Core Principles of a Resilient and Adaptable Cybersecurity Program
For growth and innovation, know your cyber security status.
The COVID-19 pandemic has dramatically increased the use of digital assets (such as mobile devices, Bring Your Own Devices (BYOD), cloud solutions, and other emerging technologies), highlighting the need for a resilient and adaptable cybersecurity program. Businesses that do not have a clear understanding of their cyber security posture are slow to grow and innovate or unknowingly introduce risk that may prove detrimental to their survival.
Foundation of a resilient and adaptable cybersecurity program
Categorize data and digital assets in terms of strategic importance and overall risk to the organization.
Businesses should understand the data they own, process, store, and transmit; how the data flows between systems; what digital assets are used and how; and who the internal and external users are. This should include third-parties who operate and maintain systems on behalf of the organization, system interconnections to external systems, and third-parties with access into the organization’s network.
Pay close attention to how the system is used to determine strategic importance. An IT service ticketing system may not be critical for ongoing business operations but when used to retain reports containing sensitive information (PHI, PII, etc.), a breach of the system could pose a significant risk to ongoing business operations.
Perform a risk analysis to identify critical risks and vulnerabilities to confidentiality, integrity, and availability of digital assets and underlying data.
Starting with the most critical data and digital assets, businesses should identify potential risks and vulnerabilities to those assets, assess the effectiveness of currently implemented control practices, and analyze the potential likelihood and impact of risk occurrence.
This goes beyond a compliance assessment or a gap analysis. This requires a program to proactively identify and manage risks to critical data and digital assets throughout the life-cycle - from acquisition, development, integration, use, maintenance, and disposition. Not just performing a “check-the-box” assessment.Prioritize mitigation of critical risks to minimize major disruptions to the business.
It is not practical or feasible to mitigate all identified risks. That is why businesses should develop a framework to prioritize and mitigate risks that are critical to the business goals and missions.
Businesses should consider the time and resources needed to effectively manage the identified risks - giving higher priority to critical risks that require the least amount of time and resources. For example, a vulnerability that - has a high likelihood of being exploited, has patch available, the patch can be easily tested and deployed, and has no mitigating controls in place should be given top priority. Foster a culture of security and compliance.
Everyone, from the front lines to the back office, should have a clear understanding of what information is sensitive, how to protect it, how to report potential incidents, and how to respond to an incident.
A dysfunctional culture can have major consequences for an organization. For instance, a data breach caused by misuse of administrative access or shared credentials might be related to senior management's need to bypass access controls. A security-informed culture is key in reducing unintended or accidental negligence.
In Summary
A strong cybersecurity foundation starts by understanding what is at stake. Knowing the status of critical digital assets, data flows, control practices, and risk exposure is the foundation of a good cybersecurity program. Using this knowledge, businesses can prioritize resources to build a resilient and adaptable cybersecurity program that fosters organizational growth and innovation.
We’re here to help
Contact us if you have questions regarding cybersecurity programs. We help businesses build holistic cybersecurity programs while driving compliance with relevant laws and regulations.
Stella Bridges
Stella.bridges@secliance.com