9. Conclusion: Where Do We Go From Here? – CyberWar, CyberTerror, CyberCrime: A Guide to the Role of Standards in an Environment of Change and Danger

Chapter 9. Conclusion: Where Do We Go From Here?

If you were looking for a comprehensive manual on how to create an enterprise cybersecurity programme, you were likely disappointed in this text.

There are many other extremely well written publications that address cybersecurity programme specifics. Rather, the intent here was to provide a roadmap for thinking about cybersecurity and the establishment of a successful cybersecurity programme through the prism of national and international standards, regulations, guidelines, and best practices and view these as a means to navigate the treacherous waters of an unpredictable cybersecurity environment.

As part of the conclusion, it might be useful to review a cybersecurity roadmap at a high level. So, let’s take a look at some of the most critical elements of a cybersecurity programme and how to get there.

Cybersecurity programme roadmap

Any cybersecurity roadmap has elements that cut across organizational cultures, business processes, and technologies. In other words, the cybersecurity roadmap must lead to the implementation of an enterprise-level cybersecurity programme. Here are some of the critical elements of the roadmap in review:

Start with the establishment of a cybersecurity governance structure that involves senior decision-makers as participants in the critical process of designing a programme capable of addressing the critical cybersecurity challenges.

Develop a cybersecurity strategy and the associated practices, policies, and procedures to address the full scope of cybersecurity. Where practices, processes, and procedures already exist, ensure that the organization maximizes reuse to ensure the most effective utilization of scarce resources. Cybersecurity should ensure that management expectations are considered and include concentrated efforts to influence corporate culture and cultivate an organizational awareness of appropriate cybersecurity behaviour.

Operate the cybersecurity programme on the basis of risk management, not risk avoidance, grounded in a solid enterprise-wide risk assessment.

Ensure the cybersecurity programme participates in and supports critical mission-related business-continuity and disaster-recovery planning.

Define, collect and analyze appropriate cybersecurity metrics as part of establishing and articulating the ‘return on security investment’ to senior leadership in terms that are meaningful to the board.

Cybersecurity should be included in the organization’s capital planning and budget processes. Cyberattacks will undoubtedly continue to occur, with potentially devastating effects on an organization’s operations, reputation, and even its existence.

Although this has not been discussed at length in the text, it is important to understand that cybersecurity does not stand alone as a security discipline. It is equally critical to ensure the integration of cybersecurity with other security elements in the organization, such as physical or personnel security. In many organizations, these programmes are entirely separate stovepipes, which may lead the enterprise to fail to extend cybersecurity planning and programme elements to other assets that provide essential cybersecurity-related services.

Regularly review and validate the correct implementation of cybersecurity controls as part of the overall cybersecurity programme, and not only to meet internal and external compliance mandates. Cybersecurity programmes can take advantage of internal and external auditors to help determine the appropriate cybersecurity objectives and establish progress against those objectives.

Influence the organizational culture and increase security vigilance through a programme of cybersecurity training, awareness, and certification. Maximize the use of already-existing internal communication systems and training programmes to familiarize users with cybersecurity requirements and to enhance the achievement of cybersecurity compliance objectives across the enterprise.

Understand and prioritize the business and mission assets supported by the cybersecurity programme. Managing cybersecurity risk means knowing which business services are essential to the organization and how effective cybersecurity can contribute to their operation.

Establish processes that ensure the cybersecurity programme will be sustained and continuously improved. The use of maturity models to guide cybersecurity process improvement is one means to accomplish this.

The main thought is to review your own cyber environment, determine the known and potential cybersecurity risks, and invest in the time to see how international standards can support your enterprise. This is certain: standards present an opportunity to create a cybersecurity programme that will transcend national boundaries and establish a common language of trust.