Where am I going with this? I’m pointing out that there are bad people all around us lurking in the shadows meaning to do us harm in a non-physical or non-violent way. They are called hackers and really have nothing against you personally. They are just out to bring chaos to your world, grab sensitive data, possibly sell it or offer it back to you in exchange for money or they just may be doing it all to show that they can. After
If you haven’t been hacked, breached or compromised in some way by a hacker - rest assured you eventually will be, and really no amount of avoidance or mitigation planning can completely save you from the effects of hacker actions. Start taking some or all of these steps now to make it happen and keep your organization's corporate head above water, figuratively speaking...
Start somewhere. Please, please, please... start somewhere. It doesn't have to be with a full-fledged cybersecurity staff. But we have to start somewhere. If you are smaller, or a startup, or not often engaging in large, high-visibility, data-sensitive projects, then look for one or more internal resources who are interested in training in cybersecurity and have them take on the part-time or full-time role of cybersecurity lead, and have them participate on projects that may need that type of data management, risk evaluation and oversight. Or, if you're smart, you'll have them involved as a part-time resource on every project on an ongoing basis.
Charge everyone to be accountable. Now, I don't mean that everyone in the organization needs to become a cybersecurity expert. Far from it. But they need to have an awareness, an accountability to the company masses and the organization's customer base. Think “bystander apathy” and “bystander awareness.” Don't let the company masses become just bystanders. Get them actively involved in the effort to not leave the organization open to hacking. Think participation rather than hindrance or obstruction. Educate the masses in the organization on the criticality of what it means to have a data risk and breach that potentially cripples the organization, and ask everyone to be hyper-alert to black hat activities and to their own behavior that could cause security holes from an IT perspective.
Make cybersecurity part of every project and customer initiative going forward. Whether you grow a cybersecurity presence and knowledge base from within, starting with one or more individuals who have an interest, or you go full blown with a C-level presence like a Chief Security Officer (CSO), a hired staff of a few cybersecurity-certified tech leads and a big staff budget, it is imperative that going forward there is a cybersecurity presence on all data-sensitive projects and likely all projects, period. This presence may only be during risk identification, but it may also be needed on a weekly basis, having a sit-in presence at all weekly project status meetings to offer advice and decision input and to answer staff and customer questions. Trust me, the topic will only be growing in size. And with a project-by-project security risk presence, there is far less of a chance that something important might fall through the cracks. You never know when a technical decision made by someone less informed could open the organization up to a breach that could be very damaging.
Educate senior management on the probability, liability and exposure. As important as it is to educate the entire enterprise on the cybersecurity risks and enforce awareness and accountability, it is even more important that senior management be aware of and buy in to the need for a cybersecurity knowledge base and project involvement within the organization. Funding comes from this group, projects are sometimes prioritized and staffed from this group, and as the project teams need to evolve to handle the cybersecurity threats, so does the leadership of the organization. Just as with any program, improvement, or campaign... without the leadership buy-in, it is usually going to fail in the enterprise adoption effort as well. If leadership doesn't back it, it won't usually last.
Compile stats. Try hard to quantify things. From an IT standpoint, you can often tell how many potential breaches have been thwarted by whatever software you have implemented. Include that information in project status reports to teams, clients and senior management. The more benefits you can actually show in numbers – even dollars – the better. This will build fast confidence and buy-in to the measures being proposed and taken. Management loves to jump on board with new initiatives that are actually working. And the goal is to show progress fast and early, so that enterprise adoption, accountability and participation are a no-brainer and the learning curve is small and behind everyone quickly. Management loves numbers. Customers love numbers – especially positive ones. Figure out how to show numbers and you'll get them on board with the security movement and implementations quickly. And that is important to project protection and survival.
Summary / call for input
The bottom line is this – cybersecurity is an established risk that isn't likely to ever go away. Too many hackers having fun or trying to capture data and identity at the expense of others – sometimes even working to profit from it and not just cause damage. If you have high visibility projects or data sensitive projects or both, you will likely be a future target. We need to be vigilant and prepared.
Readers – what is your take on this list? What experiences have you had with the implementation of a cybersecurity infrastructure? It's rather new to most organizations so any advice we can share will be helpful.