Is it risk reduction? Training employees? Fighting back against targeted attacks?
The easy answer to this question is to build a comprehensive and mature Security Program. The difficult part is identifying every critical component that make this a success. Remembering that any security program is only as strong as the weakest link, you must build layers of security that act as both active barriers and safety nets that complement each other. Five of these components are listed below:
- Executive Support – All programs are doomed to fail without the full support and financial backing at the highest level. Be sure to define and clearly explain what is considered to be Best Practice and how this directly affects the business.
- Experience – While training and security awareness is valuable, there is no substitute for experience. Bring in at least one expert who has real hands on experience to guide and mentor the team.
- Plan – Build a detailed three-year plan. Use this for communication, financial and project planning, but most importantly, this can help you measure progress and eventual “success.”
- Align to a Security Framework – Choose between one of the leading frameworks such as ISO, NIST, or equivalent. These frameworks not only define specific controls that must be in place for any program, but also help to measure the effectiveness of your program.
- Test – Now that you have the core security components in place, have the network layer scanned, as well as the application layer with both static and dynamic scans. This is not a one-time event as new vulnerabilities are created and altered every single day. Again, this is an excellent measure of success that can be used to provide specific evidence for the executive team, which in turn, will be needed to maintain and enhance your successful cyber security program.