Destination Unknown – Cybersecurity without a defined objective is a path to disaster
Let’s start this cybersecurity discussion by taking a little vacation – or at least pretend to take a vacation. Before going on vacation, people usually plan for the trip ahead of time.
Scenario 1: Planning for a vacation.
When planning a vacation, most people take the following steps:
Determine the budget.
Choose the destination.
Decide when to go on vacation (busy season, hot, cold, vacation days available at work, etc.).
Decide where to stay (choose hotel, condo, Airbnb, etc.).
Choose mode of transportation (plane, car, boat, etc.).
Book flights, rent car, plan your driving route, etc.
Book babysitter, dog sitter, house sitter, etc.
Plan activities while on vacation.
Begin the journey to the destination.
Arrive at the destination.
All the above has a cost element to be considered, which can cause the vacation plans to change. Ideally, a budget would be created at the beginning of the process to help with planning the vacation and determining what is and is not doable. Although, a budget should be the first step in the planning process, people oftentimes choose a desired destination, and then adjust the budget accordingly.
Another important step when planning a vacation, is to do enough research to make informed decisions and properly budget for each part of the plan, especially if traveling to a new destination. People will often turn to friends and/or family for suggestions and input when planning a vacation, but friends and family may not be able to give the best advice. For example, how could they recommend a hotel if they’ve never been to the destination?
Therefore, it’s also important to utilize outside resources for information and contact experts who are able provide information on destinations, price, pros and cons, hotels, activities, etc. The hard part is knowing who to trust. Some “experts” are more concerned with selling certain products or services even if they may not be the best option. So, it’s usually a good idea to gather information from various people and resources before making informed decisions.
If the same logic is applied to businesses when choosing cybersecurity solutions, it reveals a dangerous tendency.
Scenario 2: Choosing and implementing the best solution and level of cybersecurity
When planning for cybersecurity implementation, business leaders should take several steps:
Determine the budget.
Choose the level of security needed for the business.
Analyze each security element to understand what it does and doesn’t do.
Based on the analysis, determine the priority and order for implementing each element.
Determine who will be responsible for assessing the solution options.
Decide when to begin implementing the security solutions.
Decide who will be involved in the implementation process.
Plan the implementation process and any impact to the business (downtime, users, etc.).
Ensure all relevant parties have been informed, then begin implementation.
Implement the solution and test (sometime in phases or using pilot groups).
Complete implementation and make the necessary adjustments.
Conduct a post-review of the project to determine areas for future improvement.
Planning a Vacation vs. Planning Cybersecurity Implementation
While planning a vacation can be challenging, it is exponentially more difficult to plan and implement cybersecurity.
When planning a trip, people usually have some sense of what the budget should be or at least know what they can and cannot spend. Most businesses don’t even have a budget for cybersecurity, so there’s no starting point. In fact, most companies don’t even have an IT budget, so they certainly don’t have a security budget.
While understanding the purpose for each part of a trip, the reason for it, and pros and cons is relatively easy, understanding the different levels of cybersecurity is not easy at all. Due to the technical nature and the complexity of cybersecurity, it’s difficult to educate CEO’s (buyers) on the different levels of cybersecurity. Translating technology and then articulating the risk/value can be extremely challenging.
Also, like the “experts” people may consult when planning a vacation, many “cybersecurity experts” try to sell solutions to businesses that may not be the appropriate solutions and/or security level. In addition, many IT professionals don’t know how to implement or even determine the best security solutions.
Start with Communication
CEO’s and C-level executives:
Cybersecurity is extremely complex, so it’s always wise to consult with multiple experts during the planning and implementation process.
When in doubt, ask: If you need more clarification, ask questions until you understand. Ask your IT resources to use analogies or imagery to help you understand.
Stay as involved as you possibly can before, during and after the implementation process.
If you are an IT professional:
Before drowning the CEO with cybersecurity jargon, find a way to communicate and educate in terms that the management team can understand: Like the “vacation scenario”, try using analogies, imagery, etc. to explain technology.
Don’t be afraid to seek advice from external resources and/or other IT professionals. Technology is complex, and constantly evolving. So, it’s impossible to have all the answers.
Effective and consistent communication is imperative for businesses to appropriately address technology and cybersecurity risks.
The following provides ways to help overcome this challenge in order to effectively plan and implement cybersecurity:
Define, Determine and Decide
As the diagram below illustrates, there are various levels of cybersecurity.
Step 1. Define and understand each level.
Because it includes technical jargon, this diagram may need to be explained in a way that business management and users can understand.
Step 2. Determine what level of security the company currently has.
None, Basic, Advance or Comprehensive
Step 3. Decide on which security level to target during implementation.
Keep in mind that it takes time and money for a company to start from “None” and move directly to “Advanced”. So, when trying to decide on a level, remember 80% of all security incidents are due to employees. When in doubt, start with solutions that will address employee driven risks for prevention – AV, training, email ATP.
Step 4. Implement, monitor and communicate
· Once the desired level is agreed upon, begin implementation and continue to monitor and communicate the current state of risk as the company progresses towards the desired cybersecurity level.
· Using a simple diagram, like the one below, is a helpful tool to use when explaining the progress of implementation to management.
This diagram illustrates an example of an organization that has a “Yellow risk level” while also showing what has been completed and what has not.
Step 5. Update management on an ongoing basis
Once a communication method is in place, it’s important to update management on the cybersecurity status on an ongoing basis. The diagram below is another example of a helpful communication tool to use when explaining the cybersecurity status to management.
Embrace the journey! Effective cybersecurity management never ends. Therefore, if security solutions and levels are not proactively monitored, the risk level can move from Yellow to Green and then back down to Red. Firewall failure, equipment beyond end-of-life, anti-virus expiration, etc. can cause immediate changes in risk levels.
Cybersecurity is about continuously mitigating risk and keeping businesses from going out of business. But, in order to successfully mitigate risk, a disconnect between management and IT cannot exist. The IT industry continues to struggle with effective communication – especially when it comes to cybersecurity. Because of this, over 58% of all cyberattacks target small to mid-sized businesses and over 60% of businesses that are hit with a cyberattack go out of business.
Albert Einstein defined insanity as doing the same thing over and over again and expecting different results. It’s time for the technology industry to stop the insanity of ineffective and/or complete lack of communication with business owners and executives about cybersecurity. It’s important to take a step back to understand the ‘why’ then work on the ‘what’. Create a communication method that works for the business, then begin focus on the ‘how’ and ‘when’ to take the appropriate action.