Does your business have a Chief Information Officer (CIO) or Chief Information Security Officer (CISO) who’s in charge of your cybersecurity budget? Most small and medium-sized businesses do not. So it’s usually up to the CEO or CFO. And while they may be brilliant at their jobs, keeping up with IT may not be their top priority. So what’s a company to do?
Follow these six steps! Your company will be able to make smart, informed, appropriate cybersecurity decisions even if you don’t have a CIO:
1. Choose an established set of standards to follow.
Cybersecurity standards are sets of guidelines developed to prevent or mitigate attacks, and many organizations have published them (the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team, ICS-CERT, maintains a list). Pick the standard that best matches your industry, regulatory obligations and needs, then move the business toward it so you have a defined target to measure against rather than an ad hoc security posture. Much of the homework has been done for you: the standard tells you which controls to have, so you do not have to design a control set from scratch. The most widely used are the NIST Cybersecurity Framework and ISO/IEC 27001. If you are not sure which to choose, ask a trusted IT adviser or vendor.
• Use our Cybersecurity Partner Interview Guide to find the right security partner for your company.
• Is your IT budget ready for 2020? Our IT Budgeting Guide for 2020 can help – download here.
2. Inform your vendors about your chosen standards and ask them to bring you up to speed.
Let’s say you’ve chosen to go with ISO 27001. Once your vendors know you’re following ISO 27001, they know where you’ve set the bar and what they need to do to meet it. Ask each vendor for evidence rather than a verbal assurance: a current certification, an independent audit report, or a written statement of which requirements they meet and which they do not. There may be a cost to bring a vendor’s service up to the bar, but often there is not, because the change needed is procedural or a configuration fix rather than a new purchase.
3. Hire a third party to perform a gap (or risk) analysis.
Now that your vendors have done what they can to comply with your standard, hire a company that specializes in finding the gaps between where you are now and where the standard says you need to be. (A gap analysis measures your controls against the standard; a risk analysis weighs the likelihood and impact of the threats those controls address. Either produces a prioritized list.) Choose an assessor that is independent of the vendors whose work is being reviewed. Examples include Secureworks, McGladrey and PKM. Pricing depends on the size of your company and network, typically starting at around $5,000 for a small company. The report you receive will list the gaps found by priority, such as critical gaps, minor gaps and gaps that should be addressed at some point, and it becomes the work list for the next step.
4. Fix what you can within your budget.
Security readiness doesn’t have to be a budget-buster. About 50-70% of what you need to do to close the gaps will probably be operational, meaning you can fix it by doing a better job with what you already have: training employees, tightening processes and controls, and configuring existing systems properly. The remaining 30-50% will typically call for tools or services that actively look for incidents, such as monitoring or managed detection. Don’t try to pick these yourself. It’s easy to overspend on solutions you don’t really need and miss the ones you do, so work through the gap report with a trusted IT adviser and buy against the prioritized list, not against a vendor’s pitch.
5. Insure any unacceptable remaining risks.
What can you not afford to lose? Insure that. Cyber insurance is for residual risk: the gaps you cannot close at an acceptable cost after step 4, where the loss would threaten the business. Be clear about what a policy does and does not cover; it reimburses financial loss, it does not restore lost data or recover downtime, and expect the insurer to ask about the controls you have in place before quoting.
6. Maintain what you’ve built!
It’s critical that you keep monitoring, logging, patching and training your team on the latest threats, because a gap report describes a point in time and new gaps open as your systems, people and the threats against them change. Managing your cybersecurity is a lot like managing your health. You can’t exercise for a week and expect to stay in shape. It’s an ongoing thing.
And as your company grows, you’ll want to re-evaluate your security posture. Growing companies typically need to customize their IT environments and, based on the customization and their evolving needs, update what they’re insuring as well. Picking a standard and sticking to it will get most growing companies 80% of the way there, and for fine-tuning and advice about smart spending when it comes to IT investments, keep your trusted IT advisor handy.
Leapfrog is a cybersecurity advisor for growing companies — we’ve helped clients grow from near startups to having offices around the country — and we also provide part-time resources to do customization. Since we manage IT for hundreds of organizations, our first-hand knowledge of what’s most effective when it comes to choosing and applying standards — to protect against both external and internal intrusions — can be especially useful for companies that don’t have a full-time CIO or CISO. Please feel free to contact us with questions about standards, gap analyses, insuring IT risks and other cybersecurity management issues regarding your specific industry and budget.
If you liked this post, don’t forget to subscribe to FrogTalk, our monthly newsletter.