
Which Cybersecurity Tasks Should I Prioritize First? Tips from the Experts

Angela Gelnaw | July 30, 2018

Cybersecurity is a multifaceted topic with many constantly evolving variables. For CISOs and other security leaders, just knowing where to begin can be a challenge. Let’s say you’ve just taken over an organization’s cybersecurity program, or have been tasked with building one from scratch. You have a limited budget and limited personnel, so you can’t accomplish everything at once. Which tasks deserve your focus in the critical first few months?

We’ve rounded up some cybersecurity tips from industry experts to help guide your initial strategy.

1. Start with the Data

“Security” is a relative term. What exactly are you keeping secure? The first priority for any security leader should be developing an understanding of the data they’re supposed to be protecting.


A security leader must understand what data is most valuable to their organization. This could include the usual suspects like personally identifiable information (PII) and credit card data, but might also extend to items like trade secrets, manufacturing data, or intellectual property.

“If you were a cyber criminal, which data would you want to steal?” asks Jake Olcott, VP of Strategic Partnerships at BitSight. “That’s where you’ll probably find your most sensitive data.”

What does “sensitivity” mean? According to Olcott, “you could define sensitivity as the data that would have the worst impact if it was stolen.”

Tim Marlin, Head of Cyber Underwriting for The Hartford, agrees that this kind of top-level data analysis is a top priority. He suggests taking an inventory of the business’s core assets and sensitive data.

“Identify where this business information is stored and who within the organization has the authority to access it. Include personally identifiable information (PII) for employees and customers (such as social security numbers, healthcare records, credit card numbers, etc.), bank account data, company intellectual property and any other information that could damage the business if it got into the wrong hands.”

2. Prioritize Initiatives Based on Data Sensitivity

Once you have an understanding of what data your company needs to protect, it’s important to rank this data from most sensitive to least sensitive. Because you have limited resources, you won’t be able to give equal attention to protecting every last bit of information. Therefore, it’s necessary to decide where you’ll be focusing your efforts first.

This strategy of risk prioritization was recently adopted by the U.S. government. The Department of Homeland Security’s latest cybersecurity strategy is focused on risk prioritization, with one major goal being to “assess the evolving national cybersecurity risk posture to inform and prioritize risk management activities.”

3. Engage with Senior Executives and the Board

While you’re developing and rolling out cybersecurity initiatives, you also need to build a rapport with senior executives and the Board of Directors. Boards are taking an increasingly active role in cybersecurity, with 45% of Board members saying they actively participate in setting the security budget at their company. Therefore, the success of your cybersecurity program will depend in part on how much buy-in you receive from leadership.

“You need to align your program with organizational priorities,” says Jake Olcott. “Familiarizing yourself with the goals of senior leadership can go a long way toward building a cybersecurity program that’s effective in the long term.”

So, how can you go about building this rapport?

Kevin Roden, former CIO of Iron Mountain, recommends taking it to the “land of me.”

“You need to take it to the land of me. If I’m the CFO and this happens, what’s in it for me? What does this mean to me and to the business that I’m responsible for? Or if I’m the COO, what does it mean for the business that I’m running?”

Building a good relationship with other executives and the Board might not seem like a high priority, but it’s an absolute necessity for those looking to create a sustainable cybersecurity program.

4. Get to Know Your Environment

Deciding which security policies, controls, and products will best serve the needs of your organization requires a thorough understanding of the IT environment. Complete network audits should be conducted regularly, either by internal teams or third parties. However, when you first come on board, you’ll want an up-to-date assessment fast.

Software is one way to gain this understanding quickly.

“BitSight analyzes a range of externally observable risk factors in your environment to show you which are presenting the most vulnerabilities,” says Jake Olcott. “Ratings in these specific risk vectors can then be used to prioritize your cybersecurity efforts.”

The risk vectors BitSight analyzes include:

  • Botnet infections
  • Malware servers
  • Potentially exploited machines
  • Open ports

5. Engage with the Workforce

Senior leaders aren’t the only stakeholders you’ll need to gain favor with as you roll out your cybersecurity program. You’ll also want to devote some resources toward building a good relationship with the workforce as a whole.

Why? Because employees are one of the weakest links in any company’s cybersecurity efforts. According to Verizon, user-related risk vectors like phishing, privilege abuse, and misdelivery made up three of the top five action varieties of data breaches in 2017.

Eventually, you’ll want to work with other departments to implement effective security awareness training for all employees. In the beginning, however, it’s worthwhile to make your presence known with frequent messaging, like a weekly update email.

“When talking about cybersecurity with non-IT staff, it’s important to use as much evidence as possible in your messaging,” says Jake Olcott. “BitSight is a great way to introduce that evidence.”

Because BitSight Security Ratings are easy to understand and simple to track over time, they are the perfect tool for communicating the state of an organization’s IT security to the workforce as a whole. Over time, you can use security ratings to foster a sense of responsibility and accountability for security in every employee.

What’s next?

As your cybersecurity program matures, prioritization will continue to be a useful skill. There are several guiding methodologies one can use to prioritize resource allocation, including this one from the nonprofit Center for Internet Security:

“In an ever-growing mix of hundreds of potential cybersecurity concerns and even more proposed solutions, CIS applies the Pareto Principle — the concept that for many activities, roughly 80% of the effects come from 20% of the causes — to help prioritize cybersecurity actions. For example: in 2002, Microsoft found that roughly 20% of all bugs were causing 80% of reported errors, allowing them to focus their resources on the most needed fixes.”

Whether you apply the Pareto Principle or some other guiding philosophy, having a defined method in place will help you scale your cybersecurity program with the organization and with the evolving cyber risk landscape.
