Cybersecurity Programs Take Time
Were it not for a worldwide pandemic (maybe you heard about it?), I would have attended my 25th college reunion at Wash U (Go Bears!) in St. Louis last month. Instead, the event was held online, and few people showed up.
That’s understandable. College reunions are not so much about exchanging vital information as they are about catching up with old friends, seeing how the campus has changed, shaking hands, exchanging hugs, and drinking a beer, or seven. Zoom just doesn’t cut it.
There is one advantage to a virtual reunion, though: no lead time required.
You don’t need to prearrange a plane ticket, a hotel reservation, or a rental car. And, maybe most significant in terms of preplanning, you don’t need weeks and weeks to get in shape and/or lose weight, two objectives that require the passage of time.
Well, guess what? When it comes to setting up a robust cybersecurity program for your organization, you can’t simply snap your fingers and put one into place overnight, either.
Cybersecurity Programs are a Process
When speaking with a prospect about establishing a new cybersecurity program quickly – often because they have a new customer that requires certain commitments – they invariably ask, “How long will it take to meet these requirements?”
My answer is nearly always the same: “18 months.”
At that point, I don’t necessarily even know the specifics of the program or the compliance requirements. But after going through this process dozens of times with a range of clients, I’ve learned that the specifics don’t really matter. Like losing weight, cybersecurity takes time.
“Can it be done faster?” they invariably ask.
Here, too, my response is pretty consistent: “Yes, but what are you willing to sacrifice to speed it up? Is this going to be your top priority, something that takes precedence over things like making sales or delivering on customer commitments?”
Their answer, of course, is “no.” As it should be. No company is going to dedicate 100% of its time over even a single month to get all its policies developed and put in place. It just won’t happen, and so a phased approach over several months is closer to reality.
Okay. So if it’s not overnight or even one month, which factors come into play in determining how long it will take? Let’s take a look…
How much time are you going to dedicate to this?
A security program comes at a cost – one of those is time. And sure, like an actor who works out five hours a day to take on a role as a boxer, you could push everything else aside to shrink the timeframe. But it’s not likely, nor is it advisable if the things you would push aside generate needed revenue.
So, start by figuring out what’s necessary to implement a new program. How many and what types of policies are you trying to put into place? How often will your internal team meet? What documentation and training are required? Use these and other key factors to create a realistic schedule that estimates how much time you will need.
Then double it, because if my experience holds true, you are being way too optimistic.
What will the Cybersecurity Program’s impact be on the status quo?
Part of the reason cybersecurity takes time to implement is that it’s a contact sport – everyone inside your organization plays a hands-on role. You can’t simply outsource it the way you might with the installation of a new HVAC system or the hiring of a new marketing agency.
Yes, professional cybersecurity experts can lead the way – developing a plan, helping you meet on a regular basis, tracking progress, keeping the team on track, etc. But like hiring a personal trainer, you’re the one who needs to get down there and do the pushups.
How well-informed and committed is senior leadership?
Anytime someone invites us in to talk about cybersecurity, it’s because at some level, they understand that things are not as they should be. They may believe that they are “better than average” (although on average, they are not), but even if they are, it’s not enough. “Above average” is not a high enough bar for surgeons, airplane pilots, or those who are trying to keep the bad guys from doing damage.
That’s why, in our experience, it all starts at the top with the CEO: does he or she have a risk-informed view of the organization? That means more than just having a bunch of security controls in place. It means understanding and committing to cybersecurity programs across the board, in a systematic and well-conceived manner.
More than anything, CEO dedication to cybersecurity is what correlates most strongly with the speed with which a new program can be put in place.
Cybersecurity Programs: No Instant Gratification
Maybe you’ve heard the old saying: It takes nine months to make a baby, no matter how many women you put on the job. As it turns out, when it comes to speeding things up, cybersecurity programs are likewise constrained.
With that in mind, it’s important to go into any new cybersecurity endeavor with eyes open and realistic expectations. It’s a process, involving you and your team, not a thing you pick off the shelf and install next Tuesday.
As for me, I’ve got five years lead time to get in tip top shape for reunion #30. There is no time to waste!
This article originally appeared on the Fractional CISO blog.
Helping to secure companies one third party at a time.
3 years ago: “How long will it take to get our cybersecurity program going?” Today. Immediately. As soon as you decide to. These are acceptable answers to the question at hand. “How long will it take to develop a cybersecurity program?” It depends. Two very different questions with strikingly different answers.
Everyone has a story, can I tell yours?
3 years ago: No instant gratification... but persistent effort is well-rewarded. For both working out, and cybersecurity!
Cybersecurity Operations Manager at Fractional CISO | CISSP
3 years ago: Every One Needs To Hear This!
Information Security Analyst - Podcast Host - CloudCon CoFounder
3 years ago: As always thanks for the tag! Having just finished up the 5 year plan that was put in place by my former CISO (Lenny Levy/CIO Patrick O'Hare), I can say that you are correct on both counts, it depends and it takes time. Those two items are sooo critical to understand. I always use my hiking adage that you take one step forward towards that first plateau, once you get there go to the next, and before you know it you will be at the top of the mountain. The first step on that journey is first understanding what your goals/priorities are, how to get there comes next. Yes you are going to fail/fall sometimes. But the absolutely most important thing to understand is that you at least have to take that first step or you will NEVER get there. My final piece of advice is that your mountain journey is never over. Once you climb that first 14k'er, you will need to do another. That may sound exhausting but the good news is that you will never be bored!
CEO Ammolite Security | Cybersecurity Executive | Board Director | Top 20 Women in Cybersecurity | Queen's Platinum Jubilee Medal Recipient
3 years ago: Another point to mention is that leadership needs to allocate sufficient resources to develop and implement their cybersecurity programs. Underfunded programs lead to failure.