It’s Not Just Cybersecurity Management
Two takeaways from an explosion of cybersecurity chaos are:
We continue to spend on and expand the markets for cybersecurity technologies, yet the causes of the breaches increasingly point to a set of people/process vulnerabilities rather than technological exposures.
If someone just dropped in from Mars, they might wonder why we spend so much on technology and virtually nothing on the root causes of attacks. My experience in Managed Security Services says that most companies today lack any sort of thoughtful strategy for defense against cyber attacks and have never bothered to create even a basic Risk Management Framework.
The Best Place to Start
While this is not rocket science, it seems that companies without a formal, or even a designated, CISO claim that they don’t know where to begin. Like most other apparently complicated problems, the best place to start is with a list and guideline (aka a Risk Management Framework), like the current, revised version available free to anyone from NIST (the U.S. National Institute of Standards and Technology).
This particular framework provides a disciplined and structured process that integrates risk management activities into your system development life cycle and enables your executives to make better and more informed decisions. Making better risk decisions involves understanding what your information assets are and where they reside, the costs to protect them and to defend against a breach, and the degree to which you are willing or able to accept varying levels of risk.