A question I get asked a lot by CSOs/CISOs & IT Managers is “Lee, what should we be doing for Cyber Security next?”
Getting asked this question is both a blessing and a curse; it fills me with excitement and trepidation.
Why I am being asked the question gives a good indication of the best way to answer it.
Is it due to a data breach at the business or a competitor? Perhaps someone is starting a new role and looking to stamp their authority? Or maybe the board is demanding to know the current state of play, or to comply with mandatory regulations? Or is it good old-fashioned looking to gain competitive advantage and set out a long-term strategy?
The reason can make a big difference to the next steps. For me, the best reasons are being driven by the actual needs of the organisation and looking to set out a long-term strategy. This often leads to proper buy-in from all the senior stakeholders, including the board, and offers the best chance of putting together a security programme that delivers a high level of assurance and ROI.
Now, where to actually begin? This cannot be answered without knowing the starting position and the desired end state. Knowing the driving force often steers the end state.
For me it is good to know a few key starting points:
Is the business required to meet any sector-specific regulatory or compliance requirements, e.g. PCI DSS, FCA, PRA? This will often be the quickest win for getting buy-in from the board and getting budgets approved.
Does the business currently hold any security-related certifications, or work to any standards such as ISO 27001, Cyber Essentials, Ten Steps to Cyber Security (TSCS) etc.?
Is there an understanding of what data, services and equipment are being utilised by the business?
When was the last time any form of security assessment/testing took place?
What is the current level of security awareness within the business?
Are there any points of current concern?
What budget is available for the current project?
Knowledge of these gives an indication of the starting point and helps to formulate a strategy and identify some quick wins.
If there are no immediate regulatory or compliance drivers, and budgets are a concern, then I suggest looking at the Cyber Essentials scheme as a starting point for getting on the path to doing the right thing, security-wise. I would recommend using the services of a CREST Certification Body when going for this. Achieving certification via a CREST Certification Body requires technical verification via a vulnerability scan and validation of the internet-facing security controls, as well as completion of a Self-Assessment Questionnaire (SAQ). And, unlike the others, it is the only certification that is worth the paper it is written on (trust me, I’ve seen enough fudged SAQs to make Willy Wonka jealous!). This standard gives a solid baseline of cyber security, and when achieved the business attains a certification which can provide better assurance of its security to the organisation’s supply chain, for relatively little effort. Additionally, it is possible to map the requirements to more holistic and encompassing standards such as TSCS and ISO 27001, which assists in producing a foundational road map and improves ROI further.
To me, in an ideal world, a Business Impact Assessment and Gap Analysis against ISO 27001, producing a Risk Assessment report and a realistic road map, would be the best place to start. This standard takes information security to a whole new level and covers security across the entire organisation: people, processes and technology. It will assist in obtaining a greater understanding of critical assets, realistic risks, and the industry best practice available to address issues. It is, however, more intensive and requires effort from every department in the organisation, but it offers fantastic value for money if utilised and executed correctly, with the full buy-in of the budget holders going forward.
It is possible to test, assess and spend money until the cows come home when looking at cyber security. The main focus should be on getting the best bang for your buck, dealing with urgent risks, and understanding where you want to get to. Set realistic targets, and don’t go spending silly money if you don’t need to. Look at what is essential for the business to operate and what is achievable with current resources. Security can be an enabler for a company: it can open up business opportunities, as it becomes easier to demonstrate to potential partners and clients that they can place their business with you securely.
If you would like to discuss anything further, please get in touch.