I wanted to start by thanking Yotam Gutman for asking me to become a guest blogger on Cytegic. IT security and cybersecurity are terms we hear quite often these days. Television news stations constantly bring the ever-growing need for stronger cybersecurity measures into the limelight. Most recently, the data breach at Sony Pictures drew renewed attention to protecting company assets, such as intellectual property.
We may think to ourselves, it’s just a movie, right? In actuality it is a piece of intellectual property, and the network breach could cost the company upwards of $100 million according to Businessinsider.com (Richwine, 2014). I have some personal recommendations that I believe form a practical, no-nonsense approach to making sure that senior leadership understands the significance of cybersecurity. First, senior leadership in any organization needs to understand that cybersecurity is a joint effort and requires buy-in from them. If senior leadership at the C-level does not take cybersecurity seriously, they will not invest money in improving the company’s security posture. So you’re probably wondering: how do I get the C-level executives in my organization to take cybersecurity more seriously and invest in the company’s future through enhanced cybersecurity measures? Hack their personal computers and post their vacation pictures on the company website or blog? That is just a joke, everyone, so please do not hack your CEO’s computer. But in all seriousness, how does a leader in cybersecurity take the initiative to speak to their C-level executives and Board of Directors? It can be a daunting task, to say the least, but a very important one!
So, what can companies do to prevent a data breach from happening to them? In the next few paragraphs I will describe, in detail, a practical strategic approach to implementing a full cybersecurity initiative, split into three phases. Taking a proactive approach by implementing an effective IT security strategy that encompasses intrusion detection (IDS), data loss prevention (DLP), and an overall IT security framework will be a key factor in protecting a company’s network. But we must have a strategic approach. Here are my suggestions:
In Phase 1, hold a meeting with your immediate team members and discuss your vision, either for a complete overhaul of the information security program already in place or for starting a new cybersecurity program. Identify your target audience: the company’s C-level executives and Board of Directors. Identify the budget currently allocated to IT security and note where changes are needed. Remember, the budget or funding that you and your team will be requesting will be discussed in Phase 3. As part of your request for additional funding, write down the recommended servers, computers, software, peripherals, training, and so on.
Phase 2 begins with your team identifying which IT security framework best meets the needs of your company. This will vary depending on company culture. Have a serious discussion with your team about the benefits of each candidate framework. If your company’s policies and procedures are updated often, it may be wise to adopt ISO/IEC 27002:2013: because its language is open to interpretation, you have more flexibility to adapt controls to your policy objectives. However, if your organization’s culture allows for an almost military approach to cybersecurity initiatives, then implementing the SANS 20 Critical Controls would be my personal recommendation, since they prescribe specific, prioritized technical controls. There are, of course, other IT security frameworks to choose from, so you don’t have to limit yourself to ISO or the Critical Controls.
Those are my personal recommendations. Prepare with your team: conduct a whiteboard session and write down your progress thus far. Once all of your team members see your collaborative efforts together on the whiteboard, they will feel even more involved. Phase 2 ends with creating a proposal for the upcoming meeting with the C-level executives and Board of Directors. Remember, your proposal should cover everything thus far and leave nothing out. Also make sure to include the time frame for implementing the cybersecurity initiative.
Phase 3 is the formal meeting with your C-level executives and Board of Directors. Have ready a PowerPoint presentation with only a few bullets per slide outlining your vision for the company. Remember, you are presenting to your C-level executives and Board; they don’t have the time to sit through a long and boring presentation. Make it serious, make it concise, and simplify it so they can understand it. Do not use jargon they will not understand. Remember, they don’t know what you know. Keep it simple. Follow up afterward and discuss the proposal.
Hopefully you get the excellent news that you deserve and are expecting: your proposal is accepted and your team’s cybersecurity initiative is funded. If for some reason your proposal is rejected, do not let this minor setback discourage you. More than likely, the rejection will be due to budgetary constraints. Find out what an appropriate operating budget would be and request it in your revised proposal. Remind your senior leadership, again and again, that cybersecurity is a joint effort and that implementing a cybersecurity initiative as outlined in the three phases will be key to the company’s success.
Reach out to me and let’s connect! I am an accomplished professional in the field of cybersecurity specializing in information security and information assurance management. Currently sponsored and endorsed by the US Department of Defense in collaboration with National Centers of Academic Excellence in Information Assurance and Cyber Defense Operations.
Please visit my blog The Cyber Times and also my LinkedIn page today!
Alex A. Akyuz, MS
Richwine, L. (2014, December 9). Sony’s hacking scandal could cost the company $100 million. Business Insider. Retrieved January 21, 2015, from http://www.businessinsider.com/sonys-hacking-scandal-could-cost-the-company-100-million-2014-12