3 Proactive Steps to KISS Cybersecurity Woes Goodbye
By Stephen Recca, M.A., Program Director for Homeland Security
How secure is your business from a cyber attack? If your organization is attacked, what will you lose, both in the attack and in the aftermath or recovery? How does a company measure its preparedness – and balance defensive and operational resources – against a concerted effort to steal its data or disable its operations? None of these questions are simple, no matter the size or value of the organization. But ignoring the questions, and failing to prepare, could lead to disaster.
Cybersecurity concerns – perhaps all things related to the cyber domain – are here to stay. So the core question really becomes how to approach the challenge of securing our businesses, governments, organizations, and families in an operating space that we depend upon 24/7/365, while the information domain itself remains so poorly understood.
In the world of security and defense, the general rule is to keep things simple whenever possible. Train to the lowest level, and then bring everyone up together – slowly. The Marine Corps, for example, tends to be very good at training young Marines with a basic approach: tell ‘em what you’re going to tell ‘em; tell ‘em; and then tell ‘em what you told ‘em. This is a time-tested, successful variation on the Keep It Simple Stupid (KISS) principle. It’s not very flashy, but it gets the job done.
In homeland security, and particularly when dealing with the fall-out from a crisis situation – natural or man-made – planning is a key aspect of success. To deal with the complexities of planning for a wide range of threats and disaster scenarios, the security community has borrowed liberally from the military's approach to planning and emergency preparedness: keep it simple. Sound familiar? Also borrowed from the military are two well-worn truisms: no plan survives first contact with the enemy; and – in the heat of battle – the plan is nothing, but planning is everything.
As ominous as it seems – and as vaguely understood as it is – cybersecurity is no different in this respect. In preparing for negative situations – cyber attacks, crimes, or disasters of all stripes – success depends on the how. How we plan, how we exercise, and how we adjust and innovate makes all the difference. All organizations would benefit from taking these three proactive steps:
Build a plan. Take stock of your business or other activity; understand what your enterprise is worth and to whom; analyze the likely threats (criminal, malicious, or natural disaster); and develop protection, preparedness, response, recovery, and mitigation measures. All of these are essential elements of a basic plan. The good news: there is considerable overlap between these security elements and how businesses – for-profit and not-for-profit – must and do approach their markets.
Exercise the plan. Now that you have built a cybersecurity plan, your work is done. Well, maybe not. Remember planning truism #1 above. Rather than allowing the plan to become shelf-ware, and gather dust and irrelevance, successful organizations test – or, exercise – the plan on a regular basis.
Fix the plan. A common misperception is that these tests or exercises are meant to validate the existing plan. Au contraire! Exercising the plan – if done correctly – will highlight the weaknesses and gaps that need to be addressed. Success in fixing the plan requires that organizational leadership reject a zero-defect reward system and embrace an atmosphere of open dialogue, so that the people who find the gaps are willing to report them.
Build the plan, exercise the plan, fix the plan. Repeat. Let's take the mystery out of cybersecurity through a thoughtful, measured approach, and KISS some of the angst around cyber goodbye.
Photo credit: ComputerWorldUK
Stephen Recca, M.A., is Program Director for Homeland Security at Colorado Technical University. His background includes assignments with the Central Intelligence Agency, State Department, and Department of Defense. Follow his tweets @CTUHomeland.