As we continue our return to normal business operations in the banking industry, we're urging our clients, as well as all financial institutions, to get back to being proactive about their information security and cybersecurity programs.
It's really easy, in a reactionary world, to let your cybersecurity program sit on the sidelines gathering dust.
Of course, you’ve been taking care of any urgent matters that have come up, like an incident or indicators of compromise. But, as we've talked about in the past, a good information security program is proactive, not reactive.
One of the ways to get things moving again in a more proactive way is to think about your information security strategy. This is something that should be reviewed once a year anyway, and it seems like a good time to pull it out and update it based on the changes we've seen over the last 90 days.
So here are five tips to help you make that process a little easier and a little more effective.
#1 Begin with the end in mind
It's really hard to steer the ship if you don't know where you're going. If you don't set a desired state for your information security program, you'll never get there. So, when laying out your information security strategy, it's best to start with what you want your overall program to look like in the next two to three years.
Some things to think about would be:
- your policies
- your governance structure
- your risk management framework
- incident response capabilities, etc.
Or, to get a high-level picture, you could use our CySPOT Health Index™ to gauge where you are versus where you could be.
#2 Align with your IT strategy
Think about the technologies that you'll be rolling out in the next 12 to 18 months. As COVID-19 changed your overall IT strategy, are there some technologies that you need to be thinking about that weren't on your radar in February?
This might be an exercise you need to go through from an IT perspective before you start on the information security strategy.
If you need some ideas for that, you can take a look at 12 technologies for the post pandemic landscape.
Once you’ve established your IT strategy, you can begin to ask the important question: “Is your information security program capable of keeping up with IT?”
Make sure the two align with one another.
#3 Get good at the basics
It's kind of like Maslow’s Hierarchy of Needs: you can’t focus on higher needs until the basics (like food, air, and shelter) are covered. Make sure your cybersecurity program covers the blocking and tackling before you start looking for trick plays.
That can definitely be a challenge in a world where vendors are screaming at you that their latest tool is the end-all-be-all to “keep you safe”. As tempting as it is, we often find that filling the gaps in the essentials of cybersecurity has a bigger and more lasting impact.
My colleague, Brian Petzold, wrote a blog post on this about 18 months ago. He points out that remediation efforts may be your best strategy for the time being. Some areas to look at to get ideas include:
- outstanding action items from your risk assessment
- outstanding findings from audits or exams
- remaining statements from the CAT tool to get to the proper maturity level
If you’re missing essential pieces, they need to be the first stop on your roadmap.
#4 Communicate the strategy to your team
One of my favorite authors, Patrick Lencioni, says that two of the four key responsibilities of a leader are to set the strategy and to over-communicate the strategy. That concept works in information security too.
Too often, we see situations where an IT strategy, an organizational strategy, or an Information Security Strategy gets put on the shelf and never sees the light of day again for the next 12 months, until it's time to be updated.
What good is a strategy, if your team doesn't even know what it is? How are they supposed to help you execute it, if they can't explain the objectives to someone else?
Make sure your team understands what the priorities are, so everyone can move in the same direction.
#5 Determine if you have the right resources to make it happen
And I'm not talking about tools here: tools, applications, and equipment are easy to come by.
I’m talking about the people. People are who execute the strategy.
Do you have the right people to make the strategy a reality? If the answer is no, you need to think about adding full time staff, or you need to think about leveraging outsourced relationships.
Some options include:
- Managed IT
- Managed Security Services Provider
- Virtual Chief Information Security Officer
More on those key roles can be found here.
Conclusion
For the last 90 days, we've all had our heads down. We were all just trying to get through a very tough time. But as the dust begins to settle, even just a little, we all need to lift our heads up and start to look forward again.
If you need help with an information security strategy, or have questions about any of the ideas or resources shared in this blog post, please contact us at support@bedelsecurity.com.
Additional Resources:
- Reactive or Proactive: What Makes the Best CISO – https://www.bedelsecurity.com/blog/reactive-or-proactive-what-makes-the-best-ciso
- CySPOT™ Health Index – https://www.bedelsecurity.com/lp-cyspot-health-index
- The 3 Key Roles in Cybersecurity – https://www.bedelsecurity.com/blog/the-3-key-roles-in-cybersecurity
- Making Strategic Planning Easy – https://www.bedelsecurity.com/blog/making-strategic-planning-easy
- The Top 5 Benefits of a vCISO – https://www.bedelsecurity.com/blog/top-5-benefits-of-a-virtual-ciso