There is a study done by the Aberdeen Group that shows that about 91% of companies want to train their people on cybersecurity. This is a tremendous increase from a few years ago, and it shows the recognition that cybersecurity training is key to a successful security posture. There is a line in the movie Cinderella Man, where the boxing manager for the main character, a boxer, is trying to convince the promoter to give his boxer a major fight to compete in. The manager does some very impressive talking about how much money the promoter will make, and he finishes with a great quote: “we both know the name of this game, and it certainly isn’t pugilism.”
It is the same with cybersecurity. The name of this game is awareness; it is training; it is process and procedure; and yes, even some technology. The name of this game is building a holistic picture of where you want to go, and then putting in place the process and procedures needed to get there. Only then follows the technology.
Technology and Security
There is another quote often used in the cybersecurity industry. It says “if you think that cybersecurity is about technology, then you don’t understand security or technology.” It supports the contention above and is commonly used by experts in the cybersecurity field.
Remember, the plan comes first and then the technology will follow. If you implement technology first, you will almost certainly have a problem. I would like to talk about the order of implementation a bit. If this order is followed, your security posture will be much stronger. These are the major categories of cybersecurity that need to be addressed. If these items are taken out of order or done in an ad hoc manner, the company’s security posture will suffer. If they are done in the correct order and systematically, you can bring a company to a strong security posture in a relatively short period of time.
Order of a Successful Security Posture
- Security assessment.
- Develop security posture (strategic).
- Develop security policies and process (tactical).
- Implement policies throughout the organization.
- Assign proper security authorities within your organization.
- Train the entire organization on general security concepts.
- IT and security specialists select effective security technologies.
- Train IT and security specialists on proper use and functioning of security policies.
- Set up a cybersecurity reporting regime.
- Set up an effective cybersecurity incident response plan.
None of these steps are particularly onerous or outrageously expensive, but all of them need to be done. Remember, the plan comes first, then the implementation. Cybersecurity is too complex and fluid to leave it up to whatever is convenient at the moment.