
Key Points

  • Start your cybersecurity measures with your business first, not with technology in mind.
  • Adopt and adapt strategic frameworks. NIST is a great starting point, but it won’t do you any good if it is never customized to fit your needs.
  • Rollout should be done in phases. You’re not going to get all of your actionable items implemented at once; focus on mission-critical measures first.

How do you turn upper management’s goals into concrete cybersecurity measures?

For all the talk and pageantry, when it comes time to put rubber to the road, you need a plan. While you can certainly align your security team’s planning with your organization’s overall strategic goals, it isn’t quite as straightforward as you might think.

It takes a special individual to navigate upper management when it comes time to put an actionable cybersecurity plan in place. You don’t just need to understand the jargon behind what you’re talking about, but also be able to translate that into something that more closely aligns with what your organization’s leaders are expecting.

So, let’s take a look at how you can develop a solid plan that aligns with strategic vision while being grounded in reality.

The Groundfloor


Any cybersecurity measures don’t start with your department, but rather the entire business. You aren’t building a generic team meant for remediation, but rather a complete solution to safeguard assets and data. As such, you need to act accordingly and take some exhaustive steps to identify your next few actions.

Asset Inventory

A comprehensive asset inventory is a top priority. This isn’t just a handful of computers and servers, but rather a ranked list that is categorized based on how critical an asset is to your business’s operations. Assets should be classified as mission-critical, essential, and supporting. A prime example of this would be personal payment data from your customers, which is 100% mission-critical.

An example of a supporting asset would be something relatively minor, like a sales associate’s laptop. If it goes down, it isn’t going to directly impact your organization’s revenue, customer trust, or land anyone in legal hot water when it comes to violating compliance regulations.

Threat Modeling

It isn’t enough to just list the threats posed to your organization. When you get down to it, nearly every threat applies in some form to any business contemplating cybersecurity measures. Instead, you need to take stock of which threats are going to cause the most damage to your organization. Threat modeling should be done in the context of your organization’s industry. A ransomware attack isn’t likely to threaten a managed service provider’s business model, but it will bring a manufacturing firm to a grinding halt.

In other words, think about the threats and the damage they could cause in a hypothetical scenario.

Risk Quantification

Risk can be somewhat abstract when discussing cybersecurity measures. Frameworks like Factor Analysis of Information Risk (FAIR) help you estimate how much you can expect to lose over a year, expressed as an Annualized Loss Expectancy (ALE). This doesn’t just put a number on the risks posed to your organization; it also quantifies the impact they have on your bottom line. When the time comes, and it will, your upper brass is going to expect an ROI. Being able to show a greatly reduced ALE is only going to benefit your cybersecurity measures in the future.
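To make the ALE arithmetic concrete, here is an added example (not from the article, and not part of any FAIR tooling) that computes ALE as single loss expectancy times annualized rate of occurrence, ranks a set of risks by ALE, and works out the return on security investment (ROSI) for a control that lowers a risk’s rate of occurrence. All asset names, cost figures and occurrence rates are constructed for illustration.

```python
"""Annualized Loss Expectancy (ALE) and return on security investment.

ALE = SLE * ARO, where SLE (single loss expectancy) is the expected cost of one
occurrence and ARO (annualized rate of occurrence) is the expected number of
occurrences per year. ROSI = (ALE_before - ALE_after - control_cost) / control_cost.
All figures in this file are constructed examples, not real loss data.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    name: str
    tier: str   # mission-critical / essential / supporting (the article's classes)
    sle: float  # expected cost of one occurrence, in currency units
    aro: float  # expected occurrences per year

    @property
    def ale(self) -> float:
        """Expected loss per year attributable to this risk."""
        return self.sle * self.aro


def rank_by_ale(risks: List[Risk]) -> List[Risk]:
    """Highest expected annual loss first; the natural input to a prioritized list."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def rosi(risk: Risk, aro_after: float, annual_control_cost: float) -> Dict[str, float]:
    """ALE before and after a control that lowers ARO, plus the resulting ROSI.

    The control is assumed to reduce how often the loss event happens (ARO)
    while leaving the cost of a single event (SLE) unchanged.
    """
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    ale_before = risk.ale
    ale_after = risk.sle * aro_after
    savings = ale_before - ale_after
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_savings": savings,
        "rosi": (savings - annual_control_cost) / annual_control_cost,
    }


# Constructed risk register for a small e-commerce business (illustrative values).
RISKS = [
    Risk("Customer payment data breach", "mission-critical", sle=1_200_000, aro=0.10),
    Risk("Ransomware on ERP system", "mission-critical", sle=400_000, aro=0.25),
    Risk("Stolen sales laptop", "supporting", sle=5_000, aro=3.0),
]


def report() -> None:
    for r in rank_by_ale(RISKS):
        print(f"{r.name:32} {r.tier:17} ALE = {r.ale:>12,.0f}")
    # Hypothetical control: offline backups plus endpoint detection, costing 30,000/year,
    # assumed to cut the ransomware ARO from 0.25 to 0.05.
    result = rosi(RISKS[1], aro_after=0.05, annual_control_cost=30_000)
    print(f"Ransomware ALE {result['ale_before']:,.0f} -> {result['ale_after']:,.0f}, "
          f"ROSI = {result['rosi']:.0%}")


if __name__ == "__main__":
    report()
```

The ranking is what feeds a prioritized list for management, and the ROSI figure is the "ROI" the article says upper management will ask for: a control that costs 30,000 a year and removes 80,000 of expected annual loss returns roughly 167% on its cost.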

Strategic Frameworks

If you’re relatively new to the field, it’s important to note that you don’t just do a framework. Frameworks provide a foundation, and you will inevitably end up modifying them to serve the needs of your organization. As such, when looking at something like NIST, you don’t simply do NIST, but you’re looking at how it applies to your business when following each of the framework’s core functions.

Mapping to Business Objectives

There are five core functions at the heart of the NIST framework, and you’ll want to map these to controls that are going to directly impact your business’s cybersecurity measures. The functions are as follows:

  • Identify: Asset and risk management controls to directly support business continuity by placing priority on mission-critical items.
  • Protect: Access control and data encryption methods to maintain data integrity and confidentiality. This serves to enhance customer trust and your organization’s intellectual property.
  • Detect: Continuous monitoring and anomaly detection protocols can greatly reduce the time and scope of an attack. It allows your team to quickly respond and minimize potential damage, and make sure your digital infrastructure remains intact.
  • Respond: Communicating the current status and damage to internal stakeholders, external stakeholders, and law enforcement when required.
  • Recover: Restoring functionality and implementing fixes to get business continuity back on track. Recovery is timely, with the intention to reduce the overall impact of an incident.

Control Libraries

The NIST framework is going to have some high-level, somewhat generic recommendations for controls. You don’t have to use these, although they can serve as a great starting point for future cybersecurity measures. Instead, you’ll want to tailor your security controls to fit the needs of your organization. Further, each control will need to have an owner, a target state, and a defined KPI for future success.

Rollout


This is where the rubber meets the road. When starting to build actionable cybersecurity measures, you aren’t going to implement every single plan. Let’s face it, there likely isn’t room in the budget to accommodate everything on your wishlist. Instead, you need to temper your expectations, operating in a phased rollout to make the transitional period as seamless as possible.

Top 10 List

A top 10 list of the most critical items to implement before the end of the quarter is a fantastic means of getting the ball rolling. When translated into plain language, you’ve got the means to justify getting started on your cybersecurity measures. Your top 10 list should be a direct reflection of your risk assessment, with a focus on items that will have the most profound impact on your organization’s operations.

Celebrate Quick Wins

The early days of any cybersecurity measures are going to seem like a whole lot of nothing is happening, at least for your stakeholders. Quickly executing some high-impact, low-cost measures can help to build momentum and demonstrate the value of such decisions to the higher brass. You might consider something like a simulated social engineering attack on employees to show why there needs to be more exhaustive training measures.

Operational Integration

Any cybersecurity measures aren’t simple add-ons or plug-ins to your daily operations, but should be integrated as a natural part of your daily practices. Front-line employees should be aware of the risks present when interacting with suspicious links, and your security team should be training for future incident responses on a regular basis.

Monitoring and Communication


Any implementation of cybersecurity measures lives and dies based on two criteria: continuous monitoring and clear, effective communication. Failing to do both can see your department floundering, and planned future measures being snuffed out before they get started. Take the time now to establish a clear, transparent feedback loop that links your actions to your organization’s business outcomes.

Metrics and Analytics

It can be tempting to get stuck in the likes of security-focused metrics. These are fine for internal purposes, at least in your department. You’ll want to take a closer look at KPIs that more closely align with your organization’s strategic goals. Instead of focusing on something like vulnerabilities fixed as a KPI, focus on how it impacts your customer-facing servers. Know your audience, which is something that will bear repeating for the next couple of talking points.
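As an added illustration of the difference between a security-internal metric and a business-aligned KPI (example code written for this page, not from the article), the script below takes a constructed set of scanner findings, each tagged with the asset’s tier from the inventory, and computes both the raw "vulnerabilities fixed" count and two KPIs a business audience would care about: the share of customer-facing mission-critical assets currently carrying a critical or high finding past its remediation SLA, and mean days-to-fix per asset tier. Asset names, dates and SLA values are constructed assumptions.

```python
"""Security-internal metric vs. business-aligned KPIs over vulnerability findings.

Findings are tuples (asset, severity, opened, closed_or_None). Assets carry the
tier from the asset inventory. Everything below is constructed sample data.
"""
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, date, Optional[date]]

# Constructed asset inventory, tiered the way the article suggests.
ASSETS: Dict[str, Dict[str, object]] = {
    "web-checkout-01": {"tier": "mission-critical", "customer_facing": True},
    "web-checkout-02": {"tier": "mission-critical", "customer_facing": True},
    "erp-db-01": {"tier": "mission-critical", "customer_facing": False},
    "hr-portal": {"tier": "essential", "customer_facing": False},
    "sales-laptop-17": {"tier": "supporting", "customer_facing": False},
}

# Constructed scanner findings: (asset, severity, opened, closed or None if still open).
FINDINGS: List[Finding] = [
    ("web-checkout-01", "critical", date(2024, 3, 1), date(2024, 3, 4)),
    ("web-checkout-02", "high", date(2024, 3, 2), None),  # still open
    ("erp-db-01", "critical", date(2024, 2, 20), date(2024, 3, 10)),
    ("hr-portal", "medium", date(2024, 3, 5), date(2024, 3, 6)),
    ("sales-laptop-17", "low", date(2024, 3, 1), date(2024, 3, 2)),
    ("sales-laptop-17", "high", date(2024, 3, 3), date(2024, 3, 5)),
]

# Assumed remediation SLAs in days, by severity.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


def vulns_fixed(findings: List[Finding]) -> int:
    """The internal metric: how many findings have been closed. Says nothing about impact."""
    return sum(1 for _, _, _, closed in findings if closed is not None)


def customer_facing_exposure(findings: List[Finding],
                             assets: Dict[str, Dict[str, object]],
                             today: date) -> float:
    """Business KPI: fraction of customer-facing mission-critical assets that
    currently carry a critical/high finding older than its SLA."""
    scope = {a for a, m in assets.items()
             if m["customer_facing"] and m["tier"] == "mission-critical"}
    breached = set()
    for asset, sev, opened, closed in findings:
        if asset not in scope or closed is not None or sev not in ("critical", "high"):
            continue
        if (today - opened).days > SLA_DAYS[sev]:
            breached.add(asset)
    return len(breached) / len(scope) if scope else 0.0


def mean_days_to_fix_by_tier(findings: List[Finding],
                             assets: Dict[str, Dict[str, object]]) -> Dict[str, float]:
    """Business KPI: average remediation time per asset tier, closed findings only.
    Shows whether mission-critical assets really get fixed first."""
    buckets: Dict[str, List[int]] = {}
    for asset, _, opened, closed in findings:
        if closed is None:
            continue
        tier = str(assets[asset]["tier"])
        buckets.setdefault(tier, []).append((closed - opened).days)
    return {tier: mean(days) for tier, days in buckets.items()}


if __name__ == "__main__":
    today = date(2024, 3, 25)
    print("vulnerabilities fixed:", vulns_fixed(FINDINGS))
    print("customer-facing critical exposure:",
          f"{customer_facing_exposure(FINDINGS, ASSETS, today):.0%}")
    print("mean days to fix by tier:", mean_days_to_fix_by_tier(FINDINGS, ASSETS))
```

In this sample, "five vulnerabilities fixed" sounds fine, while the business view shows that half of the customer-facing checkout hosts have a high-severity finding past its SLA and that mission-critical assets are on average fixed more slowly than supporting ones. That is the gap the article is pointing at.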

Communicating to Higher Brass

It can be hard to justify your cybersecurity measures to upper management, especially when you consider that it is a specialized field. That’s why I’d recommend building a dashboard that is tailored for your upper management personnel. It could include a visual map of your organization’s security posture, the most significant risks and the steps being taken to remediate them, and how you’re providing an ROI by protecting specific business assets or reducing losses.

Regular, Proactive Communication

If you’re talking about a breach as it is happening, then you’ve already failed. Instead, communication should be done regularly. Keep the upper brass aware of your cybersecurity measures’ progress, celebrate successes, and pull in relevant examples that show the importance of security in the workplace.

Other Useful Tools and Concepts

Ready to start your work week right? You might want to take a look at how Agile can help you home in on customer value. Agile is typically thought of as a software-only methodology, but it can be readily applied to just about every aspect of a business you can imagine.

Additionally, you might want to take a closer look at how Lean and Agile can bolster your cybersecurity operations. With the framework and game plan in place that we’ve covered today, a hybrid approach can only bolster your hardened infrastructure while allowing for rapid, effective remediation.

Conclusion

Taking abstract vision and translating it into actionable measures isn’t for the faint of heart. However, my hope is that you come away from today’s discussion with a concrete idea of your next steps. Cybersecurity isn’t just for the tech-savvy, but for every business. Get your measures in place now, before it’s too late.
