It’s important for all businesses and organizations to institute and maintain an effective cybersecurity risk management strategy. But many key executives don’t know where to begin. Let’s explore how to get started.
Let’s assume you’re an Owner, C-Suite Executive, or Board Member responsible for the fiscal well-being of your business or organization. You should understand that there’s a huge difference between Information Technology and Information Security, and the two are totally independent but at the same time totally interconnected.
Understand that most IT experts have not undergone the extensive training that would be needed in order to qualify as a cybersecurity expert. Cybersecurity risk management should be left to qualified cybersecurity professionals.
By observing current events and the negative impact of cyber crimes against businesses and organizations across the globe, you are aware of the increasing number of businesses suffering cyber attacks. Cyber criminals are even using Artificial Intelligence (AI) to circumvent legacy cybersecurity protections.
To your credit, you’ve decided that it’s time to do something to mitigate the risks to your business or organization.
So how do you get started?
Talk to your peers.
You’re most likely a member of various peer groups with other people who are in the same boat. Ask them how they’ve approached this topic.
- Have they started a cybersecurity risk management program?
- If so, whom did (do) they use?
- Are they happy with the results?
- How do they know they’re secure?
- What did (does) it cost them?
- Was there any “IT Noise” (disruptions, unintended consequences) while going through the process?
- If so – how long did this last?
- Would they recommend this firm?
- And, any other questions you may think to ask.
Seek out professionally trained Cybersecurity Experts to guide you. Look for certifications like CISSP, CISA, and CISM. If they don’t have them – that’s a red flag. Ask to see credentials and make sure to speak to references.
Meet with multiple firms to evaluate their offerings. Are they professional? Does their “approach” fit with how you do business? Can you see yourself working with them? Are they willing to work with your current IT team/firm? Do you trust them?
Here are some key questions to ask:
- What Cybersecurity Certifications does their team hold? (Don’t take their word for it – ask for evidence.)
- How do they stay on top of the latest developments in cybersecurity?
- Are they “A Players”?
- Which Cybersecurity Framework will they be using to design a cybersecurity risk management strategy for you? (For example - NIST CSF, CIS Controls – or a combination of the two? You don’t need to understand the framework; you just want to know if they use one.)
- How long does their Onboarding process take? (It should be extensive and detailed, and they should be willing to provide specifics.)
- Will they perform third-party vulnerability assessments? Penetration testing? (This should be part of the onboarding process and performed regularly afterward. Again, you don’t care how they do it; you just want to make sure that they do it – before making any changes.)
- Will the risk management strategy they design satisfy any specific Compliance requirements, such as CMMC, HIPAA, PCI, or Cyber Liability Insurance (CLI)?
- Will they create an Incident Response Plan? Disaster Recovery Plan? If so, will there be tabletop exercises to test the plan(s)? (It should be yes to all three.)
- Can they provide references of businesses or organizations that are of similar size and nature for you to contact? (There should be a list to choose from.)
Get a Mutual Non-Disclosure Agreement
Any top-shelf provider in cybersecurity has developed proprietary processes based on years of hard-earned experience. They constantly research and have also developed carefully curated multi-layered “stacks” of state-of-the-art cybersecurity tools that will be used to produce the results that you seek. (If they do not/have not – that’s a red flag.)
These processes and tools will cost them considerable time and expense (both past and ongoing). They are usually (should be) carefully guarded.
They should be able to clearly and succinctly elaborate on what sets them apart from all other vendors. Expect them to be excited to tell you all about it - not a sales pitch but a deep belief and confidence in their abilities and the results they’ll produce. (If not, that’s a red flag.)
Asking for a Mutual Non-Disclosure Agreement shows that you value their uniqueness and professionalism. This simple sign of respect will go a long way in establishing a mutually beneficial long-term business relationship if you choose them. And it establishes trust – which you’ll both need.
Your IT Team/Current Provider
Your IT team or current IT provider may be part of the evaluation, but the person(s) ultimately responsible for the well-being of the company (Owner/C-Suite) should take the lead. IT professionals may feel threatened by Cybersecurity Experts and often obfuscate the selection process to protect their turf.
If so, they’ll act like interrogators, demanding to know the specific tools that will be used. (That’s a sure sign of their limited knowledge in this area.) This is an attempt to show that they know as much (or more) than the security professionals. It’s not uncommon for them to feign superiority, contradict what’s being said, and sabotage the selection process.
Don’t be surprised if this happens; it’s human nature. If that’s the case, better to leave them out of the conversations. If the converse is true, and your IT team or provider defers to the cybersecurity experts, consider yourself fortunate, and by all means, make them part of the selection process.
On the other hand, Owners and C-Level executives cannot be expected to understand the technical aspects of effective cybersecurity risk management. But they are expected to understand Process and Outcomes – both of which any prospective cybersecurity risk management provider should be able to explain clearly.
It’s not important to understand the specific tools and the details of the processes they’ll use to implement your cybersecurity risk management strategy. As technology changes, tools and processes will change too. In some respects, the specific tools and processes do not matter. What’s more important is:
- How they’re going to use those tools and processes to get you from where you are now (unprotected, vulnerable) to where you want to be (protected, risk minimized).
- The specific Results that you can expect their tools and processes to produce.
At the end of the day, this is not a technology discussion; it’s a business discussion about impact, goals, and objectives.
How much is this going to cost?
Price is always a consideration, but it should not be the main consideration. State-of-the-art cybersecurity tools are expensive. Professionally trained cybersecurity experts are expensive. You want the firm you select to always invest in expertise — both tools and talent. You want them to always be ahead of the cyber criminals, and at the top of their game — A Players.
Do not make the mistake of buying based on the lowest cost. You’ll get what you pay for, which may end up meaning financial ruin. Regarding cybersecurity, there’s no such thing as “that’s close enough.” You can’t secure some areas and leave others vulnerable to attack. Any vulnerability is an open door to cyber criminals. (Read that last line again, and let it sink in.)
It’s going to cost – what it costs. And that may hurt. It’ll cost much less than recovering from a cyber attack. Don’t believe it? Take a few moments and Google “average cost of a cyber attack.”
You’ve made your selection.
When you’ve made your selection, work closely with your new provider. There should be scheduled Quarterly Business Reviews. Make sure you’re getting regular reports that detail areas of progress and areas of concern.
These QBRs should be business discussions that detail mitigation efforts and evaluations of each risk as to past condition, present state, and future state. There should be detailed results as to the business impact of those efforts.
Work closely with your provider. They’re a true partner and should be singularly and unremittingly focused on your success.
Lastly, keep the following in mind: This is not a one-and-done exercise. Embrace the cultural shift that will necessarily take place to transform your business or organization into a low-risk entity. Your stakeholders, shareholders, employees, customers, and vendors will thank you for it.
Do not let your lack of IT technical expertise hold you back. Implementing a cybersecurity risk management solution is ultimately a business exercise, not a technical exercise.
Do your homework. Choose a professional firm that projects confidence in the results that they’ll produce for your organization or business. Then hold them to high standards and keep them accountable to produce documented evidence that you’re moving in the right direction.