Middle market executives all tend to agree on the need to better secure their information and tighten up cyber security defenses. However, most are unsure about the best approach to take. Is it an IT initiative? Could periodic training help? Should there be independent reviews?
All of the above are applicable, but they need to be assembled into a well-thought-out process that can serve as a comprehensive information and cyber security program. Instead of spending time and effort on a number of disparate initiatives, you can get the most return on your investment by establishing an integrated set of activities within a cyber program based on proven methodologies.
NIST (the National Institute of Standards and Technology) has emerged as the leading source of cyber security methodology in the industry, and you can leverage its key elements as the framework for an effective program within your organization. NIST recommends a continuous cycle of efforts broken into distinct phases: assessing risks, remediating weaknesses, and validating defenses.
Assessing risks is accomplished by conducting periodic risk assessments to identify potential gaps. Risk assessments come in different flavors, ranging from technical vulnerability scans of various computing devices to reviews of information management and user computing policies and procedures. Risk assessments are essential first steps in identifying weaknesses and developing a remediation roadmap.
Remediation efforts should be planned in a way that best balances the criticality of each weakness against the availability of resources in the organization. Weaknesses generally fall into several categories, ranging from critical to high, medium, and low. Critical weaknesses should be addressed as soon as possible; the others need to be built into an ongoing plan based on resource availability and priorities. Weaknesses also span a range of areas, from the underlying IT systems to educating users on acceptable information and cyber use practices.
Validation is based on the “trust but verify” concept: confirming that earlier remediation efforts have been effective by testing existing capabilities and questioning assumptions. Validation efforts can include penetration testing (activities focused on breaking into systems) or cyber game exercises (tabletop simulations of a cyber breach). These exercises can help you learn more about potential weaknesses and improve earlier remediation efforts.
Your organization will be able to achieve the most from its information and cyber security efforts by following a proven methodology such as NIST to create an ongoing prevention system that is tightly aligned with IT and business resources and objectives.
Sassan S. Hejazi can be reached by email or at 215.441.4600.