
- Know if staffing and leadership are adequate — Besides investing in technology for security, you also need to invest in human resources such as security staff and leadership. This includes investing in continual training for these individuals.
- Make strategic investments — Look closely at your budget to see if there are areas that can be cut back to help reinvest money for security purposes.
- Set a tone at the top — Management all the way up to the board needs to practice good cybersecurity protocols themselves. You need to set the tone for how you want the rest of your employees to conduct themselves.
- Test assumptions regularly — Finally, you need to test your systems regularly, including bringing in a third party to help. As you discover weaknesses, adjust your practices to fix them.