Updated: Feb 11, 2020
Here we are, towards the end of the first month of the New Year 2020, with fresh perspectives and new goals. Was part of this setting up (or revisiting) your Cyber Security Strategy to protect your assets, reputation, intellectual property (IP), staff and customers?
When you read about how to define a cyber security strategy, you find many different, highly detailed How-To guides, which can put people off starting at all. If you already have a Cyber Security Strategy, did you revisit it to check whether it needs tweaks?
Here are four key areas to focus on to see where you are and set some goals. Start simple and move forward from there.
1. Take Stock of What You Have
Take stock of what you already have, and prioritize the resources available to you, including your security budget. There is a tendency to over-invest in security technology, particularly whenever it is "the" shiniest solution of the moment, and often it is never fully implemented or operationalized. Check each tool you own: is it deployed everywhere it should be, tuned, and actually monitored? Ask whether you can get more value out of what your security program already offers before spending a lot more money.
2. Back Burn Your Environment
Back burning, or 'hazard reduction burning' as it is now sometimes called, is a concept from forest fire management: small fires are started intentionally to reduce the amount of fuel available to a real, uncontrolled fire. [But you already knew what back burning is.]
The parallel here is 'back burning' your data environment. Organizations keep massive amounts of data they don't need. Often the data has no owner, is out of date, or sits in antiquated systems that are no longer patched or supported. All of this is fuel for a data breach: you cannot lose what you do not hold, and you cannot be compelled to notify anyone about it. By "back burning" your environment you review what you have in place, determine whether a legal or regulatory requirement obliges you to keep it, and then get rid of the data that presents an exposure without any real benefit to you. You reduce the 'hazard' of that data being breached simply by no longer holding it.
3. Re-focus on What’s Important
Security is a massive field. Once an organization has gone through the exercise above, the next logical question is, "Of what's left, what is most important to secure?" If you have limited resources, make sure you apply them to the areas that matter most. An easy way to get started is to make a list of everything within your business that you think is worth protecting: your hardware, software and applications, and the data they hold. Note down the make, model and serial number of all equipment you have, including mobile devices. Also include things that are outside your business but essential to it, such as cloud applications and devices, since an asset you cannot name is an asset you cannot defend.
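Sections 2 and 3 describe a decision procedure: inventory your data stores, keep what a retention obligation requires, review what has no owner, delete what is stale and unrequired, and rank what remains by how much exposure it represents. The script below is an added example, not code from the original post; it runs that procedure over a small constructed inventory. The field names, the `stale_days` threshold, the sensitivity scale and the exposure scoring are all assumptions chosen for illustration, and the dates are evaluated against a fixed `TODAY` so the result is reproducible.

```python
"""Data-retention triage over a constructed inventory (added example)."""
import math
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Fixed reference date so the triage below is reproducible (assumption).
TODAY = date(2020, 2, 11)


@dataclass
class DataStore:
    name: str
    owner: Optional[str]          # None means nobody has claimed this data
    created: date
    last_accessed: date
    records: int
    sensitivity: int              # assumed scale: 1 (public) .. 4 (regulated PII/financial)
    retention_days: Optional[int] # legal/regulatory minimum retention, None if no obligation
    supported: bool               # False for antiquated/unpatched platforms


def triage(store: DataStore, today: date = TODAY, stale_days: int = 365) -> Tuple[str, str]:
    """Return (decision, reason) where decision is 'keep', 'review' or 'delete'."""
    # 1. A retention obligation wins over everything else: never delete inside the window.
    if store.retention_days is not None:
        retain_until = store.created + timedelta(days=store.retention_days)
        if today < retain_until:
            return "keep", f"retention required until {retain_until.isoformat()}"
    # 2. Unowned data cannot be authorised for deletion, nor vouched for as needed.
    if store.owner is None:
        return "review", "no owner; assign one before deciding"
    # 3. Stale data with no (remaining) obligation is pure exposure: delete it.
    idle = (today - store.last_accessed).days
    if idle > stale_days:
        return "delete", f"not accessed for {idle} days and no retention obligation"
    return "keep", "in active use"


def exposure_score(store: DataStore) -> float:
    """Rough breach-impact score (assumed formula): sensitivity scaled by record volume,
    plus a penalty for data sitting on an unsupported platform."""
    volume = math.log10(max(store.records, 1))
    return store.sensitivity * volume + (2.0 if not store.supported else 0.0)


def summarize(stores: List[DataStore], today: date = TODAY) -> Dict[str, List[str]]:
    """Group store names by triage decision, preserving inventory order."""
    result: Dict[str, List[str]] = {"keep": [], "review": [], "delete": []}
    for s in stores:
        decision, _ = triage(s, today)
        result[decision].append(s.name)
    return result


def prioritize(stores: List[DataStore], today: date = TODAY) -> List[str]:
    """Names of the stores you are keeping, highest exposure first: this is where
    limited security resources should go."""
    kept = [s for s in stores if triage(s, today)[0] == "keep"]
    return [s.name for s in sorted(kept, key=exposure_score, reverse=True)]


# Constructed sample inventory (not real systems).
INVENTORY = [
    DataStore("hr-payroll-2015", "finance", date(2015, 1, 15), date(2019, 12, 1),
              3_000, 4, 7 * 365, True),                       # inside retention window
    DataStore("marketing-leads-2012", None, date(2012, 3, 1), date(2013, 6, 1),
              120_000, 3, None, False),                       # orphaned, stale
    DataStore("crm-prod", "sales", date(2018, 5, 1), date(2020, 2, 10),
              5_000, 3, None, True),                          # actively used
    DataStore("legacy-support-tickets", "it", date(2010, 4, 1), date(2017, 8, 20),
              800_000, 2, None, False),                       # stale, no obligation
    DataStore("invoices-2011", "finance", date(2011, 1, 1), date(2012, 1, 1),
              20_000, 3, 7 * 365, True),                      # retention window has expired
]

if __name__ == "__main__":
    for s in INVENTORY:
        decision, reason = triage(s)
        print(f"{s.name:25} {decision:7} {reason}")
    print("focus on:", prioritize(INVENTORY))
```

Note the ordering of the checks: the legal hold is tested before ownership or staleness, so an orphaned store under an active retention obligation is kept rather than deleted, and an expired obligation (invoices-2011) drops through to the staleness test instead of being kept forever. Unowned data goes to a review queue rather than being deleted outright, because nobody is in a position to authorize the deletion until an owner exists.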
4. Have a Clear Vision of Gaps and Risks
Identify your threats and vulnerabilities, including your people, who are often the weakest link in security. Define each risk and decide what level of risk is acceptable to the business. From that, outline the objectives for the security activities that follow, so that every activity traces back to a risk you chose to reduce.
How to get there:
Marilyn Sousa, CISA, CISM
Senior Cyber Security Engineer