Chertoff Group Principal and Head of Cybersecurity Strategic Advisory Services Adam Isles provides guidance for organizations on how to build a cybersecurity program that effectively defends against attacks. Determining how to measure a cyber performance baseline is the first step. Strong cybersecurity programs operate with a high degree of transparency, accuracy, and precision.
With this in mind, we can break cybersecurity investments into three categories: 1) controls that defend against threats in a particularly impactful way, 2) measures that validate that these controls are operating as intended, and 3) capabilities that automate the other two.
Controls That Defend Against Threats in Impactful Ways
Where should companies start? In the same way that doctors use patient profiles to prioritize preventive measures, and diagnostics and therapies to manage patient-specific risks, we can use business profiles to help us understand the spectrum of potential threats. As with Covid-19, ransomware is a risk that applies universally, but some organizations (e.g., technology providers) also need to be concerned that they could be targeted as stepping stones into customer environments, as in the recent widely reported 3CX hack. With this in mind, we can focus on controls that defend against those threats.
Read the full article in Harvard Business Review.