Prepare for the Cybersecurity Championships!


It’s June, which in the world of professional sports means the NBA finals are underway. This year, our beloved Boston Celtics are favored to win it all. 

I couldn’t be happier! They have skated through the playoffs (despite big man Kristaps Porzingis being injured for most of it) and players like Jayson Tatum, Jaylen Brown, and Derrick White have been so much fun to watch.

I even take some credit for the Celtics’ spectacular season this year, since they won every game I attended. Granted, they were 37-4 at home. Even so, I like to think of myself as kind of a Celtic lucky charm and I expect them to win another title.

But when the season ends, things will inevitably change. Players get traded or retire, free agents find better deals, rookies join the team. As Jerry Seinfeld points out, with all the roster changes year to year, we don’t really root for the players, we root for the uniforms.

Whatever the outcome, everyone involved will take time to relax, recharge, and rest up for next year.

Cycles, Not Seasons

The inherent rhythm of professional sports – work really hard during the season and rest for a few months when it’s over – is precisely how things do not work in cybersecurity. There is no offseason … the “season” is always on.

The bad guys never rest, which is why cybersecurity requires ongoing, daily focus. If your team is not continually paying close attention, your program won’t be successful. 

Still, not all cybersecurity functions require the same frequency of attention; I like to think in terms of a spectrum of activities, each with its own cycle. Broadly speaking, these fall into three buckets:

#1. Things that require constant vigilance.

This includes activities such as network monitoring (keeping an eye on the behavior of your environment, notifying you if something unusual is detected, and taking steps to contain the problem) and patching (fixing software bugs that, if not corrected, may be exploited by bad actors).

As with fire alarms and door locks, to be effective, these types of things need to be operational at all times. 

#2. Things that require regular upkeep.

Cybersecurity awareness training falls into this bucket. You’re not going to train everyone, every day. But you want programs in place that ensure your people are well aware of threats and how to deal with them.

For example, phishing is a common (and often successful) type of cyber attack in which email recipients are tricked into taking a harmful action or revealing sensitive information. This can’t be prevented through technology alone – it happens when uninformed members of your team are caught off guard.

Fortunately, there are many cybersecurity awareness vendors that will both train your staff and conduct occasional phishing tests to keep people up to speed. Make sure this is a regularly scheduled part of team development.

#3. Things that should be done periodically.

Pen tests – These are manual, human-operated tests performed by an “ethical hacker” to simulate an attack.

In addition to being done annually, pen tests should also occur with major infrastructure or system changes; prior to launching a new product or service; after a security incident; or as required by industry compliance or regulatory standards.

Internal audits – These ensure your practices are effective, compliant, and secure and that you are living up to your customer contracts.

Here, the frequency is a function of the activity itself. For example, you may decide to check employee offboarding every quarter, but you may only need to check on your vendor approval process twice a year.

Whatever the specifics, you need to create a schedule and stick to it (internal audits are notorious for being back-burnered!).

Vendor evaluations – These are done to ensure your vendors are handling your information as they should. They are typically done based on a business need, such as a new compliance program.

But you don’t need to wait for an event to perform a vendor evaluation as these can uncover vendors you didn’t even know you had or reveal areas of weakness among vendors that provide some type of critical functionality to your organization — and that you don’t want to risk losing!

The Next Season Begins Tomorrow

In the business world, each of us is constantly juggling a never-ending list of priorities. So of course, when things get hectic, some of your regularly scheduled cybersecurity activities may need to take a (very) temporary back seat. 

Just remember that some things need to be paid attention to more frequently than others and that a new season begins every morning – we don’t get to head to the islands or the golf course when the playoffs end. 

Speaking of which, given my proven lucky presence at home Celtics games, if anyone wants to guarantee a championship against the Dallas Mavs this month, feel free to invite me along!


Rob Black
Rob founded Fractional CISO in 2017 and has helped dozens of mid-size SaaS and technology companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).

