5 steps for a scalable cybersecurity program

by Anthony Hargreaves

With our rising dependence on technology and organizations managing an abundance of business and personal data, having a robust cybersecurity program has never been more critical. Threats such as fileless malware attacks, cybercriminals using artificial intelligence (AI) for realistic phishing emails, cryptocurrency attacks and Internet of Things (IoT) vulnerabilities are all expected to increase.

Your cybersecurity plan should protect your assets, adapt to changes in the cyber landscape and provide a process for restoring operations if an incident occurs. There are many frameworks available to guide management and staff on the mechanics of a cybersecurity program, but how do you get started?

Here are five steps to creating a scalable cybersecurity program.

1.  Identify and communicate what needs to be protected

Start by identifying and defining your organization’s critical infrastructure and data assets. In addition to digital and paper financial information, remember to include physical elements such as manufacturing equipment, employee medical records, corporate brand assets and people assets. Make sure you include the life cycle of those assets as well: how they’re created, purchased, stored, sold, modified, maintained, transmitted and purged.

A detailed network diagram, which can cross-reference both the network boundaries of the IT environment and a data classification policy, is essential to this step. You should also be able to communicate which assets are important, where they’re located and who is responsible for them. Share key policies with your staff, such as your IT Security Policy, Acceptable Use Policy and Code of Ethics/Conduct. You’ll also want to conduct security awareness training and onboarding for your staff. Make sure your staff is aware of communication channels such as incident response handling procedures, email addresses, phone numbers and appropriate escalation paths.

2.  Assess and classify roles

Evaluate your organization’s current state of data protection. Identify key vulnerabilities, legacy systems, access points and the flow of data in and out of the organization. Create a hardware and software inventory listing that maps to your network diagram and data classification.

Next, review and classify access to these critical data assets via role-based security measures. Ensure these reviews are conducted in a manner that provides auditable and sustainable evidence of the review and management signoff. Include third-party vendors and external forces that access the network.

Performing a cybersecurity risk assessment with a cross section of staff across your organization will provide valuable insights. If you ask a facilities manager, a network engineer and a finance controller what they consider to be a cyber threat, they’ll give you varying answers. Asking them to come up with a common definition serves as further education, improves IT security awareness, and will help you create a risk register of known and potential threats.

3.  Develop and prioritize processes

The next step is to prioritize the action items you’ve identified to address cybersecurity vulnerabilities. Prioritize these items based on your organization’s available resources and appetite for risk. For example, a treatment plan for patch management may be prioritized over an HR issue… unless that HR issue is to hire an IT Director with heavy patch-release experience.

A key tip is to estimate the cost for each remediation step and then create a timeline. Communicating this information to finance and management will help start the process of operationalizing your remediation steps. Your organization can begin being proactive instead of reactive to risk.

4.  Respond and enforce

With a common framework in place, your organization can begin enforcing established policies and procedures for security. Make sure to track issues that arise and other key metrics, and report those up to the board.

5.  Continuously learn and evolve

You never want a cyber threat to repeat itself, so the ability to learn from historical data and adapt your risk management strategy is key.

You’ll also want to keep up-to-date on cybersecurity trends and threats so you are prepared for anything that could come your way. The AICPA's Cybersecurity Resource Center is a great place to start.