2019 – Make it the Year for Cyber Resilience

Did you work hard last year to improve cybersecurity?  Did you manage it well, or get lost in the details?  Some organizations handled it well, and others had trouble meeting cyber resilience goals. In 2019, make it the year for cyber resilience success. Resolve to elevate your perspective for cyber security.

Here are five principles to help increase your cyber resilience this year.

Resolution 1: Learn from others’ mistakes.

The new cybersecurity poster child is Equifax. Their breach exposed a new level of negligent behavior and its resultant damages. Estimates of direct expenses as high as $275 million have been reported, and long-term legal expenses may be in the billions of dollars.

Resolve to learn from Equifax by implementing policies and processes based on national standards developed by experts (e.g., NIST CSF).  Training your people, and having solid policy and process, you will doubly make sure they’re being executed.

Resolution 2: When a need is obvious, take action now!

Stock index evaluator MCSI gave Equifax a 0 for 10 rating before its major cyberbreach. Eleven months later when the breach occurred, management had still failed to ensure that well-understood policies like applying patches were being carried out regularly.

Resolve to act immediately and put a remediation plan in place if you become aware of shortcomings in your program. The 3 P’s – People, Policy and Process – should become your company mantra for cyber resilience.

Resolution 3: Be deliberate about improving continuously.

Given the dynamic nature of cyber threats, if we don’t move forward, we move backward. A wise mentor repeatedly said, “No plan is a plan to fail.” To get the most from your continuous improvement program, base it on established standards that provide a comprehensive framework for assessing current status and choosing appropriate next steps.

Resolve to establish a program of continuous improvement based on generally accepted standards like NIST CSF and industry-specific standards like FFIEC CAT.

Resolution 4: Share responsibility across the organization.

While IT and Security carry the majority of the burden for ensuring cyber health, many other stakeholders play critical roles. Not engaging them in an improvement program limits its value. For example, Human Resources introduces significant risk every time it onboards a new hire, and every time an employee departs the organization, and often security holes are left behind. Likewise, Purchasing can introduce risk by inadequately vetting the security practices of old and new vendors.

Resolve to include relevant areas in your improvement program, e.g. HR, Purchasing, Internal Audit, General Counsel, and Risk Management.  Create a culture where everyone understands his or her role in cyber security to create resilience up and down the organization.

Resolution 5: Audit cyber measures with similar rigor as financial audits.

The ultimate value of a continuous improvement program depends upon how well it is being implemented. Regular audits of your improvement program can reveal any shortcomings and suggest potential enhancements. By using accepted, well-documented standards, internal and/or external auditors will have a framework to guide them as they examine responses and artifacts provided by stakeholders.

Resolve to institute in your cyber policy and process regular auditing of your continuous improvement program to ensure that it is being implemented effectively, efficiently and across the organization.

---

Another wise mentor once told me, “Never mistake activity for results.” It’s easy to get mired in the details of managing cyber security and lose sight of the ultimate goal.  Executives need to ensure that they are doing the right things and be certain why they are doing them in order to have success.