Setting up a Cyber Security Program – A CISO’s Guide.
Have you just taken up the role of CISO in your organization? Are you charged with the responsibility of building or maintaining the cybersecurity program of your institution? Quite frankly, I envy neither you nor your role. Perhaps, as @MattEastwood depicted in the picture below, the responsibilities you shoulder are likely to ensure you do not get that desired sleep.
The internet today is awash with C-suite executives who lost their jobs on account of data breaches or cyber-attacks. Such is the importance and criticality of cybersecurity to an organization’s continued survival.
In this piece, I share 3 basic tips that could guide a new CISO or anyone charged with the responsibility of managing Cybersecurity in an organization.
· Know your Assets – as simple as this may sound, it has the capacity to embarrass any CISO should the risks associated with it crystallize. Knowing your information assets is the bedrock of an effective cybersecurity program. I stated in my last piece that you cannot protect what you do not know exists. Therefore, complete visibility of your networked assets is critical.
· Rank your Assets – a risk assessment of your assets will be in order. Ranking your assets helps you apply the appropriate amount of security needed to safeguard each asset. You don’t want to be killing a mosquito with a double-barrelled gun.
· Document Boundaries (Governance) – document the boundaries within which the cybersecurity program operates, be it in the form of policies, procedures or frameworks. There are several frameworks that can be leveraged to guide their development – NIST, COBIT, PCI-DSS, etc.
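The first two tips, knowing your assets and ranking them, are the ones a CISO can turn into a repeatable check. The following is an added example, not code from the original post or its author: it reconciles a hypothetical network discovery scan against a constructed asset inventory to surface hosts nobody knew existed, and ranks the inventoried assets with a simple impact-times-exposure score so that protection effort can be proportioned to risk. The hostnames, owners, ratings and the scoring scheme are all assumptions made up for illustration.

```python
"""Reconcile a discovery scan against an asset inventory and rank assets by risk.

All data below is constructed for illustration; the hosts and owners are
hypothetical and the scoring scheme is a simple example, not a standard.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    hostname: str
    owner: str
    # Impact if the asset's confidentiality/integrity/availability is lost: 1 (low) to 3 (high)
    confidentiality: int
    integrity: int
    availability: int
    exposure: str  # "internal" or "internet-facing"


# Constructed inventory (hypothetical hosts)
INVENTORY = [
    Asset("hr-db01", "HR", 3, 3, 2, "internal"),
    Asset("web-shop01", "Sales", 2, 3, 3, "internet-facing"),
    Asset("dev-build02", "Engineering", 1, 2, 1, "internal"),
    Asset("intranet01", "IT", 1, 1, 2, "internal"),
]

# Constructed list of hostnames a network discovery scan reported as live
SCANNED_HOSTS = [
    "hr-db01", "web-shop01", "intranet01", "print-srv07", "dev-build02", "lab-vm13",
]

# Internet-facing assets are reachable by far more potential attackers, so weight them higher
EXPOSURE_WEIGHT = {"internal": 1, "internet-facing": 2}


def risk_score(asset: Asset) -> int:
    """Highest CIA impact multiplied by exposure weight (range 1 to 6)."""
    impact = max(asset.confidentiality, asset.integrity, asset.availability)
    return impact * EXPOSURE_WEIGHT[asset.exposure]


def risk_tier(score: int) -> str:
    """Map a numeric score to a tier that drives how much control effort the asset gets."""
    if score >= 5:
        return "critical"
    if score >= 3:
        return "high"
    return "standard"


def rank_assets(inventory):
    """Return (hostname, score, tier) tuples ordered highest risk first, ties by name."""
    ranked = sorted(inventory, key=lambda a: (-risk_score(a), a.hostname))
    return [(a.hostname, risk_score(a), risk_tier(risk_score(a))) for a in ranked]


def find_unknown_hosts(inventory, scanned):
    """Hosts live on the network but absent from the inventory: the blind spots to chase down."""
    known = {a.hostname for a in inventory}
    return sorted(h for h in scanned if h not in known)


def find_missing_hosts(inventory, scanned):
    """Inventory entries the scan did not see: possibly decommissioned or stale records."""
    seen = set(scanned)
    return sorted(a.hostname for a in inventory if a.hostname not in seen)


if __name__ == "__main__":
    print("Ranked assets:")
    for hostname, score, tier in rank_assets(INVENTORY):
        print(f"  {hostname:<12} score={score} tier={tier}")
    print("Unknown hosts (seen by scan, not in inventory):", find_unknown_hosts(INVENTORY, SCANNED_HOSTS))
    print("Missing hosts (in inventory, not seen by scan):", find_missing_hosts(INVENTORY, SCANNED_HOSTS))
```

Run on the constructed data, the internet-facing shop server lands in the critical tier while the build and intranet boxes stay standard, and two hosts (print-srv07 and lab-vm13) show up that the inventory knows nothing about. In practice the inventory would come from the CMDB and the scanned list from the discovery tool in use; the point is that the reconciliation is run routinely, because the unknown-host list is exactly the set of assets that cannot be ranked, patched or monitored.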
While these tips are not exhaustive, the other activities in a cybersecurity program, such as patch management, system monitoring, log management and logical access control, draw their life from these foundational tips.
Tony Ayaunor is an Information Systems Auditor and CyberSecurity enthusiast.