It turns out that answering this question is harder than it seems at first blush.
But there is no shortage of suggestions:
- Apply 100% of patch updates to open source software (homage to Equifax)
- Create new board level committee on cyber security (just like compensation or audit)
- Establish a baseline cyber security exposure measure
- Add cyber security responsibilities to your HR processes (job descriptions, on-boarding, training, performance reviews)
- Implement recovery and remediation processes in case of a breach
- Deploy edge security for early detection
A Difficult Question, It Is
For most business executives (and Yoda), the answer to this question is becoming increasingly complex.
The constant stream of new cybersecurity technologies and security acronyms (DLP, APT, GRC, EDR, EUBA, etc.) can be mind numbing to "mere mortals."
At the same time, good cybersecurity hygiene is a requirement in our digitally connected world. Threats are growing daily - from new IoT devices to employee and business partner exposures.
Last year was terrible for corporate victims of cyberattacks, with many large organizations making headlines over reports of major breaches. Ransomware attacks quadrupled to 4,000 per day from 2015 to 2016, according to the U.S. Department of Justice.
Where Do I Start?
While it's clear that cybersecurity needs to be more mainstream, many executives just don't know where to start.
Unfortunately this means that a high percentage of companies are not even taking the basic steps.
The top 10 external vulnerabilities accounted for nearly 52 percent of all identified external vulnerabilities. Thousands of other vulnerabilities account for the remaining 48 percent.
The top 10 internal vulnerabilities accounted for over 78 percent of all internal vulnerabilities during 2015. All 10 internal vulnerabilities are directly related to outdated patch levels on the target systems.
Start With Your Business Risks
Begin with your business goals and objectives.
Risks (not just cyber-related) can then be identified and prioritized based on business impact (revenue, expense, and profitability).
Risks should include events or activities that would prevent you from achieving your goals, as well as those that would increase the probability of achieving those same goals.
According to Allianz, the top three business risks are: 1) Business interruption (incl. supply chain disruption and vulnerability); 2) Market developments (volatility, intensified competition/new entrants, M&A, market stagnation, market fluctuation); and 3) Cyber incidents (cyber crime, IT failure, data breaches, etc.).
Identify and Prioritize Your IT and OT Risk
The list of possible IT/OT risks and opportunities is long and complex.
But your list does not need to be perfect. Just start somewhere.
What might be "newsworthy" may or may not actually be important or applicable to your business.
News flashes and sound bites are constantly calling our attention to the latest hacks or threats to our cybersecurity that seem to be filling our social media news feeds and television reporting circuits.
Baseline Your IT/OT Risk
There is no single right way to create such a list, nor to measure the risks on it.
Recently a cyber equivalent of a FICO credit score was proposed.
NIST has also published a framework to capture cybersecurity-related risk.
Focus on establishing a quantitative measure (e.g., the likelihood of the occurrence and the potential impact of such an event).
Even if such a measure is subjective, it will be invaluable in prioritizing.
Given your cybersecurity maturity, the level of precision will vary, so don't worry about it being perfect to start.
Creating and Implementing a Plan
Your analysis will likely have more than one prioritized action.
Pick just a few -- start small and get some wins under your belt.
Remember that cybersecurity is as much a management issue as a technology one.
No matter where you start, it's better than not starting at all.
Your plan can and should always be evolving.
KISS - Your Cybersecurity Priorities & Plan
- Start with a clear understanding of your business objectives.
- Identify potential risks.
- Prioritize a limited number of cybersecurity risks based on your IT/OT deployments.
- Design, deliver and manage a plan (people, process and technology).
- Wash, rinse and repeat.
May the force be with you.