Edit: In case you missed the show, we have a video of it posted at the bottom of this blog post. Enjoy!
We've been working on a knowledge base of helpful content for the cybersecurity community, and one of the open questions we asked was: How do you build a cybersecurity risk management program in the current business environment? If your budget has been cut, but you're still expected to deliver on high expectations, what are the top, most important things you should focus on?
We decided to take that question and provide some answers (keep reading below). Additionally, we’ve organized a live, Ask Me Anything Q&A session on this topic for July 8. We’ll have our CTO and a few of our engineers ready to provide guidance from their experience, and from the things we’ve learned from all our customers and partners. We thought we’d keep it short (20 mins) so you don’t have to make a big time commitment to pick up some helpful info. If you would like to receive an invite to the 20 minute AMA, click here to register.
So, if you’re building a cybersecurity risk management program, what are the first 3 things you should focus on?
Let’s define this first. What is “Buy-in”? Buy-in refers to having the right people around your company bought-in to the idea of why your risk management program needs to exist.
Why is Buy-in important? Big company or small, very few things get built or grow well when they live in a silo. If you don’t have support from others around you, you’ll find it impossible to make it through cyber assessments, for example. You’ll need VPs to communicate why those assessments are so important. And you’ll need team managers, responding to the VPs, to make sure their teams are answering the assessment questionnaires. There are hundreds of other examples like this we could go through. Suffice it to say, without Buy-in, you’ve got a steep uphill battle ahead of you.
So, how do you get buy-in? This could be an entire post on its own. Join us in the live AMA mentioned above; we’ll definitely cover this. For the purposes of this post, let’s narrow the focus a bit. If you’re getting your program off the ground, you’ll need to think about what the most critical needs are for getting started and growing. What are those things? Can you get those things on your own? If not, who would you go to? Those are the first people you need to get Buy-in from. You can use this same line of questioning all the way through your program to figure out who you need to involve next.
An example of something you’ll need Buy-in for is your first assessment. We refer to this as your Baseline and it’s covered below as the second item in our list of the 3 top things to focus on.
When you’re planning out your program, you’ll need to know where to prioritize your efforts. The only way to know where to focus first is by knowing the state of what’s working and what’s not, or what exists and what doesn’t.
We refer to this process as establishing your Baseline. Essentially, what you’re doing here is conducting your first assessment. You can judge the results as good or bad, but the better thing to do is just take them as a starting point. Look at the data from the assessment, rank each category with a score related to how high/low the risk is for your company and then start working on a plan for remediations and improvements.
Sometimes, this process of establishing a Baseline is easier said than done. For example, there are a ton of assessment frameworks out there. Not all of them will apply to your business. With some of them, you won't even need to use all the questions, only some of them. There are online forums and guides that go through this, but the truth is, there’s so much information out there, it can be a little daunting. We routinely help our customers with answering these types of questions. We’ll also cover this in the live AMA so make sure to tune in.
The third most important area you’ll want to focus time on when building your risk management program is establishing a budget for running the program.
Admittedly, there is a bit of a “chicken and egg” situation here. Most likely, in order to run your first assessment, you will need some funds allocated so you can run the assessment and get your Baseline results. Those Baseline results are what you’ll need in order to determine what your budget will be going forward.
Hopefully, since you’ve been hired to run this program, there is some understanding that you’ll need some funds to assess the situation. For this article, we’re going to go off that assumption and we’ll focus on determining what your operational budget should be. If this is not the case for you (no budget at all, even for a first assessment), join the live AMA and we’ll discuss this scenario.
Ok. So, you’ve done your first assessment and have your baseline results. You have a good understanding of where the risks are and what controls are needed. The first step in figuring out what your budget should be going forward is to prioritize the areas that need attention.
How do you figure out which areas need attention first? Start with what’s most important to the business. Your company may have a Chief Information Security Officer (CISO) who has set a strategy that makes prioritization decisions simple. If not, find out whether your company needs to maintain certain compliance requirements for clients and/or regulatory organizations. If this is a requirement for your business, this is the place to start, because if you’re not in compliance, you’re out of business.
Review the areas where a new control is needed or where a control needs to be updated in order to maintain compliance. Here are the big areas to think through to establish your budget:
Think about how long each of those missing control areas will take to complete a remediation (the process of satisfying the control requirement). Think about who will need to be involved (add them to your Buy-In list) and how much of their time will be needed (internal teams as well as vendors/suppliers). Think about any hardware, software, or other materials that need to be purchased to put the control in place.
Think about managing all of these efforts over the time it will take to meet compliance. You'll need software to have everyone collaborating in one place, storing documents in a single repository, tracking the progress of each initiative, and then turning it all into progress reports and ultimately into compliance reports. Ideally, this would be the same software you use to run assessments in the first place.
Need help with a scenario that doesn’t quite fit in the compliance-based approach above? Join us July 8 for the live AMA. We may have mentioned it a time or two above. ;)
These three items for building your risk management program are going to take you some time. Don’t rush, be thorough. There is a lot of ground here to cover but if you take it one small step at a time, you’ll get there.
At SecurityGate.io we’re always happy to help with suggestions and guidance – take us up on the offer and chat with us any time at www.securitygate.io. Don’t forget to register for our quick Ask Me Anything event here. We’ll be looking forward to discussing more with you on July 8.