If you could put a CISO on your team for one week, where would they set your cybersecurity priorities? Pratum’s Jeff Hudgens gave his answer on a recent cybersecurity panel hosted by Iowa’s Secretary of State. Jeff, an experienced cybersecurity pro now serving clients as a Pratum vCISO, framed the advice he gives clients in two categories:
- 4 first steps for setting your information security strategy
- 5 areas to guide your cybersecurity priorities
4 First Steps in Cybersecurity Strategy
If Jeff were starting his own company today, he’d start setting cybersecurity priorities with these four fundamental steps:
1. Develop A Committed Mindset
Too often, Jeff sees organizations fumble the follow-through on their public statements about cybersecurity. Social engineering training provides a common example. “Leadership sets the tone,” Jeff says. “The C-suite can’t be exempt from testing or skip the training.”
Leaders also must commit to taking security frameworks seriously, which means choosing the framework that actually fits your business. “Controls are there because they’re right for your business, not just because they’re something you do to simply check a box. Make sure the controls you select are reasonable for what you do.”
2. Understand ALL of Your Assets
“Most people focus conversations around data, which is a key piece. But think about the systems the data is on.” Jeff frequently hears clients talking about protecting their data, but they balk at spending money to update the 8-year-old servers the data sits on. “You’re kind of stuck on what you can do with that,” Jeff says, “and you’ll introduce vulnerabilities around that.”
Staff time represents another asset to manage carefully. Jeff points to the example of a CIO who is personally making changes in Active Directory, which means the CIO ISN’T thinking about strategic direction. It makes business sense to invest in some entry-level help to free up leaders to lead the organization.
3. Let Your Actual Risks Drive Your Investments
“You have a limited budget for IT and security,” Jeff says. “If you’re not doing risk assessments and keeping a risk register, then you’re not using facts to drive your program and where you put your effort.” Make sure your program for identifying and ranking risks is driving your decisions.
4. Focus on Progress, Not Perfection
Set manageable goals. “I see a lot of organizations try to pack five years’ worth of work into a year and a half, and that just stresses the team,” Jeff says. He recommends turning a large portfolio of risks into ranked priorities that you can tackle and cross off the list. “Let’s just move the ball down the field rather than trying to score a touchdown.”
How to Set Cybersecurity Priorities
With the right first steps, you can turn to five areas that Jeff recommends as a focus for your limited resources.
1. Assess and Measure Risks
Start with a comprehensive information security risk assessment, which forms the cornerstone for your entire security program. During a risk assessment, an experienced consultant takes a deep dive into every corner of your information security approach, including written policies, software updates, employee habits and more.
Along with that risk assessment (which many companies conduct annually in order to keep up with changes in the organization), be sure to include ongoing vulnerability scanning and recurring pen tests in your plan. “Many people don’t put vuln scans and pen tests in the budget,” Jeff says. “But they provide some of the best returns on investment.” Vulnerability scanning provides automated reconnaissance that spots known vulnerabilities in your systems. In a pen test, an ethical hacker acts like a threat actor and tests your defenses. Whether the test targets your internal or external infrastructure, Jeff says you’ll get the most actionable information possible about your security posture.
He also recommends creating key metrics for measuring performance and potential risks over time, providing important benchmarks of your progress. (That kind of data is critical to securing ongoing budget for these tests.)
2. Develop High-Quality Policies and Plans
Many organizations lack written information security policies. And many policies are written in ways that are unenforceable. Jeff advises dedicating real thought to these key documents. “Think carefully about your policies. Make sure you cover what you want to cover. Make sure they’re actionable, but keep them reasonable and don’t let them get draconian.”
Jeff puts an especially heavy emphasis on developing a thorough incident response plan. “If I were focusing on one key piece, it would be an incident response plan.” A recent IBM study showed that companies that keep a written incident response plan and test it regularly reduced the cost of a data breach by an average of 55%.
3. Implement End-User Awareness and Training
Improving every employee’s security awareness clearly pays off, considering that about 80% of all data breaches involve some kind of social engineering. Training and simulated phishing campaigns work—if they’re well-planned, well-executed and given time to work. Jeff emphasizes that organizational leaders should stop thinking of end users as the weak link in security programs and start enlisting them as frontline defenders.
4. Invest in Alerting and Monitoring
“If you can’t see it happening in your system, you can’t fix it,” Jeff says. That’s why he considers a monitoring solution such as a SIEM essential—and a next-gen protection platform such as managed XDR even better. IBM’s study showed that organizations that had security AI and automation in place spent 80% less handling a breach.
5. Set Up Third-Party Vendor Management
Supply chain attacks have been growing exponentially for months. In attacks like the well-known Kaseya breach of 2021, hackers slip malware into a supplier’s system, then let it quickly cascade out to all of that supplier’s partners. And Jeff notes that small businesses shouldn’t count on their obscurity to protect them. Hackers often use small companies as their entry point into the larger companies that they serve through the supply chain.
To learn how Jeff or another Pratum vCISO can help set up your specific cybersecurity strategy, visit our vCISO service page.