These days, an organization’s cybersecurity strategy needs to address more than just antivirus scanning, patch management, and phishing training. To create a well-defined cybersecurity strategy, an organization must:
- align the organization’s ever-changing business priorities and structure to the underlying IT infrastructure;
- objectively assess the organization’s current cybersecurity maturity;
- define the organization’s risk tolerance and the corresponding desired maturity states;
- identify gaps between the current and target maturity states;
- set out a roadmap for addressing the gaps, based on organizational priorities, risk tolerances, budgets, resource availability, and other factors;
- determine a set of internal processes and procedures necessary to maintain the current maturity state;
- establish metrics by which the organization can measure, monitor, and assess its progress;
- describe how those metrics will be reported to the organization’s senior executives; and
- enforce the policies and procedures to create a cybersecurity-oriented culture that permeates the organization.
Creating Executive Cybersecurity
At Fathom Cyber, we call this kind of cybersecurity strategy “executive cybersecurity”, because it gives the organization’s executives the structure, tools, and information needed to take control of the organization’s cybersecurity without needing to become cybersecurity experts. To have Fathom Cyber review your organization’s cybersecurity strategy, or to get advice on how your organization can achieve executive cybersecurity, please contact us.
Don’t Just Focus on Dollars and Cents
Some vendors claim to give “business-oriented” reports because they associate a dollar value with each cybersecurity or data privacy risk. While this information has some limited value, the approach oversimplifies the risk considerations that senior executives make every day. The organization’s leadership focuses on more than the dollars-and-cents impact of an issue. They also take into account considerations such as mergers, divestitures, or other anticipated organizational changes; pending or prospective customer contracts; and the ever-changing regulatory and legal landscape. So why should cybersecurity and data privacy information focus only on dollars and cents?
Expect Truly Business-oriented Information
What the organization needs is the ability to understand the impact a particular cybersecurity or IT issue will have on the organization. Business-oriented cybersecurity and data privacy reports should, for any issue, be able to identify:
- Customers affected;
- Business units and/or back-office groups affected;
- Whose information (e.g., customers, partners, or internal) and the types of information (e.g., customer records, source code, or business plans) that might be affected, lost, or compromised;
- Impending organizational changes or initiatives that are affected; and
- Where the IT staff needs help to meet its obligations.
Many IT and security organizations today struggle to communicate this fundamental information to their senior executives. That’s where Fathom Cyber comes in. We use proven industry standards, including the NIST Cybersecurity Framework, to create a common lexicon that allows officers and directors to communicate more easily with the entire organization, including the IT, legal, and security staff.
Become Confident and Conversant
Proper, business-oriented cybersecurity and data privacy information is important because the world increasingly holds officers and directors accountable when data breaches occur. Take, for example, Europe’s General Data Protection Regulation (“GDPR”) and New York State’s 23 NYCRR 500. Under GDPR, when a data breach occurs, organizations can be fined as much as 20 million euros or four percent (4%) of the organization’s annual global turnover, whichever is higher. Shareholders have a history of pushing for senior-level management changes, as happened with Target’s senior executives, when their organization incurs such massive, unexpected, and avoidable fines and costs. Similarly, under 23 NYCRR 500, a senior executive or director must personally attest that the organization has in place, and is executing, a well-designed IT and cybersecurity plan. Fathom Cyber’s comprehensive, business-oriented reporting gives officers and directors the confidence that their organization is truly meeting all of its obligations, and allows them to be conversant in the issues when institutional investors, proxy firms, or regulators ask for details. In short, we make cybersecurity and data privacy make sense™.
Leverage our Full Suite of Advisory Services
At Fathom Cyber, we specialize in helping organizations approach cybersecurity and data privacy from a business perspective. This includes board- and executive-level advisory and training services, as well as maturity assessments, cybersecurity and data privacy plan reviews, and other related advice. For more details about the services we offer, please visit our Services page.