Organizations of all sizes and across every industry implement cybersecurity programs to protect the assets that, if compromised, would harm the company's customers, reputation, and future. Theft of valuable corporate data is a lucrative business for cybercriminals. Although cybercrime is nothing new, attackers keep getting more capable and more creative, and the volume of valuable corporate data exposed to them keeps growing. To reduce this risk, more organizations are expanding their cybersecurity programs to protect the confidentiality, integrity, and availability of their digital assets. The motives for building a cybersecurity program vary from business to business, but they usually align with the three drivers of the CIA triad, including:
Many businesses maintain a cybersecurity program because regulation requires it, and a single company may be subject to one or more such mandates, including:
The examples above are only a small fraction of the cybersecurity-related regulations that can apply to a business. A common objective across nearly every regulation is to reduce the risk of a data breach through a well-orchestrated and effective cybersecurity program.
Cybersecurity professionals recommend that everyone across a business play a role in protecting corporate data: corporate boards and executives define cybersecurity strategy and priorities, management teams deliver the corporate cybersecurity objectives, and staff implement and follow the defined cybersecurity policies and procedures. Security professionals also recommend that cybersecurity programs use both internal and external auditors, so that the business periodically reviews the effectiveness of its security program. Finally, a cybersecurity program should extend beyond the corporate IT boundary to include oversight of any external company or service provider (e.g., an MSP or a SaaS/IaaS/PaaS cloud provider) that processes sensitive corporate data.
Determining which systems need protection is an essential component of any cybersecurity program. Organizations must continuously evaluate the risk of compromise across all networked systems. Not all systems and data are created equal, so it is imperative to introduce a well-defined risk assessment process that aligns protection priorities with the business value of the data each system processes. In many cases, organizations must protect specific systems because of contractual obligations or regulatory mandates. For example, PCI DSS applies a broad range of cybersecurity controls to "all entities that store, process or transmit cardholder data." Similarly, the HIPAA Security Rule requires "appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information" (ePHI).
This kind of effort can seem daunting: it requires an accurate inventory of every system, the applications that run on each system, the information each system stores or processes, and the risk that this information is compromised. Organizations must also estimate the costs they would incur in the event of a harmful incident, including:
Organizations must have a strong, well-executed risk assessment process for all networked systems so that prioritized security measures can be defined and implemented effectively.
Organizations must determine for themselves when to implement a cybersecurity program. Any organization with contractual or legal cybersecurity obligations should already have one in place. The size and type of a company, together with the risk it faces from data compromise, strongly influence the breadth and depth of the program it should implement. The worst thing any company, large or small, can do is ignore its cyber risks. Smaller companies, even when their exposure is smaller, should still develop and implement an appropriate cybersecurity program. In many cases, smaller companies carry the same regulatory or contractual burden as larger ones; in fact, many smaller companies that hold contracts with larger companies are now obligated to have a proper cybersecurity program in place.
Organizations of all sizes are beginning to require their service providers to demonstrate their security program through a SOC 2 attestation report, which is issued by an independent CPA firm against the AICPA Trust Services Criteria (formerly the Trust Services Principles and Criteria). Note that SOC 2 is an attestation, not a certification: the report describes the auditor's opinion on the controls in scope for the period examined. Regardless of company size, organizations are recognizing that the cybersecurity concerns of customers and partners can become a barrier to sales. To avoid this, organizations must ask the fundamental question: "what is the potential impact of a breach of our systems or of our service providers' systems?" For many companies the impact can be catastrophic, including significant fines, operational downtime, and recovery expenses, so every business should weigh the gravity of such an event before building its security program.
Cybersecurity risk should be prioritized holistically and in conjunction with a broader enterprise risk management (ERM) program. Program priorities will vary from company to company based on individual corporate requirements; for example, the risk priorities of a manufacturing company will differ considerably from those of a retailer. Organizations that are serious about reducing enterprise risk should adopt a risk management framework, such as COSO ERM or the NIST Risk Management Framework (NIST SP 800-37), to manage the process of identifying, prioritizing, and addressing risk. A risk management framework provides a disciplined process for each system, including:
Many information security professionals agree that an effective information security program must be built from a broad range of people, processes, and technology. This concept is a foundation of ISO/IEC 27001, the information security management system (ISMS) standard adopted by many organizations. Further industry guidance recommends that security programs be built on multiple lines of cyber defense across the entire organization, as advocated by organizations such as ISACA. ISACA recommends the following three lines of cyber defense:
Over the last few years, cyber insurance has emerged as a recommended last line of defense for some businesses. Insurance transfers part of the financial impact of an incident; it does not reduce the likelihood of one, and insurers increasingly condition coverage on the controls described above being in place.
These lines of defense must meet the industry or government regulatory requirements that businesses must adhere to.
Everyone in an organization is a stakeholder in cybersecurity, and an effective cybersecurity program also requires a broad range of knowledgeable cybersecurity professionals. Unfortunately, there is a worldwide shortage of such professionals, and many organizations use outsourced cybersecurity and compliance services to close the skills gap. The people who should or may be involved in a cybersecurity program include:
Every organization must determine what cybersecurity processes are appropriate for its business. In some industries, the processes that an organization must implement are guided by industry or federal regulations. Multiple process options are available to organizations from public cybersecurity resources including:
Organizations that are serious about cybersecurity will have written policies that can be continually reviewed and improved as the cybersecurity needs of the organization change over time.
An organization must determine the security controls that are most appropriate for its business and that align with any specific regulatory burdens. Although the universe of potential security controls is large, the Center for Internet Security (CIS) Critical Security Controls provide a recommended, prioritized set of cybersecurity controls. CIS recommends that any company concerned about cybersecurity should at least address its top six control areas (in CIS Controls v8 the equivalent starting point is Implementation Group 1), including the:
No security-conscious company should overlook the importance of security awareness training across the organization. Research from PwC (PricewaterhouseCoopers) has shown that companies with security awareness training programs suffer lower losses from a breach than companies without one. The types of training programs an organization should consider include:
Finally, every security program should consider specific testing programs to minimize risk wherever and whenever possible, including:
Any business that has concerns about risks to the confidentiality, integrity, and availability of its data should implement a cybersecurity program. There is a great deal of industry and regulatory guidance on what a security program must include. Industry professionals agree that an effective cybersecurity program requires the executive team to set program priorities and objectives that give everyone in the business a defined role. Important considerations when building a program include which systems it should protect, which internal and external resources take part in protecting them, which technical controls should be in place, and how to audit the program to keep it effective. Organizations should employ highly qualified cybersecurity professionals, whether on staff or provided by a third party. Finally, organizations should manage cyber risk as part of a broader enterprise risk management objective, so that all cyber business requirements are met, including internal governance and external regulatory compliance.