How to Strengthen your Cybersecurity Program

Nick Picano, Senior Consultant, Cyber Risk Advisory, Coalfire

The first step toward becoming physically fit is looking in the mirror, acknowledging your weaknesses, and making a commitment that you’ll do whatever it takes to improve yourself. This is true for personal fitness, but can this approach also apply to the cybersecurity program at your growing business?

In the fitness world, tracking the progress of your workouts and calories is key to being successful in achieving your fitness goals. By doing so you identify areas of strength, areas of weakness, and create a plan that will optimize your workouts and nutrition. This can put you on the fast track to achieving fitness goals you’ve only dreamed about. This approach can also be applied to organizations looking to mature their cybersecurity posture and reduce risk. To accomplish this, the organization must identify current strengths and weaknesses and make a commitment to improving. Without knowing where the organization is, you can’t effectively plan to get where you want to go.

Seems simple enough, right? It can be, until you realize that people don’t like talking about their weaknesses. Instead of loosely organized conversations about your organization’s cybersecurity weaknesses, you can use any of the available security frameworks to evaluate your organization’s current cybersecurity fitness. Once you’ve settled on a framework, you can use it to evaluate areas of strength and weakness and develop a plan to strengthen your security posture.

A framework most are familiar with is the NIST Cybersecurity Framework (CSF). The NIST CSF is voluntary guidance, based on existing standards, guidelines, and practices, that helps organizations improve cyber maturity and measure and manage cybersecurity risk. The framework comprises 108 subcategories, 23 categories, and five functions (Identify, Protect, Detect, Respond, and Recover). A cybersecurity framework like the NIST CSF allows for a more structured approach to evaluating your organization’s strengths and weaknesses. However, simply identifying strengths and weaknesses isn’t enough to protect your organization against data breaches, business continuity disruptions, and the other concerns that keep business leaders up at night. After assessing your organization, you’ll need to create a plan to treat, mitigate, and manage the risks inherent in your security weaknesses.

Most organizations look to mitigate risks; however, they quickly become overwhelmed by the dozens of weaknesses and the lack of resources to address them. So, where do you begin? Each of these weaknesses should be evaluated to determine the likelihood that the weakness can be exploited and its impact on the organization. Once you’ve determined the likelihood and impact, you can build a prioritized plan to address the weaknesses, improve your cyber maturity, and reduce cyber risk.

Just like becoming physically fit, when you reach your goal, you’ll need to maintain it with even more of the hard work you’ve invested. Continued use of a cybersecurity framework facilitates your organization’s ability to monitor its shortcomings and develop and adapt strategies to maintain your desired cyber maturity or risk posture. Much like physical fitness, if your organization stops exercising its maturity improvements and risk reduction plans, it will fall out of shape. This may result in exposing new weaknesses, increasing risk, and generally being “out of shape” when responding to cyber incidents and events. The moral here is that much like personal fitness, a structured program that evaluates your current state, identifies areas for improvement, sets goals, and measures progress can help your organization whip your cybersecurity program into shape and maintain the benefits of all of your hard work.
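The likelihood-and-impact prioritization described above, together with the progress measurement the maintenance step calls for, as an added example that is not part of the original post or of any Coalfire tooling. The findings, their CSF mappings and their 1-to-5 ratings are constructed for illustration; the scoring rule (likelihood times impact) is one common convention, not something the post prescribes.

```python
from dataclasses import dataclass, replace

CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

@dataclass(frozen=True)
class Finding:
    """One assessment weakness mapped to a NIST CSF function and category."""
    id: str
    function: str      # one of CSF_FUNCTIONS
    category: str      # CSF category identifier, e.g. PR.AC (Access Control)
    description: str
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    impact: int        # 1 (negligible) .. 5 (severe)
    remediated: bool = False

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact

# Constructed sample gap-assessment findings (hypothetical organization).
FINDINGS = [
    Finding("F1", "Protect",  "PR.AC", "Shared admin accounts without MFA",      4, 5),
    Finding("F2", "Detect",   "DE.CM", "No central log monitoring",              4, 4),
    Finding("F3", "Identify", "ID.AM", "Incomplete hardware/software inventory", 3, 3),
    Finding("F4", "Recover",  "RC.RP", "Backups never test-restored",            2, 5),
    Finding("F5", "Respond",  "RS.CO", "Incident response roles undocumented",   3, 3),
]

def prioritize(findings):
    """Open findings ordered by risk score, then impact, then id (stable tie-break)."""
    open_items = [f for f in findings if not f.remediated]
    return sorted(open_items, key=lambda f: (-f.risk, -f.impact, f.id))

def residual_risk(findings) -> int:
    """Sum of risk scores still open; the number to drive down over time."""
    return sum(f.risk for f in findings if not f.remediated)

def risk_by_function(findings) -> dict:
    """Where the program is weakest, aggregated per CSF function."""
    totals = {fn: 0 for fn in CSF_FUNCTIONS}
    for f in findings:
        if not f.remediated:
            totals[f.function] += f.risk
    return totals

def risk_reduction_pct(baseline, current) -> float:
    """Progress between two assessments as a percentage of baseline risk removed."""
    base = residual_risk(baseline)
    return 0.0 if base == 0 else 100.0 * (base - residual_risk(current)) / base

# Re-assessment after the top two items were treated (constructed follow-up state).
REASSESSED = [replace(f, remediated=f.id in ("F1", "F2")) for f in FINDINGS]
```

Running `prioritize(FINDINGS)` puts the MFA and log-monitoring gaps first; comparing `FINDINGS` with `REASSESSED` gives the measurable progress the post recommends tracking.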
