With the record number of cyberattacks making national news, cybersecurity is top-of-mind for many business executives—but an effective cybersecurity strategy involves more than just awareness of possible threats. It’s important that your organization is prepared for the inevitability of facing cyberthreats.
Sun Tzu had a saying that goes something like this: “The person who wins the battle makes many calculations before the battle is fought. The person who loses makes but few calculations beforehand.” As you build your cybersecurity strategy, focus not only on being aware of threats that can affect your business continuity, but also on being ready to take action when an incident occurs—because in today’s business world, it’s not a question of if you might incur an incident, but rather when it occurs, what steps will you take to mitigate the loss as much as possible? Have you considered regulations and compliance measures to mitigate the loss of business revenue, reputation, and survival?
When you fail to plan, plan to fail.
Tip #1: Establish an Enterprise Risk Management Methodology
Establishing an Enterprise Risk Management structure throughout your company—starting with executive buy-in—will allow for a successful deployment. The COVID pandemic has reaffirmed the case for an efficient risk methodology that protects company assets, processes, response programs, and overall assets and goals. Enterprise Risk Management allows your team members to understand proactive measures that are required company-wide.
Ensuring that your security program is consistent with your overall business strategy is key. The Committee of Sponsoring Organizations (COSO) recommends eight steps for creating a successful plan:
- The internal environment establishes the tone of the organization, influencing risk appetite, attitudes towards risk management, and company values
- Objective setting, including all business units and their priorities
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information and communication
- Monitoring of both safeguards and critical assets
Tip #2: Adopt a Framework Suitable for Your Business
It’s imperative that you adopt a framework that works for your company based on your mission, goals, and overall industry. Ensure that compliance measures are mapped to a framework that will elevate your security and data privacy. Understanding your company and its industry requirements, responsibilities, and accountabilities will allow for a succinct security strategy.
For example, the healthcare industry is subject to HIPAA requirements—including security, privacy, and notification—that must be shown to be part of the strategy. As compliance does not equal security or privacy, a proper framework mapping to regulations is recommended. These could include the NIST-CSF or 800-053, ISO 27001, and CIS-18 or COBIT frameworks that map very well to your specific requirements.
As compliance allows for regulatory requirements, we also need to focus on asset protection and information privacy. Critical asset protection and information handling are 80% of proper security hygiene. Do you have the right framework in place to provide data handling measures? The collection, transmission, storage, and disposal of critical customer/patient data also needs to be documented properly to ensure a successful audit engagement.