One of the things that makes a system of any kind successful is keeping it in top working order and properly maintained: don’t wait, do it now. This may be easier said than done. Sometimes the basic or even advanced maintenance of a system can be challenging. It can add costs and take time away from new projects, but we all know that it must be done if you are going to be able to rely on that system. And cybersecurity is no exception.
A corollary to this rule is the issue of timing. Sometimes you need to wait for the right time to do something. But when it comes to maintenance, the usual rule of thumb is to get it done as soon as possible: not to wait, but to do it now. Even more important, if the system has problems or is broken or incomplete, then getting it done quickly is imperative.
I am not saying that the particular cybersecurity posture that you have in place today is broken, or even incomplete. But let me tell you what my years of experience in this industry have been, whether at a large company or a small or medium business. Whether it is a private organization or a public entity like a university, a school system, or a government entity, I have seen the same scenario play out. A majority of the time they have an incomplete cybersecurity posture or a broken posture that is known and is not being addressed in the near future.
Why is this? That has been discussed in other posts like here. But for now, let’s just assume that this is a fact. Why do I say it is broken? If there are reasonable and cost-effective measures that can be taken to bring a cybersecurity posture into a secure state and able to pass a normal security audit, then I consider it broken. And you should too, because when that system is breached there is going to be a lot of armchair quarterbacking afterward, and there are going to be questions about how you got into this situation. These questions may even come up in a debate in the public sphere, and it will be uncomfortable.
Discuss Now Or Discuss Later
Simply put, you will be reviewing your cybersecurity posture eventually. It’s up to you as a leader to determine the best time, but it will happen. It can happen efficiently and cost-effectively before there is a major breach, or it can happen after you get hacked. I would prefer to do it before. Hopefully, most other people would. I talk extensively about the cost and benefit of preparing for a major cybersecurity event, and about what happens before and what happens after one occurs, in my upcoming book that will be out next quarter.
It shows the dramatic difference in cost and effectiveness when you choose to do it now as opposed to waiting until something goes wrong. The quicker you fix a broken or incomplete issue, the less likely you are to have problems and the more likely you are to weather a problem when it does occur. But when you wait, the problems usually multiply.