How would you describe your organisation’s level of cybersecurity maturity or readiness?
Do you have a cybersecurity strategy? Does your senior management team, or board, have cybersecurity on their agenda?
Cybersecurity is an on-going process that relies on an all-of-organisation approach to create layers of protection. Enterprise IT will remain a key stakeholder, but can no longer be the only cybersecurity policy owner.
To put this into perspective, companies invest millions of dollars in backups and disaster recovery programs because they know the crippling cost of an extended outage or data loss. However, too often these organisations don’t invest the same in cybersecurity despite the real potential of the same catastrophic outcome.
As a result, a cybersecurity framework has become an essential tool for organisations as they come to grips with where they are today, and where they need to be to protect their business.
If you don’t already have a cybersecurity framework, a quick search throws up many options of varying levels of quality, detail, and ease of implementation. The challenge is then finding the right one for your business and applying it.
Cisco have produced their own Cybersecurity Management Framework which is a comprehensive, best practice guide to implementing a cybersecurity management program. Even if your business already has a framework in place, it can be a useful comparison to highlight gaps in your own framework, or simply give you peace of mind about your existing approach.
The comprehensive nature of this framework, though, may make it difficult for some companies that are just starting out. Honestly, it can look a bit overwhelming for those that are new to cybersecurity, and some can find it hard to get started.
In our experience, keeping things simpler at first – adopting a more agile approach to developing your own cybersecurity program – will allow you to start small, with achievable results, and then refine your approach over time.
With this in mind, at our recent JuiceIT conference, Major General Stephen Day (former head of the federal government’s Australian Cybersecurity Centre in Canberra) delivered a keynote on cybersecurity. During his presentation, Day talked about a radical change that made the biggest impact on his own organisation’s cybersecurity program, and that is equally applicable to any organisation.
This approach is based on changing the way organisations think about cybersecurity – moving away from a set of products owned by Enterprise IT, to a cultural approach owned by the organisation’s executive management.
In Day’s view, the most important consideration in any cybersecurity program is the way cybersecurity is explained and communicated throughout an organisation.
After all, the best security products and services in the world still can’t protect your business from staff that click on suspicious emails, use the same password on many different systems, or even worse, continue using weak passwords.
When it comes to communication, the IT team often aren’t the best people to communicate such a technical topic to a non-technical audience. During his keynote, Day went on to explain how he gave up technical positions from his cybersecurity team and replaced them with communications experts to translate this technical topic into plain, understandable language.
Once the messaging was created, his team brought marketing professionals on-board to run awareness campaigns throughout the organisation to ensure everyone understood the role they played, no matter how small, within the organisation’s cybersecurity program.
Relating this back to the Cisco CMF: its conclusion lists 10 key success factors for any cybersecurity program, and number 10 is exactly this:
Dedicate time and effort to develop consistent, congruent and easily understood documentation that clearly describes the what, why, when, where, how, and who is responsible for every action required by the program.
In the end, people are typically the weakest link in the cybersecurity chain. Set the right culture, educate your people, and everything else will follow.