We probably all have a long list of things we’d love to get around to when we have the time; our Cyber bucket lists. The problem is, you’ll never have the time unless you make it. So, just think of this as a visit from the ghost of CyberFuture and take a look at my Top 5 recommendations to cross off your bucket list in 2020.
Set Your Risk Appetite
You probably don't have much of an appetite so soon after the holidays, but in risk management terms that can be a big problem. Formally establishing your organisation's appetite for negative impacts will help you make sure your people, process and technology are fit to meet your organisation's needs. Rather than simply trying to stop anything bad from happening, your policies, metrics, budgets, transformations, etc. can be focused on what's important from your business' perspective.
The process of setting a risk appetite is also a great way to get your executives engaged and invested in the security programme. They may not be willing to set targets and thresholds themselves, but you can always propose a set for their approval. Just be sure that you're prepared for when they ask what it will cost to turn red to amber to green, and how long it will take.
Once the appetite is set, make sure everyone who needs to know what it is, does. Then make sure any significant changes you make going forward are aligned with it and you’ll always have a justification for your plans and budgets.
Run Mock Incidents
It takes a particular skillset to execute an effective incident response, and it's difficult to develop those skills without experience. Most security professionals agree that, done right, mock incidents are a valuable tool to help you get there. However, most organisations don't run a regular programme of mock incidents, and many run none at all.
Mock incidents can range from a tabletop exercise for a select group of employees, to a full-blown company-wide disaster response facilitated by a third-party specialist. It’s usually best to start with the tabletop variety and progress as your team develops their process. You should aim to do something at least once every half-year.
Verify Your Backups
I'm sure most of you have a backup strategy or standard for your organisation, but in the face of a very tangible ransomware threat, does your restore verification process pass muster? Would you have enough confidence in it to advise your executives not to pay a ransom to recover business-critical data? Bear in mind that a large restore may take a day or two, and your organisation may not be functioning during that time. If, after that delay, you then discover a problem with the restored data, it may have dire consequences for your business.
A solid verification programme needn't be expensive: you simply need to frequently restore and verify a few random files from backups of your critical data, checking their contents against what was backed up rather than just confirming the files exist. You can set regular intervals for this, but you must also verify immediately after any significant application and infrastructure change. A good way to achieve this is to have your change management process decide when a verification is required.
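As an added illustration of the "restore a random sample and verify it" routine (this is example code written for this article, not a tool from any backup vendor), the script below records a SHA-256 manifest of the critical data at backup time, then picks a random sample from the restore and checks each file is present and hashes to the recorded value. The directory names and file contents are constructed for the demo; the one design assumption is that the manifest is stored somewhere the backup job, and anything that can encrypt the backup share, cannot overwrite.

```python
import hashlib
import random
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large restores do not need to fit in memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Record relative path -> SHA-256 for every file under root.

    Take this snapshot at backup time and keep it separately from the backup
    itself (assumption for this example: write-once storage the backup job
    cannot modify), otherwise a corrupted backup can carry a matching manifest.
    """
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_sample(manifest, restored_root, sample_size, rng=None):
    """Verify a random sample of the restore against the manifest.

    Every chosen file must exist and hash to the value captured at backup
    time. Returns (sampled paths, {path: problem}); an empty dict is a pass.
    """
    rng = rng or random.SystemRandom()
    restored_root = Path(restored_root)
    chosen = rng.sample(sorted(manifest), min(sample_size, len(manifest)))
    problems = {}
    for rel in chosen:
        candidate = restored_root / rel
        if not candidate.is_file():
            problems[rel] = "missing"
        elif sha256_file(candidate) != manifest[rel]:
            problems[rel] = "hash mismatch"
    return chosen, problems


def demo():
    """Constructed walk-through: back up a small tree, restore it, damage the
    restore the way a partial or tampered recovery would, and confirm the
    sample catches it. Returns the problems found in the damaged restore."""
    work = Path(tempfile.mkdtemp(prefix="restore-verify-"))
    try:
        source = work / "live"
        (source / "db").mkdir(parents=True)
        (source / "config").mkdir()
        (source / "db" / "orders.csv").write_bytes(b"id,total\n1,99.50\n2,12.00\n")
        (source / "db" / "customers.csv").write_bytes(b"id,name\n1,Ada\n2,Linus\n")
        (source / "config" / "app.yml").write_bytes(b"mode: production\n")

        manifest = build_manifest(source)      # captured at backup time
        restored = work / "restored"
        shutil.copytree(source, restored)      # stands in for the restore job

        # A clean restore passes.
        _, clean = verify_sample(manifest, restored, len(manifest))
        assert clean == {}

        # Simulate a bad restore: one file came back corrupt, one never came back.
        (restored / "db" / "orders.csv").write_bytes(b"\x00ENCRYPTED\x00")
        (restored / "config" / "app.yml").unlink()

        # Sample everything here so the result is deterministic; in production
        # pick a handful with SystemRandom on each scheduled run.
        _, problems = verify_sample(manifest, restored, len(manifest), random.Random(1))
        return problems
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for rel, why in sorted(demo().items()):
        print(f"{why}: {rel}")
```

Run it on a schedule against a fresh restore, not against the backup media in place, so the test exercises the same restore path you would rely on during an incident; a restore that cannot even produce the sampled files is the failure you want to learn about before a ransom note arrives.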
Adopt a Framework
There's a ton of excellent information and a range of cyber security frameworks available to us. They all have strengths and weaknesses, and some are probably better than others, but if you're struggling for structure, just pick one and loosely align your programme to it. You don't need to chase accreditation; simply give yourself some help to implement a more formal programme and a common frame of reference for the people involved, be they internal or external. Once you have a foundation, you can always evolve it further as your overall programme maturity improves.
Focus on Training
Are you stranded in the training desert? If so, this'll sound familiar. Budgets aren't approved until late in the first quarter, and the second quarter is super busy as initiatives are launched. The third quarter is critical when everything goes live (and everyone is on vacation), and the fourth quarter is when all the unspent money is 'recovered'.
If this is a familiar story, give yourself a deadline by which all of your, or your team's, training must be booked. Put a date in your calendar and a reminder for every month between now and then. Make sure everyone has cover for when they will be away.
Formal training is motivating: it generates appreciation and satisfaction for the job and the organisation, and it improves the quality of work. It's a no-brainer. You just need to take training as seriously as any other part of your programme.