Additional Thoughts 11/28/2018
It's budget season for organizations and municipalities planning cybersecurity for 2019/2020
I just walked out of a meeting with an Atlanta area municipality, and the conversation turned to the 2020 budget season. The Director of IT made a point of saying that the City of Atlanta breach referenced below raised awareness among him and his peers of the need to maintain a clearly articulated cybersecurity program. That awareness has loosened up some additional budget to fund cybersecurity initiatives. However, he also made a point of clarifying that this doesn't mean unlimited access to funds. As I wrote below in March, it reinforces the importance of having a clear plan laid out that can effectively communicate the program, the gaps, and the progress made year over year, with the additional budget being used to fuel initiatives.
Living in the city of Atlanta, we have seen firsthand what happens when an organization is not aggressive in addressing known vulnerabilities within its infrastructure. There are plenty of reasons why organizations are slow to act, with a lack of budget and resources at the top of the list. In today's world, where threats are constant, it is no longer just "Name Brands" that are being hacked.
Organizations must fight for the budget to mitigate risk or they are putting their head in
The challenge for many organizations is how to start a Cybersecurity Management Program
There are thousands of cybersecurity tools out there that say they can make you more secure. Organizations must build an ongoing Cybersecurity Management Program in order to communicate with their investors (be it a corporate board or taxpayer). Auditors, cybersecurity consultants
For many organizations, auditors and consultants play a fleeting role. Once the audit is complete, they provide a report of their findings aligned to a control framework like NIST or ISO27001 and move on to the next account. These reports (like the one received by the COA) often provide glaring insights into the gaps in an organization's cybersecurity posture. Unfortunately, without ongoing oversight or political will to invest in changes, these reports get put in the drawer when the next organizational fire drill takes precedence. Without an active, ongoing Cybersecurity Management plan with transparent executive oversight, many organizations are able to collectively "put their head back in the sand" and hope and pray that nobody exploits any of the known vulnerabilities.
For organizations taking on this challenge, the starting point is a living, ongoing plan with action items that move the organization forward. Just like any SMART goals, if your organization isn't writing them down and collectively assigning ownership, they will not gain momentum. Every organization has areas within its cybersecurity program that can be reviewed and improved.
Executive Committees want more insight into the organization's cybersecurity posture
CIOs and CISOs are becoming the new guest star at the Board Meeting.
"Sunlight is the best disinfectant." (Justice Louis D. Brandeis)
Originally posted April 3,