If you are reading this article, you are probably in the C-suite or have a direct line to a CxO's office; or perhaps you are tasked with working on your organization's cybersecurity policy; or perhaps you are simply curious to find out the whats and the whys of a cybersecurity policy. Whether you are a fresh graduate or an executive climbing the corporate ladder, if you work in the IT or infosec domain, this article can help highlight some of the focus areas to pinpoint.
While most of us work in cyberspace, when was the last time we read the corporate cybersecurity policy, and do we know where to find it and who owns it? If not you, does the frontline workforce know where to find it and when to read through it? And the most basic question of all: how and where do you report that suspicious email?
All of this has a direct bearing on the effectiveness of the organization's cybersecurity program. Hopefully it is not that bad, but please remember, and remind everyone, that awareness is one of the most effective controls, and the one that costs the least.
1. Cybersecurity is the Chairman's Pet
We need one in place, and no one disagrees; of course, it is good to have and nice to show off. If the Board does not support the initiative, it means the initiative is not in sync with the Enterprise Architecture (EA); if it is not coupled with the EA, then cybersecurity is not addressing any business risks, and the business owners do not own any of the controls put in place to support operations and continuity. The security budget will be reviewed next year. The SIEM and scanners were deployed last year; time to try endpoint security this year, and the saga continues!
2. CISO is an additional responsibility of one of the other CxOs
The Chief's paycheck takes away about 30 % of the cybersecurity budget; I think the COO should take it up since it is all associated with Operations. As such, Operations would have more resources than any other department. The Chiefs of Operations and Technology combined handle most of the organization's execution, so the COO becomes the C(CIS)OO, and the next level down is left to carry out the cybersecurity priorities of our tactical workforce. Try to understand the emotion of IT security in this falsehood.
3. Asset-based Risk Assessment
Chop chop... The corporate website behaves weirdly and takes forever to load. IT says no anomalies were reported; it must be a bandwidth issue. A month later, the IT procurement report says the certificate was not renewed. By the way, who should be raising that PO? The corporate website is the organization's asset, so the organization should raise the PO. Period. For Procurement, it is just a line item, and only once it gets into the system after approval. And afterwards: can we renew the certificate at a discount, or find another vendor who issues a certificate for less?
4. Cybersecurity is a subset of Corporate IT
The C(CIS)OO and CTO work well together, and it is an excellent model to create a team within Corporate IT and call it the SOC. The CTO knows a guy in Corporate IT who is a Snort geek and an Nmap wizard. Excellent start; three months later, we have a full-blown cybersecurity lab with a SOC on the corporate network and are monitoring everything. Reports confirm a few incidents, which are nothing but false positives, and by the following review it is 80 % conforming to enterprise security compliance.
5. Periodic Review of the Threat Landscape
It has been two quarters, and we are now fully operational from Lagos, Nigeria, and our production capacity has increased by 20%. We have contracted with local IT vendors, the primary ISP providers in the region. No issues so far. We have also established direct connectivity to the corporate network. We plan to deploy the firewalls and integrate them with the SOC next year, in the next corporate IT/cybersecurity budget cycle. And no emergency notification alarm has been provisioned, because no emergency has been identified so far.
Throughout the business, it is evident that all resources and workforce are consumed by execution. Still, at the same time, it is mission-critical to establish security logistics by implementing Enterprise Architecture (EA) coupled with Integrated Risk Management (IRM) solutions. The Board's involvement in direct oversight, governing the business environment with the help of EA and IRM, is a must; without it there is absolutely no point in committing to and spending on cybersecurity.
It can start with a business case justifying why a cybersecurity program is required, with all threats and opportunities outlined in a full-blown risk register. Each risk and its control should be assigned an owner. A periodic review of the EA, IRM and risk register has to be a mandate for any organization, big or small, and is not something it can afford to miss. One place to seek guidance is NIST, whose guidance can be adapted to suit the organization's needs.