Following in her older brother’s footsteps, my 12-year-old daughter took her turn on a recent Saturday when she had her Bat Mitzvah.
She chanted from the Torah (in Hebrew, without vowels, thank you very much) and gave a speech on the meaning of her Torah portion (okay, that part was in English). She did it all beautifully and we were extremely proud of her.
Mrs. Black, an accomplished event planner, oversaw a picture-perfect weekend of elegant meals, well-executed parties, and flawless guest management. From start to finish, she made sure everyone — friends, family, even the vendors — had an amazing time.
There was also a lot to be done prior to the event itself: speech preparation, a photo slide show, vendor management, and more. Over the past couple of months, we both felt like we had a second full-time job.
Now that the weekend has come and gone (and both our children are technically “adults”), the household energy has dropped considerably. Sure, we still need to review photos, pay bills, and send thank-you notes. But without a firm deadline to meet, the immediate urgency has passed.
So what does the Black family do having completed its goal? Set some new ones, of course.
There are end-of-school-year dance, piano, and cello recitals. We need to get the kids ready for summer camp. And you can bet Rachel and I will be planning some dinners and other happenings with friends and family once summer is in full swing.
As it turns out, cybersecurity works in much the same way.
Typically, our work with a new client begins with big, ambitious goals. Once these are realized and things settle in, we continue with a steady stream of smaller programs and actions.
At the beginning, the specifics are often not well defined in our clients’ minds.
What they do know is they want a “more mature” program — one that helps them confidently respond to customer questions and allows them to sleep well at night, knowing their cybersecurity is handled.
So we put together a program to get clients on the right path forward. Then, month after month, we accomplish one or two small goals at a time:
- Incident response plan. Check.
- Email configuration hardening. Check.
- MFA deployed for all systems. Check.
- AI Acceptable Use Policy. Check.
- Cloud security evaluation. Check.
Eventually, and usually somewhere between months 18 and 24, we arrive at the point our clients initially envisioned. (You can think of it as a “cybersecurity bat mitzvah,” if that’s helpful.)
Now, the company feels a lot better about its security.
Those terrifying security questionnaires? The client can now respond with clear, accurate information that is well received by its customers.
Those nail-biting discussions with senior management about cyber risk? These are now mature, thoughtful conversations in which mitigations are outlined and trade-offs are weighed.
But that’s just the beginning…
Cybersecurity is Not a One-Time Event
Over time, things change. That’s fine and to be expected.
Maybe the company has grown significantly. Maybe the company’s vertical market or environment has become more complex, requiring more or different security.
And while the investment in cybersecurity needs to continue, at this point, a full-time, in-house cybersecurity person may no longer be needed.
Still, as circumstances evolve, steps must be taken to respond accordingly:
- People leave the organization. Credentials for those users need to be disabled.
- Employees bring on new vendors. Those vendors need to be evaluated.
- Vulnerabilities in existing systems are announced. These need to be patched.
Plus, there must be clear, explicit goals in place to keep you in “cybersecurity shape”:
- Yes, we are going to do a quarterly internal audit.
- Yes, we are going to do an annual tabletop exercise.
- Yes, we are going to do monthly vulnerability reviews.
There is no one-size-fits-all program, and different security professionals may disagree on the type and degree of investment needed.
Whatever the specifics, making informed, considered trade-offs, with the goal of optimizing organizational risk for the level of spend, is a sign of a maturing organization and a robust cybersecurity program.
Speaking of informed, considered trade-offs, Rach, have you decided who we are going to have dinner with two weeks from tonight?