BY KEVIN WETHINGTON
As I embark on my journey with ATC, I’m struck by the realization that I have spent most of the last decade in the enterprise space. At Deloitte, I worked with some of the world’s largest companies, and the scale was often incredible. Now that my focus has shifted back to the mid-market, where I started my career, a paradigm shift is required. What works for a $40B global financial institution may not work for a 500-employee manufacturer… or will it?
As you likely surmised, the answer is “it depends.” Some things are likely to apply across all organization sizes and industries. At the same time, other areas of cyber can differ vastly based on the attributes of the organization.
Perhaps I’ll focus on some differences in the future, but for now, here are three areas where I’d begin (or begin again) if I were responsible for a cybersecurity program today, regardless of the size of the organization:
- Apply Governance 🗳️
Governance is the ideal place to begin. I think the temptation is strong, particularly in smaller companies, to quickly jump into purchasing a tool or service. Instead, I recommend taking a step back, applying some basic governance (policies, procedures, standards, roles/responsibilities), having a strategy, and building a roadmap. Most organizations can’t do it all at once, and it makes sense to be intentional and prioritize your cybersecurity maturity journey.
- Start Cybersecurity Awareness and Training 📘
Users are at the heart of protecting environments. Start educating them as soon as possible. Get them to learn the terminology, the risks, and how to improve their ability to spot malicious intent. Several excellent technology providers can help with this—some even make it fun.
- Focus on Organization Risk 🧑🏿‍💼
Once governance is applied, there’s that question of priority I mentioned above. The best way to approach this is based on risk. You’ve probably heard about GRC (Governance, Risk, & Compliance), but did you know it’s vital to a good Cybersecurity program? Determine your critical business processes, quantify them, and then use that to guide your decisions about where to spend money to protect everything that impacts those business processes first.
This is fairly straightforward advice, and not the only way to approach it, but from my perspective and experience it is a solid plan. Each of these areas scales to any size of organization. For example, you don’t have to spend months and millions building a GRC program, but you do need to understand your critical business processes.