Middle market company executives typically agree that it is necessary to better secure their information and tighten up cyber security defenses. However, many are unsure about which approach is best to take. Is it an IT initiative? Could periodic training help? Should there be independent
All of the above are applicable, but they need to be assembled into a well thought out process that can serve as a comprehensive information and cyber security program. Instead of spending time and effort on a number of disparate initiatives, you can get the most return on your investment by establishing an integrated set of activities within a cyber and information security program that’s based on proven methodologies.
The framework published by NIST (the National Institute of Standards and Technology) has emerged as the leading cyber security methodology in the industry, and you can leverage its key elements to devise an effective program in your organization. NIST recommends a continuous series of efforts broken into distinct phases: assessing risks, remediating weaknesses, ongoing management, and validating defenses.
- Assessing risks is accomplished by conducting periodic risk assessments to identify potential gaps. Risk assessments come in different flavors, ranging from technical vulnerability scans of various computing devices to detailed reviews of information management and user computing policies and procedures. Risk assessments are an essential first step in identifying weaknesses and developing a remediation roadmap.
- Remediation efforts should be planned in a way that best addresses criticality and the availability of resources in the organization. Weaknesses generally fall into several potential categories, ranging from critical to high, medium, and low. Critical weaknesses should be addressed as soon as possible. The others must be built into an ongoing plan based on resource availability and priorities. Weaknesses also range in areas from underlying IT systems to educating users on acceptable information and cyber use practices.
- Managing risks is the ongoing process of monitoring potential threats, reviewing IT and business decisions for their potential cyber and information security risks, and ensuring continuous mechanisms are in place. One of the most effective elements of minimizing risks on an ongoing basis is to provide periodic cyber training to employees, which ensures that a security awareness culture is established and maintained.
- Validating defenses is based on the “trust but verify” concept of ensuring earlier remediation efforts have been effective by testing existing capabilities and questioning assumptions. Validation efforts can include penetration testing (activities focused on breaking into systems) or cyber game exercises (tabletop simulations of a cyber breach). These exercises can help you learn more about potential weaknesses and improve earlier remediation efforts.
Your organization will be able to achieve the most from its information and cyber security efforts by following a proven methodology such as NIST to create an ongoing prevention system that is tightly aligned with IT and business resources and objectives. This framework can also be easily tweaked to address the needs of specialized industries such as finance, healthcare, or defense, as they all share the same core components. Having an active cyber readiness program in place will reduce the chances of system breaches, and, if an incident does occur, you will be better prepared to respond.