To set up a good cybersecurity program, there are 7 steps you should take. They make sure that the cybersecurity activities you define fit your business context, the particular risks your business faces and your risk tolerance (how much risk you are willing to accept).
Identify overall business objectives and organisational priorities. This information helps you make strategic decisions about cybersecurity implementations. It helps you identify your most important processes and assets, so you know what you are protecting and can focus your attention on the most critical ones first. In further iterations of this seven-step approach you add lower-priority assets, so that in the long run all assets are covered.
Once the scope of your cybersecurity program has been determined, the next step is to identify systems and information you want to target and find the relevant regulatory requirements. Identify threats and vulnerabilities related to those systems and information. Finally, define an overall risk assessment approach.
Now you can develop a current profile. Record the outcomes you currently achieve against the list of NIST-recommended controls. The current profile is essentially an evaluation of your current security status.
Assess the current risk level. How do you determine risk? Keep it simple and start with a basic risk assessment process that focuses on business impact rather than only highlighting IT security problems. Also include an overview of existing security controls and the extent to which they already reduce risk.
Select the risks you want to deal with. Based on this selection, you determine your target profile: to what level do you want to reduce your organisation's risk? When you create the target profile, use the same techniques you used for the current profile. The target profile helps you decide which additional controls you may want to implement.
The difference between your current profile and your target profile indicates the security gaps you want to close. Determine the actions needed to apply the security program. Prioritise these actions based on criticality or other, more practical measures to decide which controls to address first.
While the previous steps facilitate the implementation, in this last step you finally roll up your sleeves. The gap analysis provides you with a clear goal. You know what has to be done, and how. Now go get it done!
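The steps above (business priorities, current profile, basic risk assessment, target profile, gap analysis and prioritisation) can be modelled in a few lines of code. The following is an added worked example, not code from the original article or from NIST: it represents the current and target profiles as implementation tiers per control, computes a simple impact x likelihood risk score reduced by existing controls, lists the gaps between the two profiles, and orders the gap-closing actions by the business impact of the assets each control protects. The control identifiers follow the NIST CSF subcategory naming style, but the assets, tiers and scores are constructed for illustration and are not a real assessment.

```python
from dataclasses import dataclass

# Constructed sample data. Control ids follow the NIST CSF subcategory naming
# style (Function.Category-Number); the tier values, assets and scores below
# are made up for this illustration and do not describe any real organisation.
MAX_TIER = 4  # 0 = control not implemented .. 4 = fully implemented


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int        # business impact 1..5, taken from the business-priority step
    likelihood: int    # inherent likelihood 1..5 of the threats identified for the asset
    controls: tuple    # CSF subcategories that reduce this asset's risk


ASSETS = (
    Asset("customer-db", impact=5, likelihood=4, controls=("PR.AC-1", "PR.DS-1", "DE.CM-1")),
    Asset("payroll", impact=4, likelihood=2, controls=("PR.AC-1", "PR.DS-1")),
    Asset("marketing-site", impact=2, likelihood=4, controls=("PR.IP-12", "DE.CM-1")),
)

# Current profile: evaluation of where each control stands today.
CURRENT_PROFILE = {"PR.AC-1": 2, "PR.DS-1": 1, "DE.CM-1": 0, "PR.IP-12": 3}
# Target profile: the level the organisation has decided it wants to reach.
TARGET_PROFILE = {"PR.AC-1": 4, "PR.DS-1": 3, "DE.CM-1": 3, "PR.IP-12": 3}


def control_strength(profile, controls):
    """Average implementation of the named controls as a fraction 0..1."""
    if not controls:
        return 0.0
    return sum(profile.get(c, 0) for c in controls) / (MAX_TIER * len(controls))


def residual_risk(asset, profile):
    """Basic risk model: impact x likelihood, reduced by the controls already in place."""
    return asset.impact * asset.likelihood * (1 - control_strength(profile, asset.controls))


def risk_register(assets, profile):
    """Residual risk per asset under a given profile, rounded for reporting."""
    return {a.name: round(residual_risk(a, profile), 2) for a in assets}


def gap_analysis(current, target):
    """Controls where the target profile demands more than is implemented today."""
    return {c: target[c] - current.get(c, 0)
            for c in target if target[c] > current.get(c, 0)}


def prioritise(gaps, assets):
    """Order gap-closing actions by criticality: each gap is weighted by the
    summed business impact of the assets the control protects."""
    scored = []
    for control, delta in gaps.items():
        criticality = sum(a.impact for a in assets if control in a.controls)
        scored.append((control, delta, criticality * delta))
    return sorted(scored, key=lambda t: (-t[2], t[0]))


if __name__ == "__main__":
    print("Risk today:  ", risk_register(ASSETS, CURRENT_PROFILE))
    print("Risk at target:", risk_register(ASSETS, TARGET_PROFILE))
    for control, delta, score in prioritise(gap_analysis(CURRENT_PROFILE, TARGET_PROFILE), ASSETS):
        print(f"raise {control} by {delta} tier(s)  priority {score}")
```

Running the script shows why prioritising by criticality matters: DE.CM-1 (monitoring) is not implemented at all and protects the highest-impact asset, so it comes out ahead of the access-control and data-security gaps even though those are each two tiers short. Replacing the constructed tiers with the results of your own current-profile assessment, and the target tiers with the level chosen in the target-profile step, turns the same code into a first-cut action plan.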