Every characteristic of a security program, and the way its challenges are managed, has to evolve with each milestone the organization passes. These challenges fall broadly into internal and external. Most internal ones are dealt with proactively, with policies enforced from time to time; addressing the external ones, i.e. threats, requires serious motivation, especially in the CISO's office. Any complacency in an organization's cybersecurity is exactly what adversaries are waiting for, and believe me, with their creativity they will happily be dismissed as duds if that keeps the organization believing in a false security posture.
Cybersecurity can never be achieved through random acts of mitigation. One must plan meticulously, define in detail the rules for engaging the resources, and monitor the status continuously. To reach a stable security posture it becomes imperative to take a step back and, where possible, get an outside-in view of the business as a whole. Trust me, the security feature in your medulla oblongata will witness revelations. Now you know what you need to do; now is the time to plan and put up your guard. You can simply rely on the tenets below and build on them.
Culture establishes the behaviour and perceptions of the various stakeholders: their interests, abilities and affinities. Spend as much time as possible understanding the stakes and the rewards, the advocates and the opponents, because once the security program is proposed you will know who is revolting and who is ready to accept it. If the majority of the workforce sits on the opposing side, you will need to invest time in awareness: spreading the good word, conducting focus-group sessions and educating the opponents about the risks and the benefits. In the end the frontline workforce is the first point of contact for any attack, and an educated workforce is the best guard. The most important missing link in any organization is the process and the means to communicate, relay and collaborate, one to many, many to many and many to one, in real time. With an educated workforce, a full-duplex communication channel is a boon when an incident is under way.
Most organizations will not have gone down the Enterprise Architecture (EA) route in their initial stages, and reshaping the organization around an EA at a later stage is a behemoth task. Still, defining the organization structure with respect to an EA has benefits that last a very long time. Setting that possibility aside, a good approach is to identify two aspects of the enterprise: the Enterprise Environment Factors under which it conducts its business, which should then be superimposed onto the Enterprise Risk Environment.
The Enterprise Environment Factors include, but are not limited to: organization structure, business goals, policies, regulations, compliance requirements to be fulfilled, the various business systems in place, and the geopolitical and economic influences that can make, break or change the entire business landscape.
The Enterprise Risk Environment is nothing more than the overall enterprise risk distributed into segments; the overall risk is the cumulative total of the risk arising from all the Enterprise Environment Factors put together. It is segmented into Strategic Risk, Business Environment Risk, Market Risk, Operational Risk and Compliance Risk, underpinned by IT Risk, which cuts across all the segments and can be further divided into IT Enablement Risk and IT Projects and Operations Risk.
If the Enterprise Environment Factors and the Enterprise Risk Environment are aligned (superimposed), most of the risk elements are covered by one segment or another and an appropriate risk response strategy (avoid, mitigate, transfer or accept) can be adopted for each. It goes without saying that every risk element must have an owner from the business; ownership can never be the responsibility of the cybersecurity team.
To make the risk elements visible, business owners can use a model that aligns business principles and policies with the culture, behaviour and processes connected to all the resources available to execute the business objective. Then, to mitigate each prioritized risk, business owners should apply a cost-benefit analysis before adopting a control to respond to it. The rule of thumb is that the benefit of a control (the reduction in risk it buys) has to outweigh the cost of that control. This also gives an objective justification for budget allocation and an unbiased basis for stakeholder buy-in.
Before agreeing on and establishing a review mechanism, the identification of KGIs (key goal indicators), KRIs (key risk indicators) and KPIs (key performance indicators) cannot be emphasised enough. These form the metrics to monitor, regularly. The metrics can be recorded in the risk register at the time the risk itself is identified, and as the risk moves along the risk management lifecycle the metrics should be refined diligently.
The KPIs should then be aligned with the respective business goals so that progress can be measured directly against the overall business goal, providing accountability and traction across the value chain, since several layers are involved in operations and delivery.
Review and monitoring give way to continuous improvement (CI) initiatives, which can be driven with the simple yet effective Deming cycle, also known as the PDCA (Plan-Do-Check-Act) cycle. If the CI tasks are complex and/or have to be deployed in a matrix organization, there is the ITIL 7-Step Improvement Process, which is resource intensive but delivers reliable results. Both tools can be repeated as many times as desired to improve the results over an extended time scale.
As described earlier in the article, these three tenets (culture, an aligned enterprise risk environment, and measured continuous improvement) are the outcome of the step-back approach. Combined into a single strategy to establish a sound cybersecurity philosophy, they leave very little that drops off the CISO's radar, and they can spare the CISO's RAM for good. Peace out!