“If you don’t know where you’re going any road will get you there.”
This well-worn adage certainly applies to the current state of corporate cybersecurity, which remains an amalgam of good intentions with limited planning and execution. The risk, of course, is not knowing when you are the next target. And concurrent with the increasing likelihood of an adverse event is the rising cost of insurance coverage – standalone cyber premiums grew 8% from 2016-2017 while total U.S. cyber premiums hit $1.84 billion in 2017, a 37% increase over 2016 (source: Aon).
So, how do you know when you have yourself prepared for the ever-expanding world of electronic malevolence? (Please note the use of the word “prepared,” not “protected,” a state of readiness apparently no longer attainable by any entity, however seemingly secure. See NSA, DOD, Chase, White House, etc.)
Not surprisingly, a good place to start is with an inventory, a Cybersecurity Assessment of where you are today. This is your baseline for where you need to go. Done correctly, the assessment can point the way toward a meaningful adjustment of all facets of the organization impacted by a potential cyber threat. It will inherently close the gaps revealed in your current state of cyber risk and security.
The first consideration is the scope of the assessment. Where do you draw the line of concern? It is impossible to know the exact degree to which certain aspects of potential concern present risk. Issues such as mobile devices, work-at-home equipment, cloud services, third party suppliers, retired/discarded electronic devices, etc. all warrant inclusion in the preliminary list. A deeper dive into the specifics around each exposure will winnow down and prioritize the urgency and importance each is assigned.
The second step is to define a Target State, the level of readiness and vigilance you seek to attain for the organization. Once documented, you will then be able to identify the gaps between the current state of security and your intended security goals. Without the detailed understanding of your Current State afforded by the assessment, you will not have the information necessary to develop a rational gap closure plan.
The final and essential step toward meaningful cybersecurity risk management is buy-in and support from the executive management team. It is they who will allocate resources to the effort, so it is critical that they understand the risk exposures revealed by the assessment. The diversity and complexity of expanding organizations through third party partnerships, shared technology resources and flexible workforce strategies challenge authority and simple lines of control. The result is the creation of new vulnerabilities and the extension of existing ones. Management must understand the ubiquity of the technological threat posed in the modern world and respond appropriately.
In summation, proper and effective cyber risk management is fueled by accurate and current information. The assessment is a foundational tool to begin the process. The information gleaned from the effort will inform all stakeholders in the enterprise and show a path forward toward greater preparation against unseen threats in an increasingly hostile environment.
To get started with your cybersecurity assessment, download comprehensive guidance from NIST (National Institute of Standards and Technology).