Your Cybersecurity Program Needs Goals

“It’s not the years, it’s the mileage.” – Indiana Jones

Regular readers may remember the February 2023 edition of this newsletter in which I shared the news of my hip surgery the previous year. I set a goal for myself then: Before the year ended, I would be back skiing with my kids.

Well, I am happy (thrilled) to share that a couple of months ago that milestone was achieved on the snowy slopes of Stowe, Vermont. I skied 1 day (the kids skied 3). And while I am definitely not going to win any skiing awards, hearing your kids say, “Dad, you are a pretty good skier,” was all I needed.

It was a long road.

Over the past year, I worked out most days – probably 330 out of a possible 365. Some days it was a short bike ride or ten minutes of stretching; others, it was a couple of hours lifting weights. One day I was even at the gym lifting with a buddy for four hours and was super-sore for days after. (Thanks, Tom!)

And the thing that kept me showing up and working hard day after day? It was having that clear, measurable goal in my head: Skiing with my kids by the end of the year.

Clear and Measurable

Clear goals aren’t just for middle-aged dad-skiers; any organization that hopes to maintain a secure environment needs them too. After all, the security landscape is constantly changing, your organization is continually evolving, and the bad guys never sleep for long. You need a program that takes all of this into account.

But if your goal is something like, “improve our cybersecurity,” well, how are you going to know – and let your boss know – that your goal has been reached?

That’s why you need to set goals with a measurable outcome and timeframe, such as…

  • Implement these 10 controls
  • Reduce risk by 30%
  • Qualify for cyber insurance
  • Achieve a certification (such as ISO 27001)
  • Successfully complete an audit (such as SOC 2)
  • Shorten the sales cycle by 10 days by reducing cybersecurity pushback

Now you’re talking. These kinds of specifics allow you to plan for where your program will be: next month … next quarter … next year.

Track and Share Progress

Of course, setting goals is the easy part. Now you need to show up at the “gym” every day and keep a close eye on progress to make sure you are moving on pace and in the right direction. If not, you’ll need to either put more effort into your goals or make adjustments to their scope and timeframe.

You’ll also want to periodically share where you are with your management team, both to keep yourself on track and to ensure that management is in the loop on these important initiatives. Also, if some departments are resistant to your efforts, management’s involvement can be key.

How do We Measure Success?

Some goals are inherently more amorphous than others.

Implementing Multi-Factor Authentication (MFA) on all critical and noncritical systems or establishing Endpoint Detection and Response (EDR) on all laptops … that’s easy to track. Something like “reduce cyber-risk by 30%,” which is also a worthwhile goal, is less so.

But don’t let a goal’s fuzziness keep you from setting it and doing your best to track it. In the cyber-risk example above, if your organizational risk last year was a 10% chance of a $5 million loss, and assuming you perform quantitative cyber-risk assessments annually, you can establish targets for reducing both of those numbers this year.*

(*Yes, risk is a continuous measurement and not measured for a single probability / loss level, but let’s keep it simple for purposes of this article.)
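Here is an added example, not code from the article or its author, of how the two kinds of goal discussed above can be tracked in a form you could share with management: MFA coverage per system tier, and year-over-year reduction in quantified risk. It goes slightly beyond the single probability/loss pair in the text by summing several loss scenarios into an annual loss expectancy, which is one simple way to respect the footnote's caveat. All system names, user counts, probabilities and loss figures are constructed for illustration.

```python
"""Measurable-goal tracker: MFA coverage and quantitative risk reduction.
Added example; every number below is constructed, not taken from any
real assessment."""
from dataclasses import dataclass


@dataclass
class RiskScenario:
    name: str
    probability: float  # annual probability the loss event occurs (0..1)
    loss: float         # dollar loss if it occurs


@dataclass
class System:
    name: str
    critical: bool
    mfa: bool
    users: int          # used to judge whether a remaining gap is worth chasing


def annual_loss_expectancy(scenarios):
    """Sum of probability * loss across scenarios (the article's single
    10% x $5M case is the one-scenario special case)."""
    return sum(s.probability * s.loss for s in scenarios)


def risk_reduction(last_year, this_year):
    """Fraction by which expected loss fell between two annual assessments.
    Negative means risk went up."""
    baseline = annual_loss_expectancy(last_year)
    if baseline == 0:
        raise ValueError("no baseline risk to reduce against")
    return 1 - annual_loss_expectancy(this_year) / baseline


def mfa_coverage(systems, critical):
    """Share of systems in one tier (critical or non-critical) that have MFA."""
    tier = [s for s in systems if s.critical == critical]
    if not tier:
        return 1.0  # nothing in the tier, so nothing is uncovered
    return sum(1 for s in tier if s.mfa) / len(tier)


def mfa_gaps_worth_chasing(systems, min_users=5):
    """Non-critical systems still lacking MFA with enough users to justify
    more spend; anything below min_users is a 'declare victory' candidate."""
    return [s.name for s in systems
            if not s.critical and not s.mfa and s.users >= min_users]


def goal_report(last_year, this_year, systems, risk_target=0.30):
    """Value, target and met/not-met for each goal, ready to share upward."""
    reduction = risk_reduction(last_year, this_year)
    crit = mfa_coverage(systems, critical=True)
    noncrit = mfa_coverage(systems, critical=False)
    return {
        "risk_reduction": {"value": round(reduction, 3), "target": risk_target,
                           "met": reduction >= risk_target},
        "mfa_critical": {"value": crit, "target": 1.0, "met": crit >= 1.0},
        "mfa_noncritical": {"value": noncrit, "target": 1.0, "met": noncrit >= 1.0},
    }


# Constructed sample data: two loss scenarios assessed in consecutive years.
LAST_YEAR = [RiskScenario("ransomware", 0.10, 5_000_000),
             RiskScenario("business email compromise", 0.30, 200_000)]
THIS_YEAR = [RiskScenario("ransomware", 0.05, 4_000_000),
             RiskScenario("business email compromise", 0.15, 200_000)]

# Constructed inventory: 3 critical systems (all MFA), 20 non-critical
# systems of which 17 have MFA, matching the 85-of-100 shape in the article.
SYSTEMS = (
    [System(n, True, True, 200) for n in ("erp", "identity-provider", "vpn")]
    + [System(f"app-{i:02d}", False, True, 10) for i in range(17)]
    + [System("legacy-wiki", False, False, 2),
       System("lab-jenkins", False, False, 12),
       System("old-crm-sandbox", False, False, 1)]
)

if __name__ == "__main__":
    for goal, status in goal_report(LAST_YEAR, THIS_YEAR, SYSTEMS).items():
        print(f"{goal:16} value={status['value']:<6} target={status['target']:<5} "
              f"{'MET' if status['met'] else 'not yet'}")
    print("non-critical MFA gaps still worth funding:",
          mfa_gaps_worth_chasing(SYSTEMS))
```

With the constructed figures, expected loss falls from $560,000 to $230,000, a reduction of about 59%, so the 30% target is met, while non-critical MFA sits at 85% with only one of the three remaining systems having enough users to justify further spend.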

Beware of Chasing Diminishing Returns

In some cases, as you get closer to reaching a cyber goal, you may find that the “last mile” is the most difficult to accomplish.

Consider the MFA example earlier. Maybe you have succeeded in implementing MFA in all your critical systems and in 85 out of 100 noncritical systems. For these last 15, if there is no easy integration with another system that could give you MFA, or if these are marginal systems used by just a few people, it may not be worth spending more time (i.e., dollars).

As you achieve more in a particular area, the urgency there (typically) declines and other goals become more important. At that point, declare victory and move on to other parts of the business.

It’s All About Forward Progress

There is no one outside of your business keeping score. As long as you and your leadership agree on what your priorities and associated timeframes are and are making progress in some way, you are helping to better protect your organization.

The act of setting goals and continually moving towards them is where success lives.

Because as that famous cybersecurity guru Yogi Berra once said, “If you don’t know where you are going, you’ll end up someplace else.”

Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.

Andrew Livanos

ENT Security @ 1Password | Securing every sign in, for every app, on every device.

3 months

I love point 3… you’d be shocked how many orgs want to rotate all passwords every 90 days… even when using a password manager.

Louis Van Der Westhuizen, CISA, CIA, CISSP

Empowering SaaS Startups to Achieve Confident, Cost-Effective Compliance with: #SOC 2, #ISO27001, #HIPAA, #vCISO.

4 months

Measurable Goals are essential, finding a balance between setting those goals and then also funding those goals is the challenge. I expect less of a challenge these days but still not completely solved. Thanks for sharing Rob Black.

Anthony Leece

Fixing your business resiliency before it hits your bottom line.

4 months

Finding the clarity needed to make better security goals is arguably the most difficult part, and frankly where traditional consulting needs a bit of an overhaul. I found way better success by starting at the point where the security program is most visible, the breach in the business, and delivering it in a way where the non-security attendees become infatuated with the program at large. That solves the management buy-in problem very nicely.

John Dundas

STASH Datacentric Secure Collaboration

4 months

Bernadette Dutra

Rick Bullotta

Investor/Advisor/Mentor

4 months

4. Implement a 3rd party endpoint security application on Windows
