5 Steps to Upleveling Your Cybersecurity Program

Hello everyone. Welcome to the first blog on our new website! I'm Rock Lambros, the CEO & Founder of RockCyber. I founded RockCyber in 2018 because we have a massive problem in cybersecurity. We are going into the third decade of the 2000s, and we still largely SUCK at partnering with the business. Tactically, cybersecurity is still seen as "the department of no." Strategically, we bore company leadership to sleep with metrics like "how many attacks did the firewall block this quarter," or "how many critical versus low vulnerabilities are within the environment month over month." While these metrics might be great operationally, they do little to garner support across the organization. Most of all, they fail to garner trust that you can see above the trees as THE cybersecurity leader your organization needs.

How do I know this? Let's ask corporate boards of directors. I belong to the National Association of Corporate Directors (NACD). According to the NACD, less than half of organizations believe their board and executive management have a sufficient understanding of cybersecurity to evaluate security controls fully. When public company directors were asked to rank the quality of the information provided by senior management, cybersecurity was rated the LOWEST.

Meanwhile, over 65% of Chief Information Security Officers now report to their boards at least two to four times each year, and their audience is increasingly the full board rather than a separate subcommittee. This problem does not only affect public organizations. It affects privately held organizations as well. 

Simultaneously, as security leaders, we struggle to fight a continually changing technology and threat landscape with limited budgets and resources. Even if budget and resources weren't limited, we still couldn't secure ALL the things, so where do we start? First, we have to change the notion that we are merely technology leaders. Cybersecurity leaders HAVE to be business leaders...the leaders that people WANT to turn to help solve problems and ENABLE strategy, and not be the group that is only there to get in the way or check some compliance checkboxes. In the cyber-physical world, where operational technologies or Internet of Things technologies are involved, cybersecurity can very often equate to safety, so ensuring YOUR cybersecurity programs have the support, trust, and resources they need becomes even more critical. 

RockCyber helps organizations with cyber-physical processes decrease their risk to safety and revenue through a curated program that: baselines the capabilities of their current cybersecurity programs, triages potential cybersecurity problems in terms of business risk, appropriately secures and allocates budget, guards digital and physical processes, and measures the effectiveness of cybersecurity investments.

RockCyber has worked with many companies, and we have come up with our unique process based on our experiences across many different industries. We've done so by implementing a process we call the "5 Steps to Upleveling Your Cybersecurity Program."

The five steps are:

  1. Discover

  2. Assess

  3. Recommend

  4. Execute

  5. Optimize

Allow me to offer an example of how we applied our process through a client case study.

We have one client that services the energy sector. New CIO, mostly new company leadership, and they had no formal cybersecurity program to speak of. Frankly, sensitive information was leaving the company like water over Niagara Falls. More importantly, they didn't understand why it was bad to have control systems connected directly to the Internet (in case you are wondering, it's bad). The new CIO brought RockCyber in to help. Really, where do you begin in a situation like this? If you thought to yourself, "a risk assessment", well you would be right...sort of. We baselined cybersecurity capability across multiple business units, even though there wasn't a formal, centralized program. We applied our "5 Steps to Upleveling Your Cybersecurity Program" to tackle this challenge.

In the Discover step, we zero in on areas where a cybersecurity incident would have the most significant impact on your organization's safety or revenue. You may consider this as a "common-sense business impact analysis," taking into account any formal business impact analysis you may have already conducted. This process brought clarity to business units where we should focus our efforts. It also highlighted areas where our client didn't focus because of resource constraints, budget, in some cases, even corporate politics, and so on. As the unbiased outsider, we were able to bring these areas into our efforts. 

Taking all of the above into consideration gave us a good sense of where to focus during the next step: Assess.

