Six Steps To Help Leaders Achieve A Good Standard Of Cybersecurity
Steve Durbin, ISF CEO, Featured in Forbes

As businesses automate operations and interact digitally with employees, customers, partners and suppliers, the threat of cyberattacks and breaches becomes deeply concerning. Unfortunately, 85% of businesses still lack an adequate level of cyber readiness.

Here are six best practices to help businesses boost their cybersecurity standards and defenses:

1. Adopt a ready-made framework of security controls.

Leveraging security governance frameworks like the NIST SP 800-53B, the ISO/IEC 27002:2022 or the ISF SOGP, developed by my nonprofit association, enables organizations to identify the various types and levels of risks, map out existing controls and processes, determine risk tolerance, and provide assurance to stakeholders that information risks are being adequately addressed.

Moreover, these frameworks provide extensive coverage and advice on a broad range of security topics, such as security strategy, threat intelligence, incident management, crisis management, business continuity and cyber resilience, which can help organizations improve defenses against a broad range of threats while aligning security strategy with business strategy.

2. Assess information risk and deliver comprehensive, consistent protection.

Information risk assessments should be performed on a regular basis for target environments (e.g., critical business environments, processes and applications), including those under development, and for the technical infrastructure that supports them. Doing so helps organizations gain deeper insight into and understanding of their environment, as well as their own risk and security posture.

It is advisable to perform a risk assessment when undertaking major business changes such as new ventures, business systems transformation projects, mergers and acquisitions, introducing new technologies such as the Internet of Things (IoT), Near Field Communication (NFC) or software-defined networking (SDN), or permitting access to the organization’s business applications and systems by third parties and remote employees.

3. Manage supply chains with a risk-based approach to information security.

Supply chain attacks have tripled in the last twelve months, and it’s a vector that’s increasingly used by cybercriminals to infiltrate organizations. It’s important that information risks are identified, assessed and managed effectively throughout all stages of the relationship with external suppliers. Supplier reviews should cover a wide range of suppliers, particularly those that provide hardware (endpoint and mobile devices), software (operating systems, business applications and security solutions), network devices (routers, switches and firewalls), specialist equipment (heating, ventilation and air conditioning; physical access control and surveillance; self-service terminals), office equipment, cloud services (Infrastructure-as-a-Service, Platform-as-a-Service and Software-as-a-Service), utilities (electricity, gas and water), and outsourced arrangements (call centers, data processors and cleaning services).

4. Ensure regulatory compliance efficiently and proactively.

Laws and regulations surrounding data privacy, information security and disclosure are increasingly being updated and enforced. Organizations that fail to comply with these mandates may face hefty penalties and suffer irreversible reputational damage. Security controls must be consistently prioritized and addressed in accordance with the cybersecurity obligations arising from legislation, regulations, contracts, industry standards and organizational policies.

Ideally, the compliance process should cover the following: identification of security obligation requirements; translation of those obligations into compliance-related security requirements; implementation of security controls to meet those requirements; monitoring of compliance-related controls; reporting results of monitoring activities; and recommending actions to mitigate compliance risks.

5. Document and communicate expectations in managing information security.

A thorough and well-documented information security policy should be created and communicated to all employees and third parties that have access to information systems. The information security policy must address requirements from a business and IT strategy perspective, the legal, regulatory and contractual requirements, as well as the current and projected threat landscape. Employees and partners need to be aware of the expected security obligations, and comply with software licenses, legal, regulatory and other contractual requirements. They must report breaches, adhere to incident response processes, and cooperate during forensic investigations following an incident or a breach.

6. Raise employee security awareness and education.

95% of cybersecurity incidents are due to human error. Security training is as important as the application of security controls. Employees should be educated on how to run systems and applications correctly and provided with the skills to protect information and fulfill their cybersecurity responsibilities. Security training should cover practical recommendations about social engineering risks and the safe and secure use of social media, third-party applications and generative AI. IT staff and system developers should be instructed to leverage secure coding approaches and frameworks (such as the NIST Secure Software Development Framework). There must be clear guidance on how users should protect business applications and equipment, and on how sensitive data should be stored, protected, classified, shared, backed up and deleted.

Effective cybersecurity standards are a result of good governance. However, achieving governance requires the implementation of well-documented security controls, policies and processes that are consistent, repeatable and measurable. These measures should consider security risks, attack surfaces, vulnerabilities and the ever-changing threat landscape and regulatory requirements. By adopting these best practices, organizations can establish strong security standards and enhance their resilience over time.
