Cybersecurity can be overwhelming for decision-makers in an organization. There are so many threats that can impact your business that keeping track of them all, and coming up with ways to mitigate them can seem like a daunting task.
Fortunately, you don’t need to be a cybersecurity expert, or aware of every single threat to defend your organization’s assets. All you need are a set of cybersecurity goals unique to your organization and your industry.
No two organizations will have the same goals, so it’s important to follow a few steps to define yours.
1. Make a plan
The first step in achieving any goal is making a plan to meet that goal. Cybersecurity goals are no different. Create a cybersecurity strategy that will guide you in designing and implementing your information security program. This plan should outline your goals: the assets you intend to protect, the threats you’re protecting them from, the metrics you’ll use to measure your security function, and how your cybersecurity goals will protect your business. (We will get into each of these points a bit later.) This plan isn’t just for the security team: your leadership should know the plan and commit to it as well, and everyone in your organization should have access to it.
2. Know how cybersecurity affects your business goals
Many businesses will implement cybersecurity controls because they “have to” – for compliance reasons or because they’ve been sold on a new tool. While compliance is important, it’s critical to understand how security intersects with your business objectives. This means understanding the specific data and systems that need to be protected in order for your organization to continue functioning, even in the face of an attack or breach.
3. Define your security goals
What specifically are your cybersecurity goals? Do you want to protect customer data? Keep attackers out of specific systems? Educate your team about cybersecurity hygiene? Do you want to make sure your business continuity is safe, even if an attack compromises some systems? It’s tempting to say “yes, I want to do all of that,” but the most effective goals are specific and measurable. Choose your biggest cybersecurity priorities and focus on the goals related to those.
4. List your critical assets and threats
Do you know what, exactly, you are trying to protect from cybercriminals? Knowing which assets you’re protecting is one of the first steps in securing them. This doesn’t necessarily mean securing only the assets that keep you awake at night — it means listing every asset that might be compromised by an attacker. This can be data, but it can also include mission-critical systems or networks. When you know what your assets are, you’ll also have a better idea of the threats that will compromise them. By listing your threats you’ll be better able to understand which controls will mitigate them.
5. Understand the costs
When security is seen as something that an organization has to have, and leadership doesn’t properly understand it, that can lead to underfunding. Cybersecurity costs money, after all, and leaders may not feel it contributes to the bottom line. For this reason, it’s important to truly understand the costs of cybersecurity: not just what controls, tools, and staff cost, but the cost of not having those controls in the first place. How much will it cost if there’s a breach and no plan to contain it? According to the Ponemon Institute, the average cost of a data breach in 2020 was $3.86 million, and that average can trend upward depending on your industry and location. Know the costs you might be facing before you make decisions about your cybersecurity goals.
6. Develop metrics that will help you measure your program’s success
You can’t manage what you don’t measure, so you’ll need to plan how to measure the success of your security function. Choosing metrics isn’t always straightforward: some organizations measure too many, some choose irrelevant metrics, and others focus only on reactive metrics. Pick a few key performance indicators (KPIs) that tell you how your program is performing. These KPIs should be relevant to your specific organization, should be easy for leadership to understand, and should be “leading metrics,” or predictors, that indicate the likelihood of a future breach. A security rating, for example, is a leading metric.
7. Make sure cybersecurity is everyone’s job
You can have the best tools and controls in the world, but one phishing scam and an unwary employee can be the cause of a breach that may cost you millions. According to a recent report by Keeper and Ponemon, 48% of attacks on organizations involve phishing or social engineering, relying on tricking an employee or third party into giving up credentials or other valuable information. Social engineering scams are often sophisticated attacks that can target even well-trained employees, but cruder attacks (emails that claim to be from trusted sites can trick a person into clicking and entering valuable information)
8. Plan for your third parties
Your organization’s information infrastructure extends beyond your employees, and so should your cybersecurity strategy. Your third parties (vendors, partners, and suppliers) are part of your organization’s extended ecosystem. They often have access to some of your data and networks, and bad actors will often target third parties in an effort to steal the data of their clients. A cloud storage provider, for example, is an attractive target for a cybercriminal. A survey conducted by the Ponemon Institute and publicized via Security Boulevard found that 53% of organizations have experienced one or more data breaches caused by a third party, costing them an average of $7.5 million to remediate. In addition, the number of third parties organizations work with is high and rising. According to Gartner, an average organization contracts with 5,000 third parties, and 72% of compliance leaders expect that number to increase by 2022.
9. Build an ISMS
An information security management system (ISMS) goes beyond your cybersecurity strategy or goals. An ISMS is a set of policies, procedures, processes, and systems that manage information risks, such as cyber-attacks, hacks, data leaks, or theft. All the steps necessary to protect against threats are included in an ISMS. Creating and maintaining an ISMS is a task that requires input from more than simply the security team. You’ll also require input from leadership, and from the rest of your organization.
10. Plan for upkeep
You can’t simply set and forget your controls or your plans. You need to continuously monitor your program, and tweak it to fit new assets, new threats, and new stakeholders. To do this, plan to review your strategy, controls, and ISMS regularly, and also consider using a smart tool that will help you monitor your controls, the safety of your network, and any threats that might directly impact your organization.
How SecurityScorecard Can Help
SecurityScorecard’s security ratings offer a simple, easy-to-track metric that allows you and your organization’s leadership to understand the cyberhealth of your extended enterprise at a glance.
Our security ratings use an easy-to-understand A-F scale across 10 groups of risk factors with 92+ signals, so you can see, at a glance, where your security problems are and what actions to take. Our platform alerts you to problems as soon as they appear and automatically generates a recommended action plan when any issues are discovered, so you can stay proactive and prevent breaches before they happen.