NetPillar - IT Solutions And Services Company Strategy


Strategy

These types of plans are cybersecurity road maps that establish pathways an organization can follow to improve its overall risk management approach.

Today, technology changes at a rate most businesses can’t keep pace with, and it’s this lag that introduces risk into organizations’ business operations. To manage risk, organizations must implement controls across this ever-increasing, turbulent network landscape. Some organizations also apply best-practice approaches to diverse risk portfolios using traditional concepts such as defense-in-depth and layered security technologies. We believe traditional methods need to be changed since they were initially envisioned for centralized, managed networks.

Now networks typically don’t have fully defined perimeters; they’re designed for the mobile worker and geo-dispersed teams with numerous third-party connections to vendors and trusted partners. It’s these new network infrastructures that exist in the cloud, shared data centers, and on mobile devices that force organizations to revisit their strategic plans. In essence, these plans are cybersecurity roadmaps that establish pathways an organization can follow to improve its overall risk management approach. These plans should describe how the security program will protect and share information, counter new and evolving threats, and support the integration of cybersecurity as a best practice for everyday business operations.

A strategic plan should note the “current state” of security practices and describe near-term objectives to be addressed in the next 12 months, midterm goals in the next 18-24 months, and long-term objectives over the next 36 months. This plan is usually developed by the organizations and is designed to be a living document. The vision, goals, and objectives of this plan should be reviewed at least annually.

Where security practices meet business objectives

To begin, the organization first needs to understand its current security state. This effort requires a continuous review of assets such as hardware, software, network configurations, policies, security controls, prior audit results, etc. The goal is to gather information on the current technology and application portfolio and current business plans, and then to gain an understanding of the critical data types required by business stakeholders.

As this data is assessed, the organization should then meet with business unit stakeholders to establish the value of the collected information. It is critical to have business unit leaders assist in this endeavor so that the value of each asset (data, system, application) is based on the time, effort, and resources it would take to replace it if it became unavailable due to a cyber-incident. This updated list of resources, prioritized by their value to the company, gives the organization a current view of what is required for the business to operate and the impact on that operation if an asset is breached.

Now, with a more refined view of the business’s security and risk requirements, it’s time to perform a risk assessment (ISO, NIST, COBIT) to establish a current exposure baseline. To plan this evaluation, the organization begins by using a risk management framework to assess all collected security information, identify any areas of vulnerability or potential exposure, and relate this data to ongoing business activities. Once the organization has completed this assessment, it can begin to develop its strategic plan. This living document is used to move the organization from its current security state to a future security state in which the assessed security gaps are being addressed and new services are deployed.

I recommend the following components of an organization’s Strategic Cybersecurity Plan:

Mission statement

Declaration of the organization’s core purpose (generally doesn’t change over time).

  • Example of what we have used before, “Develop and execute a proactive, company-wide security program based on Company’s strategic business objectives.”

Vision Statement

Incorporate a continuous security mindset into all aspects of our business functions.

Introduction

Statement about the business and the environment the security program currently operates in. We have seen the executive leadership team use this section to state its support of the security program and why it is critical for the business.

Governance

This part of the strategic plan is where the organization explains how the plan will be managed, who will audit its processes, and how changes will be implemented over time. Remember, this is a long-term plan, so ensure you have these procedures documented.

Strategic Objectives

The core of an organization’s strategic plan contains the objectives identified during the most recent risk assessment that need to be remediated. This section includes the latest assessment results and should have an ongoing project plan listing the various projects in the queue; each one should be tracked to a specific immature security control objective.

Out of this whole document, the strategic objectives are the part that will be continuously updated as projects are completed and the organization is reassessed to establish its new risk baseline. In the past, I have organized the projects and initiatives into a three-year timeline. Understand that this schedule can be shortened if funds are made available; in addition, the list of projects can be reorganized to meet current business needs or new threats. Each objective will have several actions/projects, derived from the assessment’s security gap data, which need to be completed.

Here is an example of a cybersecurity strategic objective:

  • Security objective – Data loss prevention
  • Key initiative – Security Policy, Standards, and Guidelines framework (these are the gaps that were found in the risk assessment).
  • Enables objectives – Data loss prevention, improved security of system and network services, proactive data management, and governance.
  • Description – Develop, approve, and launch a suite of information security policies, standards, and guidelines based on ISO/IEC 27001.
  • Key benefits – These benefits need to be aligned with the business.
    • Clear security baselines for all departments
    • Policy-based foundation to measure results
    • Consistent application of security controls across the enterprise
  • Project – the listed technology, service, etc. that will meet the objective.

Depending on your organization’s maturity, you may have several projects listed under a specific objective. We advise organizations to build the plan and manage the list of projects on an ongoing basis, providing a valuable report of business value to the executive team.
