
“I have always found that plans are useless but planning is indispensable.”
– Dwight D. Eisenhower
I moved to New England in 1998.
I had been living in Missouri and I brought my State Farm Insurance with me. State Farm doesn’t have brokers here, but what did that matter? I wasn’t married, I had no kids, and I didn’t own a house. So I kept the same insurance with no broker to talk to, just the main office.
But over the next 20 years, things changed. A lot! By 2017, when I launched Fractional CISO, I had a family and some things worth protecting. I found an online business insurance company, filled out the forms, and all was good again.
Well, sort of.
I had insurance, but it was a patchwork of policies and coverage – car, fire, home, business, umbrella. The policies were barely customized to my particular needs and none of them were coordinated with one another. I had no idea if I was under-insuring, over-insuring, or missing certain areas entirely.
Fortunately, I was soon introduced to John Dustin, owner of JED Insurance in Foxboro, MA. John is the ultimate big picture thinker; we began with a comprehensive look at my risk and the coverage needed. Not what people “like me” needed … what was right for me in particular.
For example, after visiting my office (yes, he came to my office!), John learned that at the time, we employed a remote, part-time admin. He said, “Rob, you need workers’ comp for her. If she has a ‘trip and fall,’ even though she’s not in the office and not on salary, it’s on you.”
I’d always had coverage, but thanks to John, I now had next level coverage – a customized, coordinated, comprehensive approach to insurance that took into account the specifics of my circumstances and my risk tolerance.
You Need a Cybersecurity Plan
If yours is like most established companies, you have plenty of cybersecurity “stuff” in place: multifactor authentication (MFA), software patching, virus protection, etc. It’s awesome that you have these individual things up and running.
But, like my patchwork of insurance coverage, if it’s not well thought out, coordinated, and specific to your needs, there are bound to be cracks. And, as with insurance, it only takes one crack in a critical area to cause extensive loss or damage.
That’s where a cybersecurity plan comes in – it’s like a business plan for your cybersecurity program. Many things can go into it, but here are some things to consider in putting one together…
What’s your philosophy? If you are an electrical grid provider, network availability might be your number one priority. If you make financial software, maybe it’s data integrity. If you process personal information, data confidentiality might be your overriding concern.
The point is, you need an organizational understanding of what is most (and least) important so you can specify an appropriate level of protection to achieve your high-level objectives.
What is your security culture? Does senior leadership emphasize how important security is? Do they prioritize security over other functional areas? Are employees measured on their security practices?
I’ve got my own perspective on how important security is (very!). But what matters in creating a plan for your organization is aligning your on-the-ground approach with your security culture.
What security framework(s) do/will you follow? CIS Controls? ISO 27001? NIST 800-53? Again, you want to think comprehensively across the organization based on your circumstances.
What is in your security roadmap? What schedule of features, configurations, products, training, policies, procedures, and audits are or will be rolled out? Rome wasn’t built in a day, and neither will your security program be. A roadmap keeps you on track, ensuring progress and minimizing the need for ad hoc decisions in the midst of a crisis.
What is your assessment strategy? How frequently and by whom will your cybersecurity program and controls be assessed and modified as needed? An internal person quarterly? An external person annually? Some combination?
Whatever programs and controls you put in place at the start will absolutely need tweaking as time passes and things change. As part of your planning, think about how those adjustments will be managed.

Don’t Wait
As we have written many times before, there are other specific plans within cybersecurity that your company should be developing – Incident Response plan, Business Continuity / Disaster Recovery plan, etc. And, if you are just getting started, maybe you begin by executing your program and don’t yet worry about an overall plan or program.
But at some point, you want to develop a plan that looks at your organization holistically, from the top down. That’s really the only way to ensure you are managing risk as best as possible and without spending money on things that don’t add real value or align with your organizational philosophy.
As with insurance-related mishaps, the majority of cybersecurity events are not existential. And, fortunately, most bad things don’t happen to most people. But … every bad thing that happens, happens to somebody. Develop a plan so that somebody isn’t you!