With the constant barrage of headlines regarding breaches in the last few years, it seems that society in general has become numb to losing personal data. This year’s overarching cybersecurity theme is clear: We’re all in this together because we simply can’t do it alone. Effective defense demands a team effort where employees, enterprises, and end users alike recognize their shared role in reducing cybersecurity risks.
To borrow a phrase, “If not us, then who? If not now, then when? by John Lewis. Here are tips for improving your cyber risk management this year.
Tip #1: Balance risk versus reward.
The key is to balance risks against rewards by making informed risk management decisions that are aligned with your organization’s objectives — including your business objectives. This process requires you to:
- Assign risk management responsibilities;
- Establish your organization’s risk appetite and tolerance;
- Adopt a standard methodology for assessing risk and responding to risk levels; and
- Monitor risk on an ongoing basis.
Tip #2: Use your investments wisely.
When determining the best strategy for future cyber investments, it’s vital that you review your organization’s current security posture and existing security controls, including technology, people and processes. Before making new investments, perform an architectural and program review to understand how the existing controls can be utilized to address your identified risks. There are almost always ways to optimize, reduce cost, or minimize upcoming investments.
Tip # 3: Be nimble; make sure your strategy can quickly adapt.
Business is not static and neither are the solutions that enable and protect it. To grow, compete, and own its place in the market, a business must adopt new models and technologies to stay relevant and competitive. As the business evolves, so too must the operations and security solutions that protect it. Today, a cybersecurity strategy needs to be nimble to match the pace and dynamic modeling of the business it is protecting.
Tip #4: Don’t lose sight of the data — are you asking the right questions?
Before analyzing your security controls, take a step back to understand what data is needed to support the business, who that data must be shared with, and where that data is stored. Look at your operations, the flow of data into, throughout, and outside of your organization, and the risks associated with your business model. This will give you an understanding of the exposures that the data faces, enabling you to address and prioritize security measures. The three questions most organizations should be asking are:
- How secure are we?
- Are we going to be secure based on our current and future business plans?
- Are we investing the right amount of time and resources to minimize risk and ensure security — especially people, technology and process?
Tip # 5: Re-imagine your security approach; don’t go looking for the silver bullet.
The cybersecurity market is flooded with solutions, leaving many organizations struggling to select the right protection for their business and get the best value from their investments. Most cybersecurity solutions, however, are point solutions, which don’t adequately address today’s threats.
Tip # 6: Make security awareness stick.
More than 90 percent of security breaches involve human error. These acts are not always malicious, but often careless and preventable. To change security behavior effectively, employees must know what to do, care enough to improve, and then do what’s right when it matters. An effective security awareness program can help change organizational behavior and lower risk. Look for best practices for implementing a successful security awareness training program to change employee behavior and help make your organization more secure. Consider the answers to the following questions.:
- Does the program assess your users’ ability to spot real-world phishing attacks?
- How is the training delivered to help employees identify phishing and other social engineering tactics?
- Is there flexibility for planning, scheduling, and running the program?
Tip #7: Think beyond compliance.
Achieving Compliance is not the ultimate goal, it is about sustaining compliance. Security and Compliance are not equal. Compliance management is not a project that you start and finish, but rather an ongoing program that needs to be continuously maintained. To make the journey easier, follow an integrated compliance and risk management framework that addresses security, privacy, risk, and compliance, such as the National Institute of Standards of Technology (NIST) framework. This ensures a more manageable program and allows you to report compliance posture more efficiently.