Having a vision of what you’d like to achieve is important for all strategic business priorities—and cybersecurity is no different. With a constantly evolving threat landscape, it is never too soon to evaluate the strengths and limitations of your organization’s current cybersecurity program and to set a goal for an improved future state.
Establishing a cybersecurity vision, communicating that vision to everyone in your organization, and knowing what your opportunities for improvement are is what makes positive change possible. It’s powerful because it helps the people in your organization understand the culture around cybersecurity and their personal responsibility toward the shared vision.
For most organizations, having a robust cybersecurity program that adds resiliency and builds trust is part of the long-term vision. Establishing the right program can feel overwhelming, but no organization is too big or too small to establish and benefit from one. Making that vision come to life begins with understanding your current cybersecurity posture and outlining strategic objectives based on the gaps and weaknesses you find.
If you’re struggling with where to begin, start by asking:
- Have we selected a reliable framework that we want to base our policies and controls on?
- Have we performed a risk assessment?
- Do we have effective policies and controls in place to manage risk?
- Are there areas of improvement? Can we simplify controls to help us work smarter rather than harder?
- Are there controls we’re doing manually today that could be strengthened through automation?
- Are there framework requirements that we haven’t met because we’re missing controls?
- Do we have the right people in our organization operating and maintaining our cybersecurity program?
- Do we have a culture that takes security seriously?
To create meaningful short- and long-term objectives, start by assessing where your organization is today with a risk assessment. Find a well-recognized framework for managing cybersecurity (such as the 18 CIS Controls, NIST, ISO 27001, or SOC 2) and review the framework requirements to determine whether or not you have controls in place to address the risk of each requirement. Any gaps in control coverage can be assessed to determine actionable next steps that will improve your cybersecurity program.
If your organization needs help with a risk assessment, consider vCISO advisory services that can provide guidance and expertise on how to improve a cybersecurity program, or get one off the ground.
If you’re getting started on your journey, it’s going to be important to get approved policies implemented and communicated to your organization. You’ll want to train your personnel on cybersecurity trends and their personal responsibilities. Spread the word and create a culture of security-mindedness.
As you outline long-term goals, think about the potential certifications your organization may want to achieve. SOC 2 and ISO are excellent goals for many small to medium-sized businesses. Long-term goals should also be mindful of continuous improvement—consistently asking where your organization can improve controls or scale processes.
Gone are the days that cybersecurity is siloed somewhere within the IT department. Cybersecurity should be a strategic priority for any modern business and needs to be discussed at the highest level of the organization alongside other business priorities such as customer satisfaction or growth.
Simply having a vision and communicating that vision is the first step to aligning your organization with shared cybersecurity goals. When people understand where their organization is headed, they can focus on figuring out how to get there without wasting energy going in multiple directions or wondering how their work makes an impact. Here are a few communication strategies to help your organization get and stay aligned:
- Set and communicate your vision.
- Hold everyone accountable with defined, actionable, and measurable tasks.
- Keep cascading messages simple.
- Say important things multiple times.
It may take some time to get everyone on the same page, but the results can be exponential.
Interested in learning more about how to establish a cybersecurity vision? Contact us today.
About the Author
Kyle Helles, Head of Attest
As Head of BARR Advisory’s Attest Services, Kyle leads all efforts related to Attest client needs. She specializes in performing assessments over the design and operating effectiveness of control environments based on industry trends, leading best practices, and regulatory requirements.
Prior to joining BARR Advisory, Kyle held audit roles in EY’s IT Risk and Assurance practice, Frontier Communications, and Conduent Business Services. She is a Certified Public Accountant (CPA).