1. Elevate cybersecurity risk management discussions to the company CEO and the leadership team.
- CEO and senior company leadership engagement in defining an organization's risk strategy and levels of acceptable risk is critical to a comprehensive cybersecurity risk plan. The company CEO—with assistance from the chief information security officer, chief information officer, and the entire leadership team—should ensure that they know how their divisions affect the company's overall cyber risk. In addition, regular discussion with the company board of directors regarding these risk decisions ensures visibility to all company decision makers.
- Executives should construct policy from the top down to ensure everyone is empowered to perform the tasks related to their role in reducing cybersecurity risk. A top-down policy defines roles and limits the power struggles that can hurt IT security.
2. Implement industry standards and best practices rather than relying solely on compliance standards or certifications.
- Lower cybersecurity risks by implementing industry benchmarks and best practices (e.g., follow best practices from organizations like the Center for Internet Security). Organizations should tailor best practices to ensure they are relevant for their specific use cases.
- Follow consistent best practices to establish an organizational baseline of expected enterprise network behavior. This allows organizations to be proactive in combatting cybersecurity threats, rather than expending resources to "put out fires.
- Compliance standards and regulations (e.g., the Federal Information Security Modernization Act) provide guidance on minimal requirements; however, there is more businesses can do to go beyond the requirements.
3. Evaluate and manage organization-specific cybersecurity risks.
- Identify your organization's critical assets and the associated impacts from cybersecurity threats to those assets to understand your organization's specific risk exposure—whether financial, competitive, reputational, or regulatory. Risk assessment results are a key input to identify and prioritize specific protective measures, allocate resources, inform long-term investments, and develop policies and strategies to manage cybersecurity risks.
- Ask the questions that are necessary to understand your security planning, operations, and security-related goals. For example, it is better to focus on the goals your organization will achieve by implementing overall security controls instead of inquiring about specific security controls, safeguards, and countermeasures.
- Focus cyber enterprise risk discussions on "what-if" situations and resist the "it can't happen here" patterns of thinking
- Create a repeatable process to cross-train employees to conduct risk and incident management as an institutional practice. Often, there are only a few employees with subject matter expertise in key areas.
4. Ensure cybersecurity risk metrics are meaningful and measurable.
- An example of a useful metric is the time it takes an organization to patch a critical vulnerability across the enterprise. In this example, reducing the days it takes to patch a vulnerability directly reduces the risk to the organization.
- An example of a less useful metric is the number of alerts a Security Operations Center (SOC) receives in a week. There are too many variables in the number of alerts an SOC receives for this number to be consistently relevant.
5. Develop and exercise cybersecurity plans and procedures for incident response, business continuity, and disaster recovery.
- It is critical that organizations test their incident response plans across the whole organization, not just in the IT environment. Each part of the organization should know how to respond to both basic and large-scale cybersecurity incidents. Testing incident response plans and procedures can help prevent an incident from escalating
- Incident response plans should provide instructions on when to elevate an incident to the next level of leadership. Regularly exercising incident response plans enables an organization to respond to incidents quickly and minimize impacts.
6. Retain a quality workforce.
- Cybersecurity tools are only as good as the people reviewing the tools' results. It is also important to have people who can identify the proper tools for your organization. It can take a significant amount of time to learn a complex organization's enterprise network, making retaining skilled personnel just as important as acquiring them. There is no perfect answer to stopping all cybersecurity threats, but knowledgeable IT personnel are critical to reducing cybersecurity risks.
- New cybersecurity threats are constantly appearing. The personnel entrusted with detecting cybersecurity threats need continual training. Training increases the likelihood of personnel detecting cybersecurity threats and responding to threats in a manner consistent with industry best practices.
- Ensure there is appropriate planning to account for the additional workload related to mitigating cybersecurity risks
- Cybersecurity is emerging as a formal discipline with task orientation that requires specific alignments to key knowledge, skills, and abilities.
7. Maintain situational awareness of cybersecurity threats.
- Subscribe to notifications on emerging cybersecurity threats (e.g., National Cyber Awareness System products, MITRE Common Vulnerability Exposures, CERT Coordination Center Vulnerability Notes). If possible, create a summary on the cybersecurity threats your organization has recently faced (e.g., phishing emails, malware, ransomware) for dissemination to personnel outside of your IT department to help reinforce their role in reducing cybersecurity risk
- Explore available communities of interest. These may include sector-specific Information Sharing and Analysis Centers or other government and intelligence programs.