10 Organizational Cybersecurity Imperatives
In recent years, the Center for Digital Strategies has been fortunate to observe and work with a number of large companies as they wrestle with the challenges of cyber/information security. Those challenges are mounting, not only because of the number, resources and sophistication of bad actors, but also because of the consumerization of information technology, the proliferation of connected devices and the digital transformation efforts now under way at many companies.
Here are ten lessons for management that we’ve learned in watching these talented people and organizations address the trials of defending their data, people and organizations:
- Accept that it’s not “if”, but “when”: the days when a strong perimeter was mostly sufficient to keep attackers out are long gone, so plan on the assumption that some compromise will occur;
- Embrace “deter, detect, respond, remediate”: a defense-in-depth approach whose stages run in sequence and which depends on robust threat intelligence, continuous monitoring and a practiced response capability;
- Adopt a combat mentality—most organizations should have a security operations center (SOC) that knows what “normal” looks like, an organized incident response team and regular exercise scenarios that engage senior management;
- Know, identify and prepare: too many organizations do not understand what they are protecting, so understand your people, know which information is your crown jewels, keep a current inventory of your software and hardware assets, and tie all of it to physical security;
- Understand that human behavior is the key ingredient to a successful information security effort—awareness, vigilance, training and ongoing dialogue are vital;
- Recognize that compliance ≠ security: NIST’s frameworks and ISO/IEC 27001 are a good starting point, but a passed audit shows that controls exist on paper, not that they would stop an attacker, and chasing compliance can become a distraction if you are not careful;
- Assess and measure the things that actually matter—and get a look from outside your organization periodically;
- Share, collaborate and keep learning—with your value chain, industry groups (e.g. ISACs), law enforcement and national/multinational CERTs;
- Strike the right balance for your business: information security is about managing risk against reward, and the security effort has to fit the business (or there will be no business), so tie it to your overall enterprise risk management;
- Information security is not an “IT thing”—set the example from the top—engaged and visible commitment from senior leadership is vital.
These efforts will not guarantee your security, but neglecting them means you are not taking the steps needed to protect your enterprise, and you will almost certainly suffer an information loss, or more severe consequences of an attack than necessary.
Hans Brechbühl is the Executive Director of the Center for Digital Strategies (CDS) and an adjunct associate professor at the Tuck School of Business at Dartmouth. CDS focuses on the enabling role of digital technologies in business strategy and innovation. Our mission is to advance the theory and practice of management in a digital, networked economy and to link practitioners and scholars in ways that build economic value.