Were it not for a worldwide pandemic (maybe you heard about it?), I would have attended my 25th college reunion at Wash U (Go Bears!) in St. Louis last month. Instead, the event was held online, and few people showed up.
That’s understandable. College reunions are not so much about exchanging vital information as they are about catching up with old friends, seeing how the campus has changed, shaking hands, exchanging hugs, and drinking a beer, or seven. Zoom just doesn’t cut it.
There is one advantage to a virtual reunion, though: no lead time required.
You don’t need to prearrange a plane ticket, a hotel reservation, or a rental car. And, maybe most significant in terms of preplanning, you don’t need weeks and weeks to get in shape and/or lose weight, two objectives that require the passage of time.
Well, guess what? When it comes to setting up a robust cybersecurity program for your organization, you can’t simply snap your fingers and put one into place overnight, either.
Cybersecurity Programs are a Process
When speaking with a prospect about establishing a new cybersecurity program quickly – often because they have a new customer that requires certain commitments – they invariably ask, “How long will it take to meet these requirements?”
My answer is nearly always the same: “18 months.”
At that point, I don’t necessarily even know the specifics of the program or the compliance requirements. But after going through this process dozens of times with a range of clients, I’ve learned that the specifics don’t really matter. Like losing weight, cybersecurity takes time.
“Can it be done faster?” they invariably ask.
Here, too, my response is pretty consistent: “Yes, but what are you willing to sacrifice to speed it up? Is this going to be your top priority, something that takes precedence over things like making sales or delivering on customer commitments?”
Their answer, of course, is “no.” As it should be. No company is going to dedicate 100% of its time over even a single month to get all its policies developed and put in place. It just won’t happen, and so a phased approach over several months is closer to reality.
Okay. So if it’s not overnight or even one month, which factors come into play in determining how long it will take? Let’s take a look…
How much time are you going to dedicate to this?
A security program comes at a cost – one of those is time. And sure, like an actor who works out five hours a day to take on a role as a boxer, you could push everything else aside to shrink the timeframe. But it’s not likely, nor is it advisable if the things you would push aside generate needed revenue.
So, start by figuring out what’s necessary to implement a new program. How many and what types of policies are you trying to put into place? How often will your internal team meet? What documentation and training are required? Use these and other key factors to create a realistic schedule that estimates how much time you will need.
Then double it, because if my experience holds true, you are being way too optimistic.
What will the Cybersecurity Program’s impact be on the status quo?
Part of the reason cybersecurity takes time to implement is that it’s a contact sport – everyone inside your organization plays a hands-on role. You can’t simply outsource it the way you might with the installation of a new HVAC system or the hiring of a new marketing agency.
Yes, professional cybersecurity experts can lead the way – developing a plan, helping you meet on a regular basis, tracking progress, keeping the team on track, etc. But like hiring a personal trainer, you’re the one who needs to get down there and do the pushups.
How well-informed and committed is senior leadership?
Anytime someone invites us in to talk about cybersecurity, it’s because at some level, they understand that things are not as they should be. They may believe that they are “better than average” (although on average, they are not), but even if they are, it’s not enough. “Above average” is not a high enough bar for surgeons, airplane pilots, or those who are trying to keep the bad guys from doing damage.
That’s why, in our experience, it all starts at the top with the CEO: does he or she have a risk-informed view of the organization? That means more than just having a bunch of security controls in place. It means understanding and committing to cybersecurity programs across the board, in a systematic and well-conceived manner.
More than anything, CEO dedication to cybersecurity is what correlates most strongly with the speed with which a new program can be put in place.
Cybersecurity Programs: No Instant Gratification
Maybe you’ve heard the old saying: It takes nine months to make a baby, no matter how many women you put on the job. As it turns out, when it comes to speeding things up, cybersecurity programs are likewise constrained.
With that in mind, it’s important to go into any new cybersecurity endeavor with eyes open and realistic expectations. It’s a process, involving you and your team, not a thing you pick off the shelf and install next Tuesday.
As for me, I’ve got five years lead time to get in tip top shape for reunion #30. There is no time to waste!