The first step toward becoming physically fit is looking in the mirror, acknowledging your weaknesses, and making a commitment that you’ll do whatever it takes to improve yourself. This is true for personal fitness, but can this approach also apply to the cybersecurity program at your growing business?
In the fitness world, tracking the progress of your workouts and calories is key to being successful in achieving your fitness goals. By doing so you identify areas of strength, areas of weakness, and create a plan that will optimize your workouts and nutrition. This can put you on the fast track to achieving fitness goals you’ve only dreamed about. This approach can also be applied to organizations looking to mature their cybersecurity posture and reduce risk. To accomplish this, the organization must identify current strengths and weaknesses and make a commitment to improving. Without knowing where the organization is, you can’t effectively plan to get where you want to go.
Seems simple enough, right? It can be, until you realize that people don’t like talking about their weaknesses. Instead of loosely organized conversations about your organization’s cybersecurity weaknesses, you can leverage any of the available security frameworks to evaluate your organization’s current cybersecurity fitness. Once you’ve settled on a framework, you can use it to evaluate areas of strength and weakness and develop a plan to strengthen your security posture.
A framework most are familiar with is the NIST Cybersecurity Framework (CSF). The NIST CSF is voluntary guidance, based on existing standards, guidelines, and practices, for organizations to improve cyber maturity and to measure and manage cybersecurity risk. The framework consists of 108 subcategories, 23 categories, and five functions (Identify, Protect, Detect, Respond, and Recover). A cybersecurity framework like the NIST CSF allows for a more structured approach to evaluating your organization’s strengths and weaknesses. However, simply identifying strengths and weaknesses isn’t enough to protect your organization against data breaches, business continuity disruptions, and the other concerns that keep business leaders up at night. After assessing your organization, you’ll need to create a plan to treat, mitigate, and manage the risks inherent in your security weaknesses.
Most organizations look to mitigate risks; however, they quickly become overwhelmed by the dozens of weaknesses and the lack of resources to address them. So, where do you begin? Each weakness should be evaluated to determine the likelihood that it can be exploited and its impact on the organization. Once you’ve determined likelihood and impact, you can build a prioritized plan to address the weaknesses, improve your cyber maturity, and reduce cyber risk.
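One way to turn that likelihood-and-impact evaluation into a prioritized plan, as an added example that is not part of the original article: a small Python risk register that maps each assessment finding to its NIST CSF function, scores it on an assumed 1 to 5 likelihood and impact scale, and sorts and rolls up the results. The findings, scale, and scores are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed example: each weakness found during a NIST CSF self-assessment
# is mapped to its CSF function and scored for likelihood and impact on an
# assumed 1-5 scale; the product gives a simple risk score to sort on.
CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Weakness:
    name: str          # hypothetical finding from the assessment
    function: str      # CSF function the gap falls under
    likelihood: int    # 1 (rare) .. 5 (almost certain) that it is exploited
    impact: int        # 1 (negligible) .. 5 (severe) effect on the business

    def score(self) -> int:
        """Likelihood x impact risk score (max 25); rejects out-of-range input."""
        if self.function not in CSF_FUNCTIONS:
            raise ValueError(f"unknown CSF function: {self.function}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be in 1..5")
        return self.likelihood * self.impact


def prioritize(register):
    """Highest risk first; ties broken by impact, so a severe-but-unlikely gap
    outranks a moderate-but-likely one with the same score."""
    return sorted(register, key=lambda w: (w.score(), w.impact), reverse=True)


def rollup_by_function(register):
    """Total risk per CSF function, showing where the program is 'out of shape'."""
    totals = {f: 0 for f in CSF_FUNCTIONS}
    for w in register:
        totals[w.function] += w.score()
    return totals


# Constructed sample findings (not real assessment data).
REGISTER = [
    Weakness("No asset inventory for cloud workloads", "Identify", 4, 3),
    Weakness("MFA not enforced for remote access", "Protect", 5, 5),
    Weakness("No central log collection", "Detect", 4, 4),
    Weakness("Incident response plan never exercised", "Respond", 3, 4),
    Weakness("Backups not tested for restore", "Recover", 2, 5),
]

if __name__ == "__main__":
    for w in prioritize(REGISTER):
        print(f"{w.score():2d}  [{w.function}] {w.name}")
    print(rollup_by_function(REGISTER))
```

Re-scoring the register after each remediation cycle gives the ongoing measurement the next section calls for.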
Just like becoming physically fit, when you reach your goal, you’ll need to maintain it with even more of the hard work you’ve invested. Continued use of a cybersecurity framework facilitates your organization’s ability to monitor its shortcomings and develop and adapt strategies to maintain your desired cyber maturity or risk posture. Much like physical fitness, if your organization stops exercising its maturity improvements and risk reduction plans, it will fall out of shape. This may result in exposing new weaknesses, increasing risk, and generally being “out of shape” when responding to cyber incidents and events. The moral here is that much like personal fitness, a structured program that evaluates your current state, identifies areas for improvement, sets goals, and measures progress can help your organization whip your cybersecurity program into shape and maintain the benefits of all of your hard work.