Cybersecurity is a unique IT challenge unlike anything else in the enterprise. Unlike other issues, you’re facing threats that grow each day. Even worse, you can’t negotiate or persuade attackers to stop their attacks. You can only build sustainable defenses and work to improve.
The Hero Myth: Why IT Security Sustainability Matters
As managers, it’s easy to be led astray by the heroes on your staff. Think back to the last IT security incident. You had a few heroes who worked extra hard, who called in favors and eliminated the problem. Here’s the problem with relying upon a few heroic individuals to protect you: it’s difficult to sustain that level of effort in the long term.
The 10 Point IT Sustainability Security Test
As you go through these questions, answer “YES” if your organization has a developed, sustainable capability. Otherwise, answer “NO.”
1. Cybersecurity mandate
Does the organization have a written mandate to develop and enforce cybersecurity throughout the organization? If you lack this component, you’re going to struggle with standing out within the organization.
2. Cybersecurity leadership
Leaders set the tone and expectations for their department. One simple way to evaluate a cybersecurity executive is to check how other executives view the individual. If he or she is respected and well connected, you’ve passed the credibility bar. At the elite level, you’ll also have a documented succession plan for senior leaders in cybersecurity.
3. Cybersecurity monitoring
Do you have monthly, weekly, and daily cybersecurity indicators that are meaningful? Without this in place, you won’t understand the threats facing the organization. At the same time, you don’t want to drown in irrelevant alerts that make you sound like Chicken Little.
4. Cybersecurity preventive tools
Crisis response is just one part of cybersecurity success. To achieve IT security sustainability, you need preventive tools. For instance, do you have a password management solution in place? That’s one of the best ways to prevent cybersecurity problems from occurring in the first place.
5. Cybersecurity preventive processes
Continuing the prevention theme, software tools are even more effective when you pair them with solid processes. Regarding sustainability, ask yourself whether your team has repeatable documented processes for:
- Evaluating new software releases
- Controls for super users (Hint: Use the principle of least privilege. How? Find out with “Cut Your Access Governance Complexity with The Principle of Least Privilege”)
- Setting up new systems with multi-factor authentication
6. Cybersecurity exploration and experimentation
Here’s the harsh truth: if you don’t make room for innovation, you’ll be left behind. Think back over the last 12 months; what capacity and time have you set aside for exploration? This could mean experimenting with a new cybersecurity every quarter. Alternatively, it could be fine-tuning your agile project management processes. If you answer no to this capability, it’s a secondary priority after you have the fundamentals in place.
7. Cybersecurity training
There are two nuances to this criterion: training for the cyber specialists and training for the whole organization. You need to provide both for your security program to be sustainable. Failing to support cybersecurity professionals with resources to earn certifications, attend conferences, and gain top-notch tools means you’ll lose those staff members.
8. Cybersecurity staffing
Do you have adequate staffing levels for the size and complexity of your organization? A common rule of thumb is to spend 5% of your total IT budget on cybersecurity if you’re a large company. That’s a helpful but crude measure. Instead, ask yourself this question: “How many ‘Single Points of Knowledge’ do we have?” If one or two people go on vacation, will your IT security operation grind to a halt? If so, you don’t have a sustainable security department.
9. Cybersecurity goals
Does the organization have measurable, written goals for IT security? This may include goals to cover staffing, prevention processes, and other areas. If your goal is “avoid security failures,” then you’re in trouble, as that goal is too vague to be useful.
10. Cybersecurity third-party support
Earlier, we referred to tools. You also need to look at third-party support in the form of consulting and training. For example, the best performing cybersecurity departments ask outside experts to review their operations every few years. Why? It helps them to identify blind spots and vulnerabilities.
Understanding Your Scores
Add up the number of “YES” scores you received, and then read your corresponding score.
- Fragile (Score: 3 or less): At this level, your IT security is fragile. If one or two people leave or if the pace of attacks increases, everything will crumble. You need to make serious improvements.
- Mixed sustainability (Score: 4 to 6): With this score, you’re in the middle of the pack. You’ve nailed some parts of IT security sustainability, such as resources. However, you may be lacking when it comes to tools.
- Optimizing (Score: 7 to 10): Congratulations are in order if you’ve reached this level, as you’re in the elite. Your greatest risk lies in becoming complacent.
Your Next Step to Improve Cybersecurity Sustainability This Month
If you have an ad hoc, unsustainable IT security department, you need to make some changes quickly. Pick one of the following areas to focus on this month.
Tools and software
Are you leveraging identity and access management solutions? That’s one of the best ways to systematize your controls and reduce your workload. If you need help with obtaining funding, you’ll need to create a business case. Get started with our article: Get Your SSO Software Project Funded with a Business Case.
How can you improve the quality of your staff this month? If resources are tight, start with funding more training. Equipping people with new skills is one of the best ways to spark higher productivity.
With this approach, you focus on developing checklists, procedures, and similar process resources. To get started, create one cybersecurity process and then measure your team on how they use it over the course of the month. Process is an underrated way to create a higher level of consistency in cybersecurity.