Management and Cyber Security

Managing a cyber security program requires understanding a broad set of areas. The program entails more than just managing a security team. A structured Information System Security Plan (ISSP) is a way to ensure all parties are informed and involved in the needs of the organizational security process. The ability to evangelize the plan upward and downward is an essential skill for a cyber security professional.

Audit and Compliance

As with any implemented program, you do not know if it is working properly unless you perform an audit. In many industries, there are compliance requirements that must be upheld to ensure security. HIPAA in healthcare, NIST and FERPA for government organizations, and ISO for other organizations are just a few of the compliance standards governing organizations. The document below describes the steps an organization can take to audit its controls against known standards and presents a framework and conclusion to management.

Cyber Security Compliance Audit_Rick Guetschow.docx

Business Continuity and Disaster Recovery

Business Continuity (BC) and Disaster Recovery (DR) are sometimes used interchangeably. While these two terms are intertwined, they serve different functions in the event of a business interruption. Business continuity seeks to continue business operations, even at diminished levels, in the event of a disaster or other event that impacts operations. Disaster recovery is the process of getting the organization back to full operational levels after an event has occurred. The presentation below walks upper management through both BC and DR operations.

Business Continuity & Disaster Recovery Rick Guetschow(1).pptx

Cyber Security Return on Investment (ROI)

For a cyber security program to be successful, it must show a measurable ROI. Spending $2 million to secure a $50,000 asset does not provide a good ROI. While cyber security ROI is difficult to quantify using standard financial models, looking at cyber security in a qualitative manner can provide leadership with accurate and measurable ROI numbers for better decision-making. The paper below discusses how organizations can make these ROI determinations.

BioHuman ROI Discussion_Rick Guetschow-1.pdf

Reflections

Not all executives are well versed in cyber security operations and costs. As a cyber security professional, it is my duty to explain to leadership how an Information System Security Plan (ISSP) is necessary for the security of the organization. Conversations around funding, ongoing budgets, BC, DR, and ROI can give leadership the data they need to make effective decisions. Ensuring that leadership is apprised of compliance requirements and the costs of implementing those controls is part of a cyber security professional's job description.

Strong ethical leadership is necessary for managing these systems. This course taught me that the most successful cyber security professional is the one who can be absent for a period while the program continues on without them. Planning for any event and ensuring that the organization can continue is paramount. Regular audits and reviews help strengthen the program and point out our weaknesses before they become vulnerabilities. Security is the responsibility of everyone; however, a good cyber security professional enables the organization to weather any adversity.