A cybersecurity program is a continuous risk mitigation strategy with no end point. The program and its risks must be openly discussed with senior leaders and the board for visibility and appropriate funding and support. The program cannot be so rigid that it hinders the organization's business and operational objectives; at the same time, it cannot be so lenient that it puts the organization at risk. Balancing these two is key. Establishing key guiding principles that IT and business leaders can extrapolate into policies and procedures supporting the program is often viewed as the best approach. Collaboration between the security team and the privacy team is a must, both for this balance and to give end users the best experience.

In most organizations, cybersecurity and privacy report up to two different executives. Having a mutual understanding and establishing a multidisciplinary executive governing body for both efforts can be very effective for making decisions and accepting risks when needed. We are seeing more and more focus on end user experience in all industries, and cybersecurity and privacy leaders are paying attention to becoming more service oriented as well. Here are some commonly practiced key guiding principles:

  1. Continuously reduce the risk surface.
  2. Practice least privilege access to data and systems.
  3. Support business and operational needs while protecting the organization.
  4. Define data classification for data storage, sharing and deletion.
  5. Improve end user experience and compliance by leveraging technology.

Stay tuned for my next article regarding program frameworks/models…
