President Biden stated, “If you have not already done so, I urge our private sector partners to harden your cyber defenses immediately by implementing the best practices we have developed together over the last year. You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely.”
However, the real question is: are organizations ready to implement cyber defenses? This question is rhetorical because, with the speed of change, IT transformations, new mandates, and the great resignation, among other pressures, organizations may struggle to implement cybersecurity strategically. There is no lack of guidance for critical infrastructure or corporate infrastructure, with standards and frameworks such as:
It has always been about implementation guidance; organizational [cybersecurity] resources have constantly been challenged with how to implement the vast amount of advice and mandates. The “how” is not clear, which leads to diverse interpretations. And unlike critical infrastructure, corporate infrastructure has even less guidance on the “how.” I suggest the following simplified methodology:
Does the cybersecurity team know my organization’s crown jewels/business-critical systems?
The answer to this question is critical for a well-developed strategic cybersecurity plan, so here is an interrogatory question to ask that will get you started:
Note: the word “system(s)” throws off many “technical” people, as their focus goes straight to hardware and software. However, a system is more holistic than that; when identifying systems, make sure to encompass people, processes, and technologies.
Once you identify the people, processes, and technologies supporting your organization’s mission, vision, and services, the next step is to assess.
Establishing your cybersecurity baseline: to do that, you will need to perform a [quantitative and qualitative] risk assessment, so here is the information you will need to collect for this assessment:
These data points focus on business-critical systems and will be your starting point to strategically assess your organization’s cybersecurity posture in a risk-based way; this will also become the template for the rest of the organization.
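The following is an added example, not part of the original article, showing one way to turn the identified business-critical systems into a risk-based baseline. It assumes the widely used single-loss and annualized-loss expectancy formulas for the quantitative side (SLE = asset value x exposure factor; ALE = SLE x annual rate of occurrence) and a 5x5 likelihood-by-impact matrix for the qualitative side; the article itself does not prescribe these. The systems, dollar values and rates are constructed placeholders, and the script also flags any system whose inventory skipped people, processes or technology, per the note above.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class CriticalSystem:
    """One business-critical system recorded during the 'identify' step.

    People, processes and technology are all captured, since a 'system' is
    more than hardware and software. All figures are constructed examples.
    """
    name: str
    people: List[str]
    processes: List[str]
    technology: List[str]
    asset_value: float      # quantitative: value at risk, in currency units (assumed input)
    exposure_factor: float  # quantitative: fraction of value lost in one incident, 0..1
    annual_rate: float      # quantitative: expected incidents per year (ARO)
    likelihood: int         # qualitative: 1 (rare) .. 5 (almost certain)
    impact: int             # qualitative: 1 (negligible) .. 5 (severe)


def inventory_gaps(system: CriticalSystem) -> List[str]:
    """Return which of people/processes/technology were left empty at identification time."""
    gaps = []
    if not system.people:
        gaps.append("people")
    if not system.processes:
        gaps.append("processes")
    if not system.technology:
        gaps.append("technology")
    return gaps


def single_loss_expectancy(system: CriticalSystem) -> float:
    """SLE = asset value x exposure factor (assumed standard formula)."""
    return system.asset_value * system.exposure_factor


def annualized_loss_expectancy(system: CriticalSystem) -> float:
    """ALE = SLE x annual rate of occurrence (assumed standard formula)."""
    return single_loss_expectancy(system) * system.annual_rate


def qualitative_rating(system: CriticalSystem) -> str:
    """Map a 5x5 likelihood-by-impact score (1..25) to a High/Medium/Low band."""
    score = system.likelihood * system.impact
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def build_baseline(systems: List[CriticalSystem]) -> List[Dict]:
    """Produce the risk-based baseline, highest annualized loss first.

    The ordering is what feeds the 'protect' step and the budget justification:
    the top rows are the projects to put forward first.
    """
    rows = []
    for s in systems:
        rows.append({
            "name": s.name,
            "sle": single_loss_expectancy(s),
            "ale": annualized_loss_expectancy(s),
            "rating": qualitative_rating(s),
            "gaps": inventory_gaps(s),
        })
    rows.sort(key=lambda r: r["ale"], reverse=True)
    return rows


# Constructed sample inventory; names, values and rates are illustrative only.
SAMPLE_SYSTEMS = [
    CriticalSystem("Customer billing platform",
                   people=["billing team", "platform SRE"],
                   processes=["invoice run", "payment reconciliation"],
                   technology=["billing app", "payments database"],
                   asset_value=2_000_000, exposure_factor=0.25, annual_rate=0.5,
                   likelihood=4, impact=5),
    CriticalSystem("HR payroll process",
                   people=["HR operations"],
                   processes=["monthly payroll"],
                   technology=["payroll SaaS"],
                   asset_value=800_000, exposure_factor=0.5, annual_rate=0.25,
                   likelihood=3, impact=3),
    CriticalSystem("Internal wiki",
                   people=["IT operations"],
                   processes=[],   # inventory gap: nobody documented the process it supports
                   technology=["wiki server"],
                   asset_value=50_000, exposure_factor=0.125, annual_rate=1.0,
                   likelihood=2, impact=1),
]

if __name__ == "__main__":
    for row in build_baseline(SAMPLE_SYSTEMS):
        gaps = ", ".join(row["gaps"]) or "none"
        print(f"{row['name']:<28} ALE={row['ale']:>10,.0f} rating={row['rating']:<6} inventory gaps: {gaps}")
```

The printed table is the starting point the article describes: quantitative loss figures to justify projects in the budget cycle, a qualitative band for executives who do not want dollar estimates, and an explicit list of where the identification step was incomplete so it can be sent back before the assessment is treated as a baseline.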
The last step of this simplified and practical approach is to protect your organization against what you found during the risk assessment effort. Some findings will be easier to remediate than others, but even if you have to introduce projects into the budget cycle, rest assured that because of your “identify” phase, you will be well prepared to justify each project.