This is part 1 of a series to teach small-to-mid-sized organizations how to navigate the complex world of cybersecurity, how to budget, plan for, and implement a cybersecurity program. This series will give you the tools to make the decisions needed that protects your reputation and your ability to do what you do best – whether it’s treat patients, help customers achieve their financial goals, run a state agency, county or city, educate children, or any other business. We will take you through the process of deciding whether you do it yourself or hire a service provider to handle it for you. We know this is daunting, but we’re here to help you navigate through the process using plain English. And do you want to know something? It can be done so that the cost is within the financial reach of most of those small-to-mid-sized organizations just like yours.
As the CEO of Assura, I am often asked why people are forced through laws, regulations, and directives to implement a cybersecurity program. The answer is simple. You really do not have to do cybersecurity. Nobody is holding a gun to your head to do anything. (Well, unless they really are holding a gun to your head right now. If so, you have bigger problems to focus on right now and should probably handle that instead of reading this blog.)
Now back to the topic. You’re probably shocked by that statement, especially coming from the CEO of a cybersecurity services firm. However, there is truth in that statement. You do not have to do anything. In fact, cybercriminals would prefer that you do nothing. I can hear what some of you are thinking right now, “Get real, Karen. The regulators are forcing us to do it or we can get hacked. We can’t delay it any longer.” That might be the case, but what I am trying to highlight here is that there is always a choice. What happens when people feel forced to do something? Do they step right up and get started or do they kick the can until the negative consequences of not doing something overpowers the benefit? The reality that I’ve seen time and again is that forcing someone to do something, they see no immediate benefit in doing, will only get them to comply with the bare minimum.I bring this point up because I have dealt with leaders from all walks of life. You name it: CEOs, government leaders, elected officials, and the list goes on and on. They are constantly faced with a long list of things they “have” to do and their auditors, IT executives, and other members of leadership are frustrated because they are advocating to get cybersecurity initiatives implemented because “the regulators are coming”.
The audit is coming! The audit is coming!
So, what’s the answer to resolve this tension between being told that you have to implement a formal cybersecurity capability and other, high priority business demands? Here are three that I believe can guide the way to the answer:
- Acknowledge the past and present.
The news is strewn with headlines about this data breach or that. They happen so frequently that it’s almost to the point of just being background noise. In fact, there is a whole site dedicated to tracking the daily breach headlines.
Ten years ago, the bad guys were going after the big targets like large banks, but it’s a different ballgame and even the smallest companies are targets. These days, the bad guys don’t care about size because it’s all a numbers game to them. They cast their net wide and if you get caught in it, it doesn’t matter whether you’re Bank of America or a small doctor’s office with patient’s protected health information. Cybersecurity is now the cost of business in all modern companies because every company relies on computers connected to the Internet to facilitate key business functions – even if it’s nothing more than keeping the books.
Time for decision is now. Decide if you want to avoid what is playing out (rather publicly) for other organizations. I have a feeling that most of you will decide that it is not in your best interest to continue to kick the can on cybersecurity. (Otherwise, why would you be reading this post on a cybersecurity website?) If that’s the case, then proceed to the next step. That said, I know that some people may need to process some additional considerations.
For folks still on the fence, I ask this: what does the constant fear, stress, and worry about becoming a data breach victim or coming under increased regulatory pressure buy you? If your answer is “nothing” and if it isn’t bothering you, then I give you the permission to do nothing. In fact, you do not need to read the rest of this blog post. Thanks for visiting.
- Think about the possibilities for the future.
For those of you still with me, I want you to think about a future. In fact, get a nice soft blanket and a warm cup of tea and think about what a world looks like with cybersecurity in your life.
- Do you want to push the “easy button” and just have someone handle cybersecurity for you and your organization?
- Do you want to appoint or hire someone to be guru of cybersecurity for your organization but don’t know where to begin or whom to select?
- Could a hybrid solution where you make decisions about your cybersecurity, but do not necessarily do all the heavy lifting work for you?
Each of these approaches have their own merit from cost, strategic, and operational standpoints. I’ll be discussing those in a future post in this series. However, if you have an immediate need to answer those questions, feel free to contact me through our Contact Us page and I’d be happy to talk to you about those personally. And don’t worry, it won’t be a sales pitch and I won’t even send you a bill.
So think about a future where your operations aren’t disrupted by some faceless attacker across the world, where you maintain customer/constituent trust, and where you aren’t constantly playing catch-up to satisfy regulators and auditors.
Not an effective cybersecurity audit remediation strategy.
- Develop a Plan of Action.
No matter what decision you make, whether you use a company like Assura or decide to develop your cybersecurity capabilities in house; the very first thing you must do is to create a Plan of Action. In the immortal words of Yogi Berra, “When you see a fork in the road, take it.”
The biggest mistake we see people make with cybersecurity is that they jump in without a plan and just start addressing “the low hanging fruit.” I like to call it Cyber-Whack-A-Mole. While some of that work can be done immediately, you need to follow a structured process that empowers key decisions to be made by leadership. Once you’ve made the commitment to build a cybersecurity capability, taking time to define the process, tasks, and resources needed to achieve your goals is the single most important thing you can do to guarantee the success of your effort.
Whether you decide to become a cybersecurity conscious organization or continue to kick the can down the road, just keep in mind that it is a choice you are making. Not doing anything is just as much of a choice as doing something. You are in the driver’s seat and you are making the decision. Just understand the potential risks and go in with your eyes open.