How can you create an effective cybersecurity strategy? There are many templates and plans that organisations can adopt, but the best place to start is by considering what the organisation values most and therefore needs to protect most.
For any security programme to be effective in addressing threats, an organisation must understand which of its data, personnel and systems are most valuable and most vulnerable, and where and how they are exposed. What are the key risks the business faces? While security plans are a useful way to check whether you are on track, each organisation is different, and emerging and evolving attacks may present risks that affect each one differently. Accordingly, a good security programme is tailored to the organisation’s specific needs.
In creating an optimised security programme, consider the following questions:
- What are the organisation’s high, medium and low-risk assets?
- What are the organisation’s high, medium and low-value assets?
- What is the organisation’s level of exposure, or in other words, what is the attack surface that a malicious actor can exploit?
- Are there any existing information security policies for these assets, and are they updated frequently to keep on top of new threats?
- Are there baseline security controls in place, such as strong authentication, vulnerability detection and timely patching?
- Is critical business infrastructure continuously monitored for attacks and new threats?
- What kind of data needs to be secured, by whom, how, and with whom is this data shared?
- Is the organisation compliant with security standards and regulations?
These questions may help you get started in building a cybersecurity strategy. Be sure to address strategic, operational and tactical objectives in the security programme. The programme itself must evolve to meet new threats, so revisit and revise the plan regularly. Consider bringing in Managed Security Service Providers (MSSPs) to share some of the effort.
Companies such as Sygnia help teams formulate a cybersecurity strategy or plan that is specific to achieving business objectives, with cybersecurity controls applied in the right context.