Several years ago, an employee at an organization I worked for was terminated from his job, effective immediately. While being escorted from the facility this user picked up “his” backup media and started to leave the building. Fortunately, the security guards thought this was a little suspicious and escorted the user to the data center to ask whether this was permitted. They learned it wasn’t permitted and the user challenged the company’s right to confiscate of “his backup media”. In this case, the company had the foresight to implement an early version of a cybersecurity management program (CMP) backed by a CEO endorsed cybersecurity policy. This program contained a simple, mostly overlooked clause in the user account agreement that assigned ownership of all data created or stored on media written on by company computers, and the media itself, to the company without reservation. Since the user had signed this user account agreement, he had given up all rights to the media and its contents. The company retained the media and the former employee was summarily escorted off premises. The backup media contained some of the company’s latest designs, which he was attempting to steal. Without their CMP, the company could have been exposed to serious financial risk and potentially reputational damage.
Insights on Cybersecurity Management
Benjamin Franklin once said: “If you fail to plan, you are planning to fail”. Today’s cybersecurity equivalent is: “If you fail to manage cybersecurity, it will fail and your organization will be compromised , if it hasn’t already”.
More than ever, it’s important for organizations to plan, create, and execute effective cybersecurity management programs. When these programs are missing or partially adopted, structure, consistency of management, and comprehensive cybersecurity are compromised. An intruder only has to find one cybersecurity weakness to compromise your organization; your organization has to properly manage hundreds or even thousands of cybersecurity controls and settings, as well as user activities. Even if your technical cybersecurity controls are perfect, an errant employee can still attempt to exfiltrate sensitive information. This is where your wide-ranging CMP can help.
A failure to communicate issues is most often revealed in grassroots cybersecurity initiatives that have evolved into corporate cybersecurity programs. This typically results from an enterprise in startup mode implementing solutions to address specific technical challenges. Unfortunately, many organizations continue to employ the same approach to secure much larger and more complex environments. No longer simply a technical solution, cybersecurity management is now a business function as it has boardroom visibility. As a business function, a greater level of integration with other business units requires a greater level of transparency and performance reporting.
Top 5 Keys to Success
Organizations should not underestimate the necessity of developing and implementing an effective cybersecurity management program (CMP). The introduction of a CMP affects virtually every individual or group in an organization, so it is essential that the final cybersecurity program address everyone’s needs. If organizations apply these statements in the order given, they will have the highest probability of successful development and implementation of a CMP:
1. Identify and gain support and commitment from a member of the Senior Leadership Team (SLT) to introduce a CMP.
2. Develop an enterprise wide cybersecurity program charter (effectively the cybersecurity strategy for your organization) and submit to the CMP sponsor for socialization with the SLT and endorsement by the CEO.
3. Create a CMP project work plan, the first task of which is to develop the cybersecurity policy. In larger enterprises, it is likely that multiple project managers may be necessary.
4. Establish and mandate a document review process and version management system to support ongoing management of CMP documentation.
5. Complete work on the Cybersecurity Management Framework’s strategic elements first. However, it is also likely that multiple elements may be developed in parallel especially where there are no or few dependencies between the elements.
Find the other 5 keys to successful CMPs in Cisco Security’s new white paper:
http://www.cisco.com/c/dam/en/us/products/collateral/security/cybersecurity-management-programs.pdf
Developing your CMP
Development, implementation, and maintenance of a cybersecurity management program for an organization is not a small undertaking. However, the overall value that organizations achieve through development and implementation of such programs includes reduced instances of successful cyber attacks. Moreover, a cybersecurity management program provides organizations with a means to reduce a successful attack’s impact due to its programmatic predefined approach for identifying and responding to cybersecurity incidents.
Great information from Stuart on key success factors for building a CMS. So many times, a lot of effort goes to waste in attempts to build an Information Management Security Program because it doesn’t include all the key players necessary for success or doesn’t receive the formal support of senior management and the Board. This is great advice and a must read for anyone tasked with building or updating such a program.
Thanks for sharing your war stories Stuart. Good lessons learned and a truly reference white paper also. I greatly enjoyed reading both.
A very useful lesson Stuart in how easy it CAN BE to secure organisational non-public data with a little advanced planning and foresight. “Be Prepared!”
Great information from Stuart on key success factors for building a CMP. So many times, a lot of effort goes to waste in attempts to build an Information Management Security Program because it doesn’t include all the key players necessary for success or doesn’t receive the formal support of senior management and the Board. This is great advice and a must read for anyone tasked with building or updating such a program.
A comment in Cisco’s newly published 2015 Mid Year Threat report (http://www.cisco.com/web/offers/lp/2015-midyear-security-report/index.html?keycode=000854768) comments that: ‘Lack of access to in-house security expertise is a key factor for the piecemeal or “patchwork quilt” approach that many companies take when building their security defenses’, also supports the need for companies to define and use a Cybersecurity Management Program (CMP).
When staff shortages are rife having an operational program written down and followed will save time and will support the staff that the company still has perform the most effectively and efficiently they can – they don’t have to continuously reinvent the wheel.
Using a CMP also supports elimination of a patchwork security defense, since it encourages a well-thought out, consistent and manageable approach to protecting information.
Thanks for the Great information Stuart!!