It’s no secret that data breaches and other cybersecurity threats are in the news on a regular basis.
Many of our clients and other companies are growing increasingly concerned about managing these risks, but through recent work with clients in this space, we’ve found a number of best practices that can help companies implement and enhance their cybersecurity strategy. A proactive approach can help manage and mitigate risks to data security in the event sensitive customer data is breached and exposed. It will also help confront the threats that ransomware poses to business continuity, as we’ve seen with the recent attacks on the Colonial Pipeline and the JBS meat processing plants.
Below, you’ll find a few things to keep in mind when implementing a cybersecurity strategy.
Prioritize “Quick Wins” when Tackling Cyberthreats
First, it’s important to identify the most threatening vulnerabilities and design a strategy that provides a high ROI for those vulnerabilities. Penetration testing (a simulated attack on a system to evaluate its security) can help companies identify vulnerabilities before it’s too late, but unfortunately, many vulnerabilities aren’t identified until after they’ve already been exploited.
One of our current clients detected a breach in 2018 and quickly realized how exposed they were – due to a flat, open network, threats could easily spread throughout the network. Upon recognizing this, they moved quickly to secure the support and investment necessary to overhaul the network through a segmentation strategy that would prevent threats from spreading. We helped this client design, plan, and implement a phased approach to network segmentation, with “quick wins” purposefully built into the first phase. In particular, this meant prioritizing the deployment of next-generation firewall hardware to almost 30 of the largest sites in its network. By regulating traffic between these sites and the client’s data centers, these new firewalls dramatically reduced a threat’s ability to spread throughout the network. The lead engineer for this project once told me that 80-90% of the project’s overall value was derived from these new firewalls because they helped cordon off the largest sites from one another. More complex aspects of the network segmentation program were built into the later phases of the new strategy because they were more challenging and less rewarding than the deployment of these firewalls.
Pave the Way with Executive Sponsorship
Executive sponsorship is critical to the implementation’s success; it paves the way for stakeholder buy-in and active support across the organization. For the clients I’ve worked with, vocal support from the Chief Information Security Officer, other C-level executives, and the Board of Directors has helped align a broad cross-section of stakeholders with the goals of the cybersecurity projects. These projects frequently come with growing pains, tradeoffs, and “sweat equity” on the part of these stakeholders, including planned network maintenance, outages, and downtime procedures. Sometimes the stakeholders immediately recognize the value of these sacrifices without much persuasion, but there are other times when it helps to know the organization’s executives are fully (and vocally) behind the initiative. If the executives are willing to underwrite those sacrifices, it ensures other stakeholders’ willingness to assist.
When implementing a new cybersecurity strategy, stakeholder skepticism and other “bumps in the road” are inevitable, but executive support increases the likelihood that challenging stakeholders will view the changes as a matter of “when, not if.” They’re more likely to move from a position of reluctance towards partnership and collaboration. Ultimately, executive sponsorship helps accelerate the implementation of your cybersecurity strategy by clearing some of these potential roadblocks within the organization.
Learn from Early Mistakes and Failures
You should “walk before you run” when implementing a new cybersecurity strategy. It is critical that organizations learn from early “mistakes” in their cybersecurity strategy to improve the implementation down the road, which means they also need to set and manage expectations accordingly. Growing pains are natural and can be constructive for the implementation in the long run if all stakeholders are prepared for them. For that reason, pilots are vital to the overall effort. Focus on smaller, less risky sites to test and refine technologies that are new (and unproven) in the organization. Then gradually build up to larger sites as stakeholders build confidence in the technology and the implementation more generally.
By design, pilots are learning opportunities and need to be messaged accordingly (so stakeholders appreciate and understand the educational value of “failures”). It helps to identify “friendlies” – allies with whom you already have warm, trusting relationships. They will partner with you to pilot various aspects of your cybersecurity strategy, but because the growing pains are inevitable, they will need to demonstrate a collaborative, pragmatic patience.
A couple of years ago, we were implementing a new cybersecurity technology at one of our client’s sites (one that operated 24/7), and the unexpected impact was 4+ hours of interruptions to their phone service. We had to back out the implementation and return for a second attempt at a later date. When we returned, it took an additional 4 hours of impacts to the phone system to determine and correct the underlying problems. The strong relationships we had with the site’s leadership ensured a willingness to push through (and not give up on) those challenges. Ultimately, the implementation was a success at that pilot site and gave us valuable experience that we would carry over to future sites.
As you would hope and expect from a pilot, lessons learned from the implementation at this first site improved the user experience for future sites, including minimal downtime / outages for phones and other systems on the network. If you’re willing to “fail fast” on a small scale, you can gradually build momentum and avoid higher-stakes failures later (on a larger scale).
Build on Existing Relationships
Finally, it’s important to build an effective partnership with the business side of the organization. For example, you can take advantage of formal, existing relationships between IT and end users. Identify allies with close relationships to the business side of the organization (someone who can help facilitate change and implementations). For one of our clients, the role of “Business Relationship Manager” (BRM) opened the door to strong, trusting relationships at many of the sites where we were deploying new security solutions. Strong partners like the BRMs can help you navigate the power structure and varying organizational dynamics as you implement your cybersecurity strategy from one site to another. Not only do they know who the “influencers” are, they are also familiar with the broader technical context that could prove critical to the implementation’s success at that site. For instance, is there a legacy technology that has been problematic lately or is especially sensitive to network changes? Are there unique architectural details that might make the site one of the more challenging “snowflakes”? These are questions the BRMs could help us answer by providing some institutional memory.
Perhaps most important are the existing relationships BRMs have. They are trusted advisors when the Project Manager and others on the project team might be completely new and unfamiliar faces. The relationships the BRMs have with the sites increase the likelihood that users will collaborate and partner with the project team to implement the new cybersecurity solution. The hallmark of an effective partnership is when the users view cybersecurity as something that’s being done “with them” and “for them” (not “to them”). The BRM helps lay the foundation for that mindset. We also found it useful to point to cybersecurity events in the news to raise awareness about cybersecurity threats and the risks of inaction. This gives everyone a shared, meaningful purpose for investing time in the implementation.
Cybersecurity is mission-critical for effective organizations in the 21st century. By working with our clients to shape and deploy new cybersecurity solutions, we have learned a few lessons along the way. It is important to remain agile and flexible: what works for some implementations might not work as well for others, so you constantly have to tweak and adapt your approach to make strides in the organization’s cybersecurity defenses.