The four stages of cybersecurity program development — part four

Tillman Hodgson

Welcome to part four of our four-part series on security program development. Our purpose in developing the series is to give organizations a helpful overview of creating a cybersecurity posture. ‘Cybersecurity posture’ is basically just a fancy way of referring to your overall cybersecurity setup/strength.

If you’ve made it to this part in the series, you should now have a good understanding of how to develop a healthy cybersecurity setup for your organization. However, if you haven’t reviewed parts one through three yet, we recommend starting there (part one, part two, part three). In general, there are four key phases to security program development for most organizations—this post reviews phase four, the Improvement stage.

Phase Four of Security Program Development

In business, the bottom line matters. We get that. In this phase, your cybersecurity program goes from merely being ‘deployed’ to something from which your business can extract real value. Not only that, but as the name suggests, this is the phase where you get to measure, review, tweak and improve the program.

So how exactly can your cybersecurity program impact your bottom line?

  • It can reduce your premiums for cybersecurity insurance (which are going up, up and up)
  • It can reduce your downtime and protect your critical assets and intellectual property
  • It can foster consumer trust leading to further opportunities
  • It can ensure your organization is in legal compliance and meeting its obligations

In a way, it’s a little like insurance. You hope it will exist relatively in the background, far from your thoughts. However, if an incident occurs, you’ll be pleased to have the protection your cybersecurity program offers.

Keeping Your Security Program in Fighting Shape

The bad guys rarely take a day off, so neither should your security program. In terms of keeping your program in fighting shape, there are a few things that we recommend:

  • Revisit your objectives at least once a year to ensure that your cybersecurity program remains aligned with your needs and goals.
  • Set measurable objectives for the security program to review its success and connect it to your organization’s business objectives.
  • Over the year, measure the effectiveness of your security controls. Depending on the control and the type and size of your business, monthly or quarterly measurement may even make sense.
  • Once a year, do an internal audit of your controls.
  • Ensure that the results of the measurements and internal audit are reviewed by management. Where gaps occur, manage and adjust the security program to address them. This keeps the security program aligned to your business requirements and also keeps it ‘evergreen’ so that your once-new-and-shiny controls don’t silently stop serving their intended purpose.

Just like a boxer, you want to keep your program primed and in ‘fighting shape.’ You never know when it might be called to the ring for a big bout!

This ongoing work should help keep your program healthy and fit for a long time. But, of course, should you need any help figuring out what might work best for your specific needs, we can help. At SeekingFire Consulting Inc., we work with small to medium-sized organizations across Western Canada on their cybersecurity needs. We offer free consultations to all prospective clients. If you’d like to learn more, please reach out to start the conversation.

Disclaimer

While we have made every effort to present accurate, unbiased and helpful information in this article, please note that it reflects the author’s opinion and is written for the purposes of general knowledge, information and discussion. This article is not intended as legal advice, nor should it be considered as advice specific to your individual data security situation. If you would like to discuss your cybersecurity needs in specific detail, please get in touch with us.
