A Strong Cybersecurity Posture Starts with Senior Leadership

Leadership often does not know the policies to implement, but there are extensive frameworks they can follow.

Note: The views expressed by guest bloggers and contributors are those of the authors and do not necessarily represent the views of, and should not be attributed to, Campus Safety.

Parables are a great way to tell a story. They use understandable scenarios to convey complex ideas. Parables are brilliant in their simplicity and enjoyable to listen to. To tell a child not to lie or exaggerate is one thing, but to tell them the story of the boy who cried wolf is far more impactful. Cybersecurity is ripe for a good parable: a simple story to convey the invisible truth of the cyber world. I would like to take a shot at an original parable. Please forgive me if it does not measure up to the emperor’s new clothes or the prodigal son.

My parable concerns a tree. This tree is old and beloved by many over the last 100 years. It is tall, wide, beautiful, and graciously shares its shade with anyone in need. One day, the mayor of the town where the tree stands noticed it was dying. Its leaves were brown and falling. The mayor demanded action and hired the greatest tree specialist that could be found. They advised a comprehensive cleaning of all those ugly dead leaves that surrounded the tree. Workers came and ensured the beauty around the tree was restored.

The next day, the dead leaves were back and the tree looked worse than ever. Again, there was nothing to do but a thorough raking. This cycle repeated until the tree was completely dead. With heavy hearts, the townspeople cut down the tree only to discover a treatable disease in the roots. If they had only known, the tree could have been saved.

This parable is a parallel to our cybersecurity problem. The mayor is C-level leadership. Although the tree was the town’s, the responsibility to save it fell to leadership. Unfortunately, the mayor’s knowledge base was limited. The leaves are the usual cyber services companies resort to: penetration testing, vulnerability scanning, and phishing campaigns, to name a few. Just as leaves have to be raked, these services must be done. However, without a good foundation, these services are like raking leaves around a dying tree.

The proper construction of an effective cybersecurity posture starts with leadership. Leadership sets policies the rest of the company must follow. These policies must be correct. More often than not, leadership does not know the policies to implement. There are frameworks designed to hand leadership those very policies. NIST 800-53 Rev. 5 is the most extensive framework and one that companies should follow. After the policies are understood, procedures and guidelines can be written to ensure everyone is on the same page.

As a framework is being implemented, security debt will be discovered. Security debt refers to issues that a poor security posture can cause. Examples are servers that are no longer supported, machines that are not updated, and shared or weak passwords. A threat-hunting exercise may be appropriate to ensure the poor posture of the past has not let unwelcome intruders into the network. This debt must be paid immediately upon discovery. This transition can be costly, but the alternative is far worse. A simple online search will turn up the horror stories resulting from poorly implemented cyber strategies.

In conclusion, the only way to shore up your cyber defenses is through correct policies, procedures, and guidelines that must be followed zealously. Ensure you implement cyber strategies in the correct way — the survival of your tree demands it.

Dale Rothenberger is in charge of client services at The Valander Group, a consortium of business experts helping business owners with all their cybersecurity needs. Dale has over two decades of physical and cyber security expertise, applying his information technology, leadership, and OSHA experience to identify and reduce risks in the workplace.
