How to Build a Winning Cybersecurity Program


By: Cliff Neve, COO, MAD Security

As a consultant I have had the opportunity to evaluate hundreds of organizations’ cybersecurity programs, which span the gamut from nearly non-existent to robust. The successful programs generally share very similar characteristics, which are addressed in an actionable, step-by-step manner below.

Step 1: Gain Executive Buy-In and Assign Responsibility

Winning organizations have top-level support from senior leaders who understand the importance of cybersecurity, integrate cybersecurity risks with other business risks, and empower an individual in writing – and in reality – with the authority, responsibility, and resources to manage the cybersecurity program. Every successful cybersecurity program I have seen has a strong champion clearly designated and empowered to lead the program. Unsuccessful programs, on the other hand, typically have fragmented or unclear lines of authority, represented by fiefdoms that result in destructive power struggles and ad hoc, chaotic behavior.

Step 2: Conduct a Business Impact Analysis and Establish a Data Classification Guide

The reason for investing in cybersecurity is to enable the organizational mission and protect organizational assets, so it is imperative to begin by documenting business functions and their requirements for system availability and data protection. For instance, an organization may have high-availability requirements for medical systems, 911 call centers, or bridge controllers, where availability trumps confidentiality and integrity. In an HR system, on the other hand, confidentiality might overshadow the need for availability, so if there were a potential compromise, it would likely be the better decision to disconnect the system from the network rather than risk data exfiltration. By assessing all requirements for information and information systems in...