How to Gain Cybersecurity Traction with Continuous Improvement
By: Angela Redmond, Director of Attest Services
Cybersecurity is an ever-changing field. Hackers and cybercriminals are getting smarter and constantly changing their approach, which is why it’s important to stay aware of the latest trends and breaches. Cybersecurity isn’t just an exercise you can check the box on and forget about—it requires continuous improvement and consistent alignment throughout an organization. So how can you be sure you’re gaining traction in your cybersecurity efforts?
Oftentimes the idea of cybersecurity can be overwhelming, particularly for smaller businesses that aren’t sure where to start. Small steps like staying up-to-date with industry blogs and webinars, attending trainings, and communicating common themes you’ve noticed across your organization are excellent ways to begin gaining traction in your cybersecurity efforts and achieving continuous improvement. Once security is ingrained across the organization, then you can begin to think about cybersecurity certifications or aiming for a SOC 2 report. It can be helpful to have someone, or a group of people, that are designated as security leaders within the organization to keep everyone on track.
Let’s learn more about how to gain traction with your organization’s alignment, processes, and people:
Gaining Traction with Alignment
Organizational alignment on a cybersecurity vision with short and long-term goals is crucial. Once you’ve established your cybersecurity vision, it’s important to measure and track how your organization is gaining traction towards its goals.
If you’ve already performed a risk assessment, establish a regular cadence of meetings to make sure everyone from leadership down is on the same page with cybersecurity initiatives. Use the risk assessment as the leading point for the agenda for these meetings—after you’ve identified security-related risks, you can create action items to remediate those risks. A key part of these regular meetings is to follow up on action items and provide status updates to key stakeholders. These meetings can also provide an opportunity to discuss any issues or potential issues. Depending on your organization, these meetings can be held quarterly or even monthly.
Regular security-focused meetings can also be used to keep everyone up-to-date on the latest cybersecurity trends or breaches. One strategy is to use security meetings as a book club—everyone reads a book, article, blog, or listens to a podcast prior to the meeting about a relevant cyber trend. Part of the meeting can be dedicated to discussing what they learned and how it may affect their organization.
If your organization is working towards any certifications or reports, these meetings are a good time to have regular internal updates on the progress.
Gaining Traction with Cybersecurity Processes
The most important thing organizations can do to gain traction on their cybersecurity processes is to prioritize security from the very beginning. Whether it’s a new process or a new product, it’s much easier to implement security measures early on instead of going back later.
Having an automation-first mindset can also help you to continuously improve your processes. Ideas can naturally flow when you determine what manual activities can be automated so that you can focus more fully on the real prize: security.
It’s also important to stay on top of ongoing trends with industry certifications. There are always new certifications or refreshes to existing ones. Instead of just working towards a SOC 2 and stopping there, continue looking for ways to improve your security by researching and identifying the framework that works best for your organization.
Gaining Traction with People
Most organizations have an annual security awareness training, which is important, but it’s just as important to think about your people from an ongoing perspective. It’s easy for the security mindset to go stale if employees only need to think about security once a year. Regular, company-wide communication about security efforts or book clubs across different departments are helpful for keeping cybersecurity top of mind.
When you hone in on the importance of cybersecurity and employees buy into it, they’re more likely to naturally think about baking cybersecurity into their processes instead of waiting to be told to do so. Too often, company culture makes employees worried they’ll “get in trouble” for failing a phishing test or security training. When organizations prioritize security and the role everyone plays in the organization’s cybersecurity objectives, it can help employees get on board. Building a cybersecurity culture helps with ongoing, continuous improvement when it comes to your organization’s employees.
Measuring Your Traction
Cybersecurity efforts need to be continuously measured. It’s not enough to simply set your goals—progress needs to be tracked in order to continue guiding your organization in the right direction. A cybersecurity scorecard is an extremely valuable tool for measuring your organization’s traction towards the cybersecurity vision. A scorecard is an evaluation tool that provides a quantified measurable against a predetermined key performance indicator (KPI). You can learn more about how to set cybersecurity KPIs and implement a cybersecurity scorecard with BARR Advisory’s How To Use Cybersecurity KPIs whitepaper.
When the mindset of continuous improvement is part of the cybersecurity vision and culture, it gives your organization the opportunity to grow, become more agile, and achieve cyber resilience.
Interested in learning more about gaining traction in your cybersecurity efforts? Contact us today.
About the Author
Angela Redmond, Director of Cyber Risk Advisory
Angela Redmond is Director of BARR Advisory’s Cyber Risk Advisory practice. She is known for her exemplary client service as well as her technical expertise in assessing security and compliance against regulatory standards including SOC 1, SOC 2, and SOC for Cybersecurity. Angela currently serves clients in a wide range of industries — from global technology services and media production to financial services.
Prior to joining BARR, Angela was a Senior Auditor for the Federal Reserve Bank in Kansas City and later a Financial Systems Analyst at the Board of Governors of the Federal Reserve System in Washington, D.C. She holds a Bachelor of Science in Accounting from Kansas State University.