5 W’s for building a cybersecurity plan

If you’re new to security or haven’t read our previous blogs, the Center for Internet Security (CIS) is recognized globally for publishing standards and best practices for securing systems and protecting data.

One of the reasons we love CIS is that they’re good at keeping things simple without sacrificing substance. Their CIS Controls, for example, distill the complexities of an effective cybersecurity program into an easy-to-digest list of 18 critical controls.

In a recent post, CIS came up with the ‘5 W’s for building a cybersecurity plan’, a framing that can help any stakeholder in an organization turn cybersecurity conversations into action.

Here they are:

Why?

Implementing security measures now is almost always less expensive than paying for incident response, recovery, and downtime later. You may have heard this before and shrugged it off, but emerging regulations and rising cyber insurance premiums are making it a fact of life.

When?

Every organization is exposed to different risks, and the impact of a potential incident could be anywhere from negligible to catastrophic. If you’re not sure which end of that range your business sits at, there’s no time like the present to find out.

Who?

Cybersecurity isn’t just an IT job. Like finance, legal, or human resources, security has become an administrative function every organization needs. Cybersecurity experts can steer your security program toward the business outcomes you want, but practicing security day to day is everyone’s responsibility.

What (are your risks)?

Every organization has limited resources. You can’t stop every threat or fully mitigate every risk, so you need to prioritize, and you can’t prioritize risks you haven’t identified. Things to consider:

  • Regulatory compliance requirements

  • Which systems are critical to your business, and how their failure would affect revenue

  • Costs associated with a data breach

  • Intangible impacts (e.g. reputation, morale)

Where (to get help)?

If you don’t have a cybersecurity program or plan in place, help isn’t hard to find. Resources like the CIS Controls, the NIST Cybersecurity Framework, and the CISA Cybersecurity Essentials can get you started. Beyond that, seek advice from or engage cybersecurity experts who can help you reduce the most risk with the resources you have, and who can help you run your cybersecurity plan as a cycle of continuous improvement.

If you want to have a conversation with cybersecurity experts, contact us. JTI Cybersecurity will help you protect your organization, mitigate risk, and align security goals with desired business outcomes.
