When you first start out on the journey of creating a cybersecurity program, it can be a bit intimidating, confusing, or even difficult to know where you should start. If you were recently anointed the cybersecurity tsar in your company, or you inherited something resembling a program from your predecessor, there may be competing drivers and demands that eat up all your time. Therefore, if you don’t have a clear plan and a solid approach, it may be worthwhile to consider what we know to be a proven way of getting a cybersecurity program off to a good start.
One of the first challenges we frequently encounter in a young or newly minted cybersecurity program is knowing what is most important: what do you focus on first, what tools do you need to have, and so on. While this may seem daunting, it actually isn’t. The order in which a company should consider implementing cybersecurity countermeasures will depend on a number of factors, such as the specific risks and vulnerabilities facing the company, the resources and capabilities available to the company, and the company’s overall security strategy. However, there are some general principles that can guide the implementation of cybersecurity countermeasures, from the first to the last.
1. Risk assessment. The first step in implementing cybersecurity countermeasures is to identify and assess the potential risks and vulnerabilities facing the company. This can involve conducting internal and external assessments, as well as analyzing the company’s current security posture. Conducting a risk assessment is a systematic approach that relies less on subjective opinion and more on knowledge when determining what your priorities need to be. It also provides a basis to refer back to when someone asks why you have chosen to do this or buy that solution.
2. Security policy and strategy. Once the risks and vulnerabilities have been identified, the next step is to develop a comprehensive security policy and strategy that outlines the overall approach to cybersecurity and the specific measures that will be implemented. Most companies have to operate within some level of regulation, whether it is data privacy and breach notification (all states have some form of this) or the more specific requirements we see in healthcare, the financial industry, retail (credit cards), or energy and transportation. Regardless, having policies that spell out the company’s position on specific matters relating to security, alongside the regulatory requirements, is the cornerstone of any cybersecurity program.
3. Employee training and awareness. A key aspect of cybersecurity is ensuring that employees are aware of the risks and of their role in protecting the company’s information and systems. Providing regular training and awareness programs can help educate employees about cybersecurity best practices and encourage them to be vigilant in protecting the company’s assets. We make an assumption here that all organizations have implemented some type of firewall and antivirus on their computer endpoints. If you don’t have that yet, do that immediately. But after that, the human risk factor is likely the one you should focus on next. This is because we know that most breaches and ransomware attacks target people, who will courteously let the attacker bypass many security controls. It is also the most reasonable and effective way of improving the company’s cybersecurity posture, at least up to a point: beyond a certain point we typically cannot improve it further without hitting diminishing returns.
4. Technical controls. That’s when we really need to turn to technology: after the security policy and strategy have been developed and employees have been trained, the next step is to implement technical controls to protect the company’s information and systems. This can involve implementing Endpoint Detection and Response (EDR, XDR, MDR, etc.), Security Information and Event Management (SIEM), various AI/ML-based prevention systems, encryption, and other security technologies. At this stage, it is really important to have risk information at your fingertips that helps guide you to invest in the right technologies. Most likely you don’t have unlimited funds, and regardless of what the salesperson tells you about how great their solution is at something, only you really know what is most important to your organization (that is, if you did the risk assessment).
5. Monitoring and response. Once the technical controls have been implemented, it is important to continuously monitor the company’s information and systems for signs of security breaches or other threats. This can involve using security information and event management (SIEM) systems to collect and analyze security data, as well as developing and implementing a response plan to address any security incidents that may arise. While it’s often said and sounds like a well-used cliché, it is still true: cybersecurity is a process, it’s a cycle, and it doesn’t ever end. Monitoring, responding, and learning from those incidents will be critical to improving the security posture of the organization. While we won’t go into it in detail in this article, the program will eventually need an effective security strategy: a plan, if you will, that is tailored to the specific needs and risks of the organization and is regularly reviewed and updated to ensure its effectiveness. Follow us for a future article on how to create a strong and effective cybersecurity strategy.
In summary, the order in which a company implements cybersecurity countermeasures will depend on the specific needs and circumstances of your company, your resources, and even the industry you are in. However, following a structured, risk-based approach, such as the one outlined above, can help ensure that the company’s cybersecurity efforts are effective and comprehensive.
Stig Ravdal is the President & Founder of Ravdal, Inc., a leading cybersecurity strategy and solutions company. He is widely considered an expert in the field and is available for speaking engagements.