The Do’s and Don’ts of Building a Cybersecurity Program

Do you have a security program that needs beefing up? Or are you involved in a startup that’s still in the planning stages of information and cybersecurity? Either way, it may not be clear what is needed and where to start. 

Information security is essential for any business these days. If information is leaked or stolen, the consequences can be dire. Large amounts of revenue may be lost and the damage to brand reputation may be irreparable. The stakes couldn’t be higher - all businesses need a robust security program in place.

This short guide will give you some pointers on the do’s and don’ts of building an effective security program.

Do: Set out your objectives
It’s important to begin by setting out your objectives clearly. They become the foundation of your security program. Without them, the program could end up either too big and unwieldy, or too small and ineffective.

Firstly, you need to identify the type of business you’re in. The objectives will differ according to the size and maturity of the business: a lean startup will usually accept more risk than a mature company, whose risk tolerance will be much lower.

Setting the right objectives early on will allow you to implement the correct controls to begin with.

Do: Check out existing cybersecurity frameworks
There’s no need to reinvent the wheel with your own list of security controls. Use a framework such as the CIS Critical Security Controls (CIS20) or the ISF Standard of Good Practice for Information Security, both of which provide lists of security controls to put in place. That list can form the backbone of your security program, which you then tailor to suit your business requirements.

Do: Define a security strategy
Don’t go in blind. First you need to answer some fundamental questions about your company:

  • What’s your mission? 
  • What’s your product? 
  • Who’s running the company? 
  • How agile is your business?
  • How does this all fit in with cybersecurity concerns? 

Once you’ve answered these questions you’ll get a good idea of the detailed security needs and can begin to set out a strategy and company-wide approach to cybersecurity. The CISO will probably need to create a roadmap for the CEO.

To do this, the CISO needs to understand what’s important to the CEO and the business: what does the CEO value the most? When it comes to the hard choices about what to protect, make sure you protect those assets first.

Don’t: Spend millions on a security “solution”
A common mistake that medium-to-large-sized companies make is spending millions implementing an “out-of-the-box” security solution that isn’t suited to their business.

Spending millions on a security program can really slow down your business if you don’t get it right. The most important thing is to set out a strategy that suits your business and objectives and the rest will follow.

Don’t: Neglect regulatory requirements
You need to create a security program that fits your own risk profile, but you also need to be mindful of regulatory requirements. Strike a balance between the two.

On top of any regulatory requirements, you may want to hold a senior management workshop on critical business activities and accompanying cyber threats. This will make sure that the program is tailored to your business.

Don’t: Overcomplicate the program
The CISO of a company needs to ensure that the program gets buy-in from the top brass. Therefore, it’s crucial not to muddy the waters by overcomplicating communication. Keep things simple and in a language that senior executives will understand.

In other words, don’t be overly technical. If you’re talking to a CEO about a budget, don’t talk about the specifics of the latest hacks and security threats. Frame it in a way that explains the consequences. Make sure they understand the risks to the business. 

It’s acceptable to use stats to back up your points and to give your requests more weight, but don’t overdo it. Most managers aren’t that interested in the minutiae of vulnerability stats. They’d much rather hear about the effects on the bottom line.

Summary
The most important things to do when setting up a new information security program are to set out your objectives and a clear strategy, then use existing frameworks as building blocks. Make sure that you cover both regulatory requirements and the needs of the business.

Raise cyber awareness across the company by framing things in a way that people understand. You want people to view cybersecurity staff as partners in the business. Security is a team effort, so aim to get buy-in right from the beginning.

Also, avoid spending lots of cash initially, as it could be money down the drain. Be pragmatic and resourceful instead. If you’re a startup or in the early years of business growth, you’re likely to be on a restricted budget. Use your limited resources to pinpoint the areas to control, then build a strategy around that. Don’t waste money by just throwing tech solutions at cybersecurity and expecting the problem to go away.

Source: Infosecurity Magazine.