Cybersecurity oversight can be unsettling for C-suite executives and board members. The connection between the board room and those managing technical infrastructure is critical, yet C-suite executives and board members typically lack the skills and the knowledge of the threat landscape and technologies involved in cybersecurity programs that would be needed to flatten the management structure enough for direct top-to-bottom management.
For the foreseeable future, cybersecurity program oversight will not be something that can be reduced to an annual review process. To be effective, the structure has to be distributed throughout the organization, and risk thresholds must be set that cause unplanned alerts to drive management action on a regularly scheduled review and ad hoc incident-response basis.
The most common approach for creating and maintaining an enterprise cybersecurity program follows a five-step risk-management process. The process is iterative and constantly informed by new information. We are often asked: “When will the cybersecurity program be completed?” Unfortunately, the answer is “never.” Cybersecurity is a process, not an endpoint—the proverbial marathon versus sprint.
Each step in the process requires participation at multiple levels across an organization, as outlined below.
Step One: Plan
This involves cyber assessment inventory and environment characterization, coupled with risk assessment, risk-management strategy, and governance and organizational structure.
Step Two: Protect
This step involves control design, selection, and implementation, along with training and maintenance.
Step Three: Detect
At this stage, the organization builds and assesses monitoring and reporting of both threats and program effectiveness, along with incident alerting and response planning.
Step Four: Respond
This is the step for event analysis and escalation, containment, eradication, and recovery.
Step Five: Adjust
What are the lessons learned, and how can you adjust the program? Also, how did communications work, and how can they be improved?
As part of the process for following the five steps outlined here, the organization must ensure that individuals and teams are assigned responsibilities and held to account for successes and failures. How do you go about assigning levels of authority and responsibility? For guidance, see this associated article: “Building a Cybersecurity Program: Who’s Responsible for What?”