Back to BlogBuilding a Cybersecurity Program: Modern Cybersecurity Practices, Part 1
In this three-part series, we’ll share some insights from a cybersecurity professional with 18 years of experience in industrial network design and support, information and network security, risk assessments, pentesting, threat hunting, and forensics.
Blumira’s Account Executive Mike McCarthy interviewed Pascal Ackerman, the author of a new book, “Modern Cybersecurity Practices: Exploring And Implementing Agile Cybersecurity Frameworks and Strategies for Your Organization”. Ackerman is also Managing Director of Threat Services at ThreatGEN.
In this first installment, they discuss different challenges on the business side of implementing security programs.
Here’s a summary of a few of the questions and answers that may provide value when considering your organization’s overall security strategy:
What factors affect a company’s cybersecurity maturity?
The first factor is the level of support for a cybersecurity program. Unless your program comes from the C-level and driven by upper management, most will fail. If people want to implement cybersecurity they must convince their management or it’s not going to work. The next factor is, the level of commitment – are you willing to roll up your sleeves and get it done? You need to have dedicated people and awareness all the way to upper management.
How do you position security to get buy-in from the C-level?
The most successful way I’ve seen it done is to make this just another cost of doing business, similar to how you must have cars or maintenance of your trucks for the delivery of your goods. Security needs to become part of doing regular business. One way to show the executive what it’s going to cost is to explain the potential result of not implementing it – by using an example of a company that got hacked and how much it cost them to recover from it. Your budget should be close to that recovery amount in order to implement a good security program.
How do you demonstrate security progress to non-security people?
I always recommend a good security awareness program where you involve people with training and a lot of information. Using news incidents, you can point to other companies that were breached/infiltrated, then explain what went wrong, and what you’re doing to prevent it. You can publish the results from your awareness training (ask people questions, collect their answers), and at the end of the month, you can use scoring to see how well you’re doing month to month and year over year.
Stay tuned next week for the next two videos in the series!
Learn More
Live Webinar: Automating Threat Detection & Response – Join Blumira’s VP of Ops Patrick Garrity for an overview of how to automate threat detection and response with Blumira’s platform.
SecOps Simplified, Part 2: Security Tools – Is More Better? Are you maximizing your security tool ROI? How to perform better on pen tests and improve overall security on a budget by auditing effective solutions.
Seeking a SIEM Alternative? Choose Automation – SIEMs don’t have to be complex or difficult to manage. Security automation is the future of more effective threat detection and response.