Cybersecurity has always been critical; however, in some smaller organisations, efforts were tactical. Given the threat escalation and the new Australian Directors Standards, many of these organisations are now taking a broader strategic approach.
Here is what I have learned in the past six months supporting several clients.
Tactical efforts - these must continue, list them and check for duplicity.
Architecture - ideally, document “as is” and “to be”, target architecture. Prioritise areas of greatest vulnerability for investment now.
Liability - your existing service providers will not accept cyber liability. Rather, make them accountable for implementing the latest technologies and possible Cyber support functions such as a SOC (Security Operations Centre).
Contracts - develop standard Cyber terms in contracts as a provider of services or a recipient. Be prepared to review and update these regularly.
Cyber operations - highly likely that your organisation will need to increase staff or consider external services. Don’t delay a technology investment or strategy development if you don’t have a team yet. Start now to be more informed about resourcing requirements.
Prioritisation - technology implementation will likely be dependent on a few key resources. Prioritise initiatives based on the risk of vulnerabilities, consider resource capacity and develop the discipline of risk assessment in the prioritisation process.
Beware of biases - existing service providers, technology vendors, and employees may have biases toward solutions. Make sure everyone understands what is available in the broader market.
Metrics - develop a standard set of metrics against the NIST framework – identify | protect | detect | respond | recover - and look for trends within this data.
Software / systems vendors - potentially an area of great vulnerability. Develop clear Cyber standards for all, communicate these and seek to have the vendors assessed. Work with these organisations to reduce their vulnerabilities, beginning with their frequency of patching.
A couple of people have found the materials created from some of my recent engagements of benefit; I am happy to share these if somebody is interested. The case studies include an initial analysis of threat actors and vulnerabilities, strategy development workshops, board presentations and program plans.
Feel free to make contact.