Most mature businesses already have several cybersecurity protections in place. Even so, there is a good chance you are approaching cybersecurity backwards, despite covering your bases with multiple cybersecurity controls (e.g. a managed firewall, automated patching, Endpoint Detection & Response tools, Security Awareness Training, security policies, etc.).
We aren’t singling you out for this (promise!). Nearly everyone has a backwards approach to cybersecurity. Allow me to explain.
How We Got Things All Mixed Up
Most businesses approach cybersecurity controls as if they were packing supplies for a camping trip. Specific tools that might be needed are brought into the organization piecemeal: blankets for cold nights, rain gear for wet days, that Swiss Army knife that just feels good in your pocket. Of course, it is always good to bring the right gear and be prepared for various outcomes. But for nearly every small business, the cybersecurity posture can largely be described as “adding tools to the duffel bag.”
The issue isn’t so much that the tools might not work as advertised, or that they don’t integrate well together. Yes, both are common problems. We often see a hodgepodge approach to cybersecurity with partially implemented tools that are not living up to their potential. Many underestimate what is required to properly manage most cybersecurity tools to achieve the desired results, and integrating tools in a meaningful way is hard, even more so in a highly fractured cybersecurity marketplace with far too many vendors and solutions. But focusing on the tools is working on the problem from the wrong end. A business’s biggest cybersecurity problem has nothing to do with tools and tooling.
The Fundamental Problem
The fundamental problem with nearly every business’s approach to cybersecurity is that the Business Plan does not inform the Cybersecurity Plan. First and foremost, it is far too common that the IT experts implementing cybersecurity protections have no exposure to the Business Plan. Additionally, the parties involved in forming or revising the Business Plan often fail to consider the cybersecurity controls needed to protect the Business Plan as it is carried out. It can seem like the only working firewall in a business is the one blocking the flow of information between the Business Plan and the Cybersecurity Plan!
We have got to address this problem head-on. The fix is straightforward: business leaders need to consult with IT security experts who understand strategy while they put together their plans for the business.
Ideally, a fractional Chief Information Security Officer (also known as a virtual CISO, or vCISO) is in the room when the Business Plan is formed. Alternatively, a vCISO could be asked to review a current Business Plan and provide their guidance on how to protect the execution of the plan from risks and threats.
The Fundamental Solution
If you’ve read this far, you likely recognize you have a problem and would like guidance on how to get started on the solution. Bravo!
First things first: don’t make any changes to your cybersecurity tools or vendor mix just yet. The first thing you should do is verify that there is an existing Business Plan for your organization. If there is one, share it with a vCISO to get their assessment of what kind of cybersecurity posture and controls are necessary to support that plan. If there is not one, determine whether your leaders intend to create one that can set a course for 1, 3, and 10 years ahead, and advocate for including a vCISO in the formation of that plan.
The value-add that a vCISO can bring to the formation or refinement of a Business Plan is enormous. There are two foundational tasks that a vCISO will perform early in their engagement: a Risk Assessment and a Business Criticality Assessment.
The Risk Assessment identifies the threats your business faces and works out how it would respond to each of them, whether a regional disaster, a pandemic, or the loss of a key customer. Each threat is rated on two axes, how likely it is and how much damage it would do, and any Business Plan should focus on mitigating the risks that score highest on both. Going through this exercise should be an annual ritual in every business, and a vCISO is adept at overseeing the process and capturing the takeaways in a manner that is clarifying to all involved. Typically, the Risk Assessment workshop takes anywhere from a half-day to a full workday to complete.
The Business Criticality Assessment produces a shared understanding of how much downtime and how much data loss your business can tolerate for each core system you have. In business-continuity terms these are the Recovery Time Objective (how long a system can be down) and the Recovery Point Objective (how much recent data can be lost) for each system. Naturally, nobody wants any downtime or loss, but everything in a business involves allocating limited resources in a cost-effective way, and the backup and recovery controls you buy should be sized to these tolerances rather than to a vendor’s default. A vCISO brings both a process and the skill needed to tease out the truth about how much downtime you can tolerate and how much data loss you can absorb and still keep operating. Typically, Business Criticality Assessments take somewhere between a few hours and a few days to complete, depending on how complex your organization is.
Integrating Cybersecurity into Business Plans
While there is much more that can be done to align business strategy with cybersecurity strategy, we would take it as a win if all businesses started routinely building their Business Plan on a Risk Assessment and a Business Criticality Assessment. If businesses consulted these assessments whenever cybersecurity tools were deployed and money was spent, it would lead to a clearer understanding of which risks were being mitigated and which critical business assets were being protected. It would also make it far more likely that the resources spent were directly addressing the most impactful and most probable threats to the business.
Few businesses will know how to perform these assessments effectively without expert guidance the first time. And without a vCISO helping to inform leadership, it is unlikely that a business will approach cybersecurity in anything other than a piecemeal and reactive manner. This is one of those areas where bringing in an external consultant is not just highly impactful; it is likely the only way to do this right on a small business budget, since very few small businesses can afford a full-time security-focused leader such as a Chief Information Security Officer.
Contact Net Friends today and get started with a Risk Assessment and/or a Business Criticality Assessment as part of our vCISO services. We’re eager to help, and we will readily produce results that transform your business for the better.
At Net Friends, we believe in the power of human expertise. While we leverage AI to enhance our content and processes, all blog posts are written and edited by our knowledgeable staff. You can trust you are getting insights directly from our team.