Cybersecurity Programs Take Time

Were it not for a worldwide pandemic (maybe you heard about it?), I would have attended my 25th college reunion at Wash U (Go Bears!) in St. Louis last month. Instead, the event was held online, and few people showed up.

That’s understandable. College reunions are not so much about exchanging vital information as they are about catching up with old friends, seeing how the campus has changed, shaking hands, exchanging hugs, and drinking a beer, or seven. Zoom just doesn’t cut it.

There is one advantage to a virtual reunion, though: no lead time required.

You don’t need to prearrange a plane ticket, a hotel reservation, or a rental car. And, maybe most significant in terms of preplanning, you don’t need weeks and weeks to get in shape and/or lose weight, two objectives that require the passage of time.

Well, guess what? When it comes to setting up a robust cybersecurity program for your organization, you can’t simply snap your fingers and put one into place overnight, either.

Cybersecurity Programs are a Process

When speaking with a prospect about establishing a new cybersecurity program quickly – often because they have a new customer that requires certain commitments – they invariably ask, “How long will it take to meet these requirements?”

My answer is nearly always the same: “18 months.”

At that point, I don’t necessarily even know the specifics of the program or the compliance requirements. But after going through this process dozens of times with a range of clients, I’ve learned that the specifics don’t really matter. Like losing weight, cybersecurity takes time.

“Can it be done faster?” they invariably ask.

Here, too, my response is pretty consistent: “Yes, but what are you willing to sacrifice to speed it up? Is this going to be your top priority, something that takes precedence over things like making sales or delivering on customer commitments?”

Their answer, of course, is “no.” As it should be. No company is going to dedicate 100% of its time over even a single month to get all its policies developed and put in place. It just won’t happen, and so a phased approach over several months is closer to reality.

Okay. So if it’s not overnight or even one month, which factors come into play in determining how long it will take? Let’s take a look…

How much time are you going to dedicate to this? 

A security program comes at a cost – one of those is time. And sure, like an actor who works out five hours a day to take on a role as a boxer, you could push everything else aside to shrink the timeframe. But it’s not likely, nor is it advisable if the things you would push aside generate needed revenue.

So, start by figuring out what’s necessary to implement a new program. How many and what types of policies are you trying to put into place? How often will your internal team meet? What documentation and training are required? Use these and other key factors to create a realistic schedule that estimates how much time you will need.

Then double it. If my experience holds true, you are being way too optimistic.

What will the Cybersecurity Program’s impact be on the status quo?

Part of the reason cybersecurity takes time to implement is that it’s a contact sport – everyone inside your organization plays a hands-on role. You can’t simply outsource it the way you might with the installation of a new HVAC system or the hiring of a new marketing agency.

Yes, professional cybersecurity experts can lead the way – developing a plan, helping you meet on a regular basis, tracking progress, keeping the team on track, etc. But like hiring a personal trainer, you’re the one who needs to get down there and do the pushups.

How well-informed and committed is senior leadership?

Anytime someone invites us in to talk about cybersecurity, it’s because at some level, they understand that things are not as they should be. They may believe that they are “better than average” (although on average, they are not), but even if they are, it’s not enough. “Above average” is not a high enough bar for surgeons, airplane pilots, or those who are trying to keep the bad guys from doing damage.

That’s why, in our experience, it all starts at the top with the CEO: does he or she have a risk-informed view of the organization? That means more than just having a bunch of security controls in place. It means understanding and committing to cybersecurity programs across the board, in a systematic and well-conceived manner.

More than anything, CEO dedication to cybersecurity is what correlates most strongly with the speed with which a new program can be put in place.

Cybersecurity Programs: No Instant Gratification

Maybe you’ve heard the old saying: It takes nine months to make a baby, no matter how many women you put on the job. As it turns out, when it comes to speeding things up, cybersecurity programs are likewise constrained.

With that in mind, it’s important to go into any new cybersecurity endeavor with eyes open and realistic expectations. It’s a process, involving you and your team, not a thing you pick off the shelf and install next Tuesday.

As for me, I’ve got five years lead time to get in tip top shape for reunion #30. There is no time to waste!

This article originally appeared on the Fractional CISO blog.

Mark Dunaisky, CISSP

Helping to secure companies one third party at a time.

3 years

“How long will it take to get our cybersecurity program going?” Today. Immediately. As soon as you decide to. These are acceptable answers to the question at hand. “How long will it take to develop a cybersecurity program?” It depends. Two very different questions with strikingly different answers.

Blane Erwin

Everyone has a story, can I tell yours?

3 years

No instant gratification... but persistent effort is well-rewarded. For both working out, and cybersecurity!

Chinmayee Paunikar, CISSP

Cybersecurity Operations Manager at Fractional CISO | CISSP

3 years

Every One Needs To Hear This!

Aaron Bregg

Information Security Analyst - Podcast Host - CloudCon CoFounder

3 years

As always thanks for the tag! Having just finished up the 5 year plan that was put in place by my former CISO (Lenny Levy/CIO Patrick O'Hare), I can say that you are correct on both counts, it depends and it takes time. Those two items are sooo critical to understand. I always use my hiking adage that you take one step forward towards that first plateau, once you get there go to the next, and before you know it you will be at the top of the mountain. The first step on that journey is first understanding what your goals/priorities are, how to get there comes next. Yes you are going to fail/fall sometimes. But the absolute most important thing to understand is that you at least have to take that first step or you will NEVER get there. My final piece of advice is that your mountain journey is never over. Once you climb that first 14k'er, you will need to do another. That may sound exhausting but the good news is that you will never be bored!

Cara Wolf

CEO Ammolite Security | Cybersecurity Executive | Board Director | Top 20 Women in Cybersecurity | Queen's Platinum Jubilee Medal Recipient

3 years

Another point to mention is that leadership needs to allocate sufficient resources to develop and implement their cybersecurity programs. Underfunded programs lead to failure.
