Seeing risk for what it is

So it looks like the broader business community is getting religion on cybersecurity--and it's about time. Organizations are finally considering the impact of not just regulatory oversight, but also of the true price of bad press. After all, what would you be willing to pay to keep your company name out of the headlines?

The cybersecurity game is all about risk management: assessing the likelihood of something happening, deciding what the consequences and cost of such an event might be, and weighing all that against the cost of the various countermeasures your organization might invoke to protect against the threat.

So if you've decided it's time to get down to really building your cybersecurity program, one of the places you can start is with the assessment. This naturally means understanding a couple of key issues: what is your risk tolerance as an organization, and how well do your internal processes stack up against a defined standard or security framework?

There are lots of frameworks out there to choose from, but it's always best to consider what organizations similar in size and complexity to your own are doing. For those who go the ISO route, consider the ISO 27000-series security frameworks. If your organizational focus is more in North America, or if you are a smaller entity looking for a good standard that's easy to understand and actionable, consider the NIST framework.

Oh, and don't think of this as a once-and-done kind of exercise. Your organization should design and implement a regular review/renewal cycle for its risk assessment. Keep on top of what concerns you the most, because you'll find that over time the threat environment evolves--sometimes rapidly. And when the chips are down, that's NOT the moment to start thinking of ways to address risk.

This entry was posted on Sunday, March 15, 2020.