If you are reading this article, you are probably in the C-suite or have a direct line to a CxO's office; or maybe you are someone tasked to work on the Cybersecurity Policy of your organization; or maybe someone curious enough to find out the Whats and the Whys of a Cybersecurity Policy. Whether you are a fresh grad or an executive climbing the corporate ladder, if you are in the IT or Infosec domain, this article can help highlight some of the focus areas to pinpoint.
While most of us work in cyberspace, when was the last time we read the Corporate Cybersecurity Policy? Where is it, and who owns it? If not you, does the frontline workforce know where to find it and when to read through it? Least of all: how and where do you report that suspicious email?
All this has a direct bearing on the effectiveness of the organization's Cybersecurity Program. Hopefully it's not that bad, but please remember, and remind everyone: Awareness is one of the most effective controls, and it costs the least.
1. Cybersecurity is Chairman's Pet
We need to have one in place and no one disagrees: of course it is good to have and nice to show off. If the Board does not support the initiative, it means it is not in sync with the Enterprise Architecture (EA); if it is not coupled with EA, then Cybersecurity is not addressing any business risks, and the Business Owners do not own any of the controls put in place to support operations and continuity. The security budget is reviewed next year. SIEM and scanners were deployed last year; time to try Endpoint Security this year, and the saga continues...!!!
2. CISO is an additional responsibility of one of the other CxOs
A Chief's paycheck takes away about 30% of the Cybersecurity budget. I think the COO should take it up, since it's all associated with Operations, and as such Operations would have more resources than any other department. The Chiefs of Operations and Tech combined handle the majority of the Organization's execution, so the COO becomes the C(CIS)OO; and the next level down, carrying out the Cybersecurity priorities, is the Tactical Workforce. Try to understand the emotion of IT Security in its falsehood.
3. Asset-based Risk Assessment
Chop chop... the Corporate Website behaves weirdly and takes forever to load. IT says no anomalies are reported; it should be a bandwidth issue. After a month, the IT Procurement report says it did not renew the Certificate. By the way, who should be raising that PO? The Corp Website is the Organization's Asset. The Organization should raise the PO. Period. For Procurement it's just a line item, and that too only when it gets into the system after approval. Thereafter: can we renew the certificate with a subsidy, or find another vendor who gives a certificate for less?
4. Cybersecurity is a subset of Corporate IT
The C(CIS)OO and CTO work together well, and it's a good model to create a team within Corp IT and call it the SOC. The CTO knows a guy in Corp IT who is a Snort geek and an Nmap wizard. Amazing start; 3 months later we have a full-blown Cybersecurity Lab with a SOC on the Corp Network, and we are monitoring everything. Reports confirm a few incidents, which are nothing but false positives, and by the next review it's 80% conforming to Enterprise Security Compliance.
5. Periodic Review of Threat Landscape
It has been 2 quarters; we are now fully operational from Lagos, Nigeria, and our production capacity has increased by 20%. We have contracted with local IT vendors who are also the major ISPs in the region. No issues so far. We have also established direct connectivity into the Corporate Network, and we have a plan to deploy the firewalls and integrate with the SOC next year, with the next cycle of the Corp IT/Cybersecurity Budget. And there is nothing provisioned as a Notification Alarm during an emergency, because no emergency has been identified so far.
In the course of business, it is obvious that all resources and manpower are consumed by execution; but at the same time, it is mission critical to establish the security logistics through the implementation of Enterprise Architecture (EA) coupled with Integrated Risk Management (IRM) solutions. The Board's involvement in direct oversight, governing the business environment with the help of EA and IRM, is a must; without it there is absolutely no point committing to and spending on Cybersecurity.
It can start with a Business Case to justify why a Cybersecurity program is required, with all Threats and Opportunities outlined in a full-blown list in the Risk Register. Each Risk and its Control should be aligned with an owner. A periodic review of the EA, IRM and Risk Register has to be a mandate for any organization, big or small, and one it cannot afford to miss. One place to look for guidance is NIST, which can be adapted to suit the organization's needs.