Here, we conduct a comprehensive evaluation of your security program. This is not your traditional risk assessment where you pay an expensive consultant to come in, ask questions, drop a report off, and leave. Because of decades of our experience as actual security practitioners (which is a nice way of saying, NOT CONSULTANTS), we can dig deep into a variety of areas and capabilities of your cybersecurity program. We use a Software-as-a-Service platform to store your results that you can access whenever you want. The benefit is that this establishes a baseline of your cybersecurity program's capability that you can continuously measure against while gaining greater visibility and accountability across business units. It's amazing what "gamification" does for a security program when leaders know they are being compared against their peers in other business units. For our client, this meant seeing glaring gaps in capabilities for the first time, along with over-investment in some areas and significant under-investment in the areas we identified in the Discover step as having the greatest impact on safety and revenue.

In the third step, Recommend, we distill all of the information we have learned and curate a "right-sized" 18-24 month roadmap with cybersecurity investment recommendations, prioritized by the most significant risk to safety and revenue. This roadmap is not just a project item on the Gantt chart. Each item includes references to a framework, such as the NIST Cybersecurity Framework, but we also build a business case by defining the desired: 

  • Value and outcomes,

  • Key activities,

  • Key dependencies,

  • Cost factors, and finally, an

  • Estimated timeline to implement in your environment.

We do not just focus on technology like some larger organizations looking to sell you a product. The roadmap will include efforts to improve upon people, process, AND technology. Remember how I told you that this client didn't understand why it was bad to have control systems connected directly to the Internet? Well, you can bet that issue and overall network segmentation were towards the top of the list, but before we came in, IT couldn't even get a conversation with the operations folks who managed those control systems. We used the CIO's opportunity to play the "new guy" card to learn more about their environment and the processes they controlled. We also used the opportunity to advocate improved bandwidth capacity at some of their facilities that significantly improved network performance, and subsequently, system performance. We made instant friends. 

The fourth step is Execute.

We had to get the funding from the board, and we did, for most of the items in the roadmap. Everything is a negotiation, right? Alongside the CIO, we presented our case to the board, in terms they could digest…which, by the way, DOES NOT include talking about how the latest zero-day attack can embed itself into the control system firmware to do nefarious things. Because we could speak in terms of risk to the business AND show that we had the support of every business unit, we received funding and resources to allow the CIO to start executing on the roadmap.

Finally, the fifth step: Optimize. 

Since we store the assessment results in a Software-as-a-Service platform, we can:

  • Measure and track the progress of cybersecurity investments and initiatives over time,

  • Measure the effectiveness of the investment in those initiatives,

  • Adjust budget and resource allocations quickly, and lastly,

  • Better communicate cybersecurity program maturity and risk reduction to the C-Suite and to the board.

This provides a feedback loop into the Discover step of your next assessment. For our client, leveraging our methodology resulted in an exponential growth in their cybersecurity capabilities from a people, process, and technology perspective. It also provided a method for continuous improvement, fostered better partnerships across IT and other business units, particularly operations, and it ingrained a culture of security across the organization. 

Now…imagine RockCyber using this methodology to help you achieve these results. 

As I mentioned earlier, we've worked with many companies to hone our approach, leveraging the lessons we have learned to maximize results for your company.

We WILL identify gaps and risks and develop a detailed, prioritized roadmap of mitigation activities that will get YOU the ear of your leadership.

We WILL develop a baseline understanding of your cybersecurity program's capabilities that is measurable and that you can trend over time.

Our process will help YOU secure budget and resources, and a method to track the effectiveness of those investments over time. 

Go from being viewed as the "Department of NO" to the "Department of HOW".

Curious to learn more?

As you and I both know, actions speak louder than words, ESPECIALLY in cybersecurity. 

Take action! Let's get laser-focused on leveling up your cybersecurity program. Click here to book a complimentary 30-min "whiteboarding session." I, personally, conduct these whiteboarding sessions, so availability is scarce and on a first-come-first-served basis. So, please, go ahead and click the link below. Thank you SO much for your time today! I look forward to meeting you and helping you level up YOUR cybersecurity program with RockCyber.
