Cracking Cybersecurity Consulting: How Do We Put the Consulting Report to Use?
Violet Sullivan, CIPP/US CIPM
Cyber | Privacy | AI | Cyber Insurance | Adjunct Professor for Baylor Law School
Eleventh article in a 12-part series on “Cracking Cybersecurity Consulting”
Why did you start a cybersecurity project in the first place? What motivated you to set aside time and resources to complete a project with the goal of finding cyber vulnerabilities, strengthening controls, or auditing your organization’s current infrastructure?
The answer (hopefully): to mitigate or address cyber risk.
Organizations undertake cybersecurity consulting projects to secure systems, networks, and the overall technical landscape to reduce potential risk. Just ask your cyber insurance broker. The current state of the cyber market proves that as threats and potential claims increase, it’s getting harder and harder to cover the level of cyber risk companies carry.
In short, you employed a third party for a cybersecurity project specifically because you wanted to get their advice on what to do. At this point in the process, you must follow up on that sage advice.
To act on the final deliverable, remember to:
· Assign follow-ups to a project manager. Someone must take ownership of the action items provided by the third party, or they’ll never get implemented. Assigning someone internally to follow up on the deliverable’s suggestions elevates your cybersecurity posture by fixing gaps instead of just identifying them.
· Establish check-in points with your team. This is a project manager’s trick. He or she should establish deadlines, assign action items to team members, and then require them to give progress updates along the way on scheduled “check-in” calls. Doing so keeps items prioritized instead of letting them fall by the wayside.
· Schedule future meetings with the consulting team. There are a couple of reasons to do this:
1. It gives you a tentative deadline to report progress and ask questions.
2. It allows you to ask for more help if needed. Most cyber consulting projects are not just “one and done,” and the vendor you worked with will likely be willing to jump on a call, especially if it means you may use them again in the future.
· Brief the board or executive team on the findings and results. By bringing a higher authority into your project, you are presenting the recommendations to a group that can hold your team accountable. When your team can convey the recommended cybersecurity improvements, the executive team or board will also see the overall benefits. With their buy-in, your follow-up carries even greater weight, so you’ll be more likely to deliver results.
The number one reason to get your team to ACT on the final deliverable is simple. You paid for the help, so use it.
Remember, from a legal standpoint, when a third party recommends that you make improvements and adjustments to better your overall cybersecurity, you should act swiftly and reasonably. Otherwise, there’s a plaintiff’s attorney out there who’s just waiting to point out that you were given advice and didn’t act on it. As soon as a cyber incident occurs, class actions can be created to point to your lack of cybersecurity controls. This world of cyber litigation is new, and plaintiff’s attorneys are being very creative in their finger-pointing.
With a project plan in place and an aim to fill the gaps, your team will be working through improvements for the next 6–12 months. It’s a continuous process, so don’t get down if it’s not complete when the third party exits the premises. There’s always work to do, and your team must follow up on the recommendations presented.
In cybersecurity, there will always be new threats, new patches, and new ways to educate users. Continuous improvement is the name of the game, and the final article in the series is devoted to continuously improving your cybersecurity program.
For more information and to discuss the consulting services that are right for your organization, contact Violet Sullivan, Esq. CIPP/US, Cyber Security Consulting Practice Manager, 760-916-4477 or email vsullivan(at)eplaceinc.com.