5 steps for initiating cybersecurity implementations
The year 2020 brought changes worldwide in lifestyle, in how people learn, and in an accelerated dependence on technology, which forced many organizations to modify the way they operate.
The change was so fast and unexpected that even IT teams were not prepared for it, and in many cases, for lack of time, cybersecurity was neglected because the priority at that moment was ensuring business continuity above all else.
The period of adaptation to this new way of working, or, as some call it, the “new reality,” is over. Now that operations depend directly on technology, it is time to consider starting cybersecurity implementations in the organization. However, companies commonly find it difficult to define where to start. Therefore, we will go over some basic steps to take before designing a strategy that will allow cybersecurity to be executed across the entire organization:
Step #1 Identifying the applicable laws and regulations
It may seem like a strange way to start a cybersecurity implementation plan, but it is also the most effective.
If your organization is, or represents, a financial institution, a government body or a health organization, there are most likely laws or regulations in your country that require the implementation of protective measures for information security. Therefore, as a first step, it is recommended to identify which regulations, laws or good practices must be implemented in order to operate correctly in the country or countries where the business is located.
In Costa Rica, for example, all organizations in the financial sector are regulated by an entity called SUGEF, which issued the agreement “SUGEF 14-17.” It contains the minimum requirements for the management of information technology that organizations supervised and regulated by the Costa Rican financial system must follow. In the IT field, this agreement aligns perfectly with the implementation of COBIT 5 or COBIT 2019.
Step #2 Support from Upper Management
No step is more important than another; however, this one stands out as essential because the support of upper management is often underestimated.
No project or initiative (in cybersecurity or any other area) can succeed without the funds or workforce necessary for its implementation, and the only people who can provide these resources belong to upper management. Even if you are the president of a company, you will need the commitment, or at least the agreement, of the other members of your board of directors. If they do not support the project, it may be delayed or come to a halt.
Step #3 Establishing Objectives
It is important to treat cybersecurity as a business case, in which you invest certain resources and expect positive results. Normally, if the company reaches the goals originally established, the investment is considered worthwhile; the opposite conclusion may be drawn if something is not working well.
Since things can become complicated, achieving a commercial advantage or reaching the goals requires designing and establishing clear and quantifiable objectives. For example, an objective cannot be “We want to have security,” since it provides no information and is neither clear nor quantifiable; on the other hand, “Attracting 2% of new clients who are interested in cybersecurity in the next 12 months” or “Bringing down the cost of security incidents by 50% during the next 24 months” are correctly stated objectives.
Properly identified objectives will let you know when the quality of your cybersecurity is deteriorating, since cybersecurity should operate as a process of continuous improvement.
Step #4 Framework for the implementation of cybersecurity
Once it is clear what is to be accomplished, it is necessary to define how it will be executed. Cybersecurity is not something that can be finished in one or two weeks. Keep in mind that such a project will involve many people in the company, as well as its suppliers, business partners and clients. Likewise, it will imply changes to current procedures and job responsibilities, to technology, to human resources practices, and so on. Cybersecurity implementations are therefore hard work.
The most appropriate approach is to rely on publicly available frameworks of proven effectiveness. The best known are:
ISO/IEC 27001
It defines how to implement and manage an information security management system (ISMS).
COBIT
It is an IT governance and management framework.
NIST SP 800 Series
A series of more than 100 publications on IT security, mostly focused on technical security topics.
PCI DSS
It focuses on improving the security of payment card data. This framework is made up of specifications, tools, measures and other very specific resources for data security and the technical protection of payment systems.
ISO 22301 and BS 25999-2
They aim at the development of a business continuity management system.
Step #5 Training and awareness-raising
Many organizations implement cybersecurity frameworks and good practices but leave aside the work of training and raising awareness among all personnel in the organization; this can be considered one of the biggest mistakes when working in cybersecurity.
Many people within the organization generally see security as a burden. It is no secret that nobody likes changing passwords frequently, and it becomes more of a challenge as passwords must be made more robust each time. The same attitude applies to every other security rule. Hence, if users are not given an explanation of why a rule is necessary, they will probably look for ways to evade it. The right approach is to present the benefits that these protective measures bring to the company, and to make clear that they are a task and responsibility shared by everyone.
These steps, basic as they are, are the first that any organization must take in the field of cybersecurity. If your organization wishes to design its own cybersecurity strategy and does not know where to start, let us work together and make it a reality.