Updated: Nov 13, 2020
This blog post continues our series on Cyber Safety where we have explored various standards, frameworks and guidelines to address management vulnerabilities with respect to achieving cyber safety objectives.
In this week's post we consider steps you can take to select which approach is best for you to start improving your cyber safety.
1. Evaluate Defences & Develop Improvement Roadmap
The framework or standard you choose depends on the risks your organization is currently facing or anticipating. So the best place to start is with an assessment of what you want to keep safe, your safety goals, and your cybersecurity objectives.
To help you answer these questions we recommend first conducting a Cyber Resilience Review (CRR), which is a non-technical assessment of your current situation.
This review will provide the parameters you need to formulate an improvement roadmap you could work on in a stepwise fashion over time.
If you currently do not have a formal cybersecurity program you might consider a facilitated CRR assessment. Although the CRR is a self-assessment that you could do yourself, you will benefit from having someone facilitate the review, create an assessment summary with recommendations, and develop a cyber safety improvement plan based on the CRR results.
2. Select Standard and Conduct Detailed Assessments
Conducting a CRR will place you in a better position to select a management standard that best suits your business if you don't already have one. You will also know whether, and which, detailed technical assessments may be necessary to address serious holes in your defences.
In our last post in this series we looked at three frameworks:
Cybersecure Canada Program - this is a great place to start if your exposure to cyber risk is moderate and your organization is just getting started with a cyber safety program.
NIST Cybersecurity Framework - this framework has a strong technical component and best suits organizations with a significantly sized IT component, infrastructure, and governance.
ISO 27001 - this family of standards is particularly useful for organizations that have already adopted other ISO standards where they can leverage existing management processes and infrastructure.
The results of a CRR will help you determine which approach is best for you.
3. Develop and Implement Detailed Improvement Roadmap
Once a framework has been selected, additional detailed assessments can be conducted based on the kinds and level of risk identified in the CRR, along with additional considerations suggested by the given framework. The goal is to:
Identify the risks that really matter.
Uncover strategies and plans that already exist that contend with these risks.
Evaluate if these defences are strong enough to keep what you value safe.
Develop a comprehensive improvement roadmap that meets your cyber safety objectives.
If you currently do not have a formal cybersecurity program you might consider a facilitated CRR assessment and roadmap development process. Although the CRR is a self-assessment that you could do yourself, you will benefit from having someone facilitate the review, create an assessment summary with recommendations, and develop a cyber safety improvement plan based on the CRR results.
If you are interested in having a cyber safety improvement roadmap for your organization please reach out to us.