The Need for a Holistic Approach to Your Cybersecurity Program
We see it every day—another security breach causing exposure or theft of debit and credit card information, passwords, intellectual property, or personally identifiable information (i.e., Social Security numbers) and medical data. Breaches have caused millions of dollars’ worth of bad publicity and lost revenue, in addition to the growing cost of breach mitigation and service restoration. With high expectations from the public, and stringent regulations from legislative and industry bodies, never have the pressures on nonprofits been so great to protect their information assets, as well as those of the stakeholders they serve.
At (ISC)², we are working to build a workforce of well-trained and certified people who have the skills and capabilities to deal with cybersecurity challenges. Founded in 1989, our mission is to support and provide members and constituents with credentials, resources and leadership to secure information and deliver value to society.
Bad actors orchestrating breach attempts can fail thousands of times over, but they are relentless. Our global cybersecurity workforce has a small-to-zero margin for error, so the odds are not in their favor. Consequently, they need help from everyone in the organization.
As more organizations leverage cloud-based solutions and services, cybersecurity for nonprofits has become increasingly complex. How can nonprofits face the challenges of the evolving threat landscape? By employing a holistic approach to cybersecurity that continually accounts for financial, human and physical resources, along with outreach/oversight and politics/standards, nonprofits can mount a strong cyber defense.
Developing strategies for improving cybersecurity budget formulation and execution is paramount. It is also important to raise awareness that cybersecurity is a business enabler, and not a hindrance or money-pit cost center. Cybersecurity investments should be requested and managed on a project-by-project and business-unit-by-business-unit basis. A “one-pot-of-money” approach to funding seldom works because it fails to drive awareness of corporate-wide cybersecurity responsibility.
People drive the work, and without them a cybersecurity program goes nowhere. Organizations also need to invest in their cybersecurity workforce, and cybersecurity professionals need to commit to lifelong learning. Establishing cybersecurity as a responsibility of all employees is critical, and building cybersecurity desired-outcomes into all employee performance plans—including the C-Suite—is essential.
Leadership must constantly assess physical resource requirements and manage the delta between what is on-hand and what is needed to support a holistic cybersecurity program. For example, assessing IT infrastructure and corporate facilities, and performing ongoing data valuation and privacy assessments. As part of the assessment, there should be ongoing consideration of the right mix of capital versus operating-expense model solutions (i.e., on-premise/cloud and insourcing/outsourcing). To avoid solutions sprawl and wasted investment, it’s also important to align the acquisition of cybersecurity tools with enterprise architecture.
There’s a need for continual assessment to determine how well cybersecurity outreach is working with all stakeholders. The ability to communicate is key, and transparency is the best policy. The better we are with our stakeholder outreach, the better relationships we will have with our oversight organizations (e.g., boards, auditors and regulators).
From office politics to government politics, there are always implications to consider. Governmental, corporate and office politics are always in play and can represent change management benefits and obstacles. Even requiring standardized annual end-user security training or strong password standards can become political. Striving for standards can drive organizational politics, and political objectives can drive the need for standards. Never underestimate how powerful (positive or negative) the political dynamics can be, and how challenging it is to establish enterprise standards.
To establish and sustain a holistic cybersecurity program requires a comprehensive and understandable business value-proposition that is blatantly obvious to even the casual observer. Building a strong cyber defense means having a workforce of well-trained and certified people who are capable of recognizing and mitigating threats to information assets and associated infrastructure. The right complement of financial, human and physical resources working in concert provides the best opportunity for efficient, effective and sustained results. Meaningful cybersecurity programs do not evolve organically. Establish a comprehensive plan, and work the plan.