Every company has implemented some form of security function to protect its communications network from threats that could impact the business. Individual implementations range from fairly basic to elaborate. A key factor for any successful implementation is that it must continually evolve to stay current with the ever-changing cybersecurity threats to your business.
Unfortunately, many business leaders view addressing network security issues as a “necessary evil,” where someone in the business is assigned the task of making the problem go away, and that is the last they think about it – until they encounter a major security event.
The most successful cybersecurity implementations are based on a few common denominators:
Cybersecurity is viewed as a strategic initiative within the business.
The cybersecurity implementation is based on a documented plan.
The cybersecurity plan is continually evolving to address the changing threat environment.
Fortunately, some companies are evolving their attitude and beginning to view cybersecurity as a competitive advantage.
Transitioning From Defense to Offense
You need only look as far as your company’s customers to find motivation for rethinking how and why you view your cybersecurity strategy. Every customer wants to know that their supply chain partners will be there when they need them – reliable and consistent.
We have all heard of multiple supply chain disruptions due to cybersecurity attacks. Many more occur that never see the light of day, impacting companies of all sizes. These disruptions are typically measured in days, not hours, of lost production.
Suppliers also often have sensitive customer information that can be at risk – it is the supplier’s responsibility to protect that information. Security breaches can impact relationships up and down the supply chain.
Most purchasing contracts have long contained clauses regarding the protection of information and data. We are now seeing more aggressive actions by the government to secure its supply chain. The Department of Defense is implementing a program called Cybersecurity Maturity Model Certification (CMMC), which makes minimum levels of cybersecurity implementation mandatory for participation in its supply chain.
Proactively addressing cybersecurity can turn a “necessary evil” into a competitive advantage. Implementing a solid cybersecurity plan and then communicating that you have such a plan can reassure existing customers that they have made the right choice in choosing your company as a supplier. This can also position a company to secure new business by demonstrating a commitment to being a consistent and reliable partner and providing a differentiation that will take others time and effort to match.
Establishing an Advanced Cybersecurity Plan
An advanced cybersecurity plan involves more than the application of technology. It is more than writing and implementing a plan. It is a culture that needs to permeate a business, involving every person in the business and every outside person who interacts with the business.
Whether a company is early in the development of its cybersecurity plan or already has a viable plan in place, there are some valuable tools available to help assess the current plan and identify steps to strengthen it. The most comprehensive guide outlining a fully integrated cybersecurity plan is provided by the National Institute of Standards and Technology (NIST). This guide comprises NIST standards SP 800-171 and SP 800-172.
Many companies are also building their cybersecurity plan using the Purdue Enterprise Reference Architecture. The Purdue model focuses more on technology implementation, while the NIST standards provide a broader, business-wide view of cybersecurity.
While the cybersecurity plan needs to be optimized for the unique characteristics of each company, there are major areas of focus that need to be addressed in every advanced security plan. In subsequent articles, we will dig deeper into the common themes to be considered as part of a step-by-step process for building a comprehensive cybersecurity plan.