Today, we’re continuing with my steps to master cybersecurity in part two of this series. Previously, I mentioned steps such as recognizing the threat of cyber attacks, understanding your risks, and being cyber resilient, and I left you on a cliffhanger about what I deem the most important thing you need to know to master cybersecurity.

Let’s get right to it, then. If there’s anything I want you to take away from my blog, it’s this: cybersecurity is not a technology problem, it’s a management problem. Technology is how we got into this situation, there’s no doubt about it, but the bumps we run into need to be treated as management problems. This ties into another step to cybersecurity, which is to use all of your resources. Everyone in your organization should be practicing good cybersecurity habits, even employees doing basic tasks like working at a front desk. Your IT department should not be doing all of the work; remember that cybersecurity is a team effort.

The next step is to measure where your organization is in terms of cybersecurity. How good are your cybersecurity policies? What risks are you already mitigating? You need to know these things to improve. I often use something called the NIST Cybersecurity Framework to assess a client’s organization, as it breaks the process into small, manageable chunks. The NIST framework doesn’t tell you exactly how to measure, though, so I’m going to explain that now. Security works as a relationship between cost and risk, best illustrated by a simple graph with two axes. Cost is X, risk is Y, and as you move right on the graph to spend more money, your risk goes down, plateaus, and then goes up after a certain amount of spending. I’ll explain why increased spending causes increased risk next time.

