What is a cyber security program?

Over the last few years, with the seemingly regular occurrence and publication of breaches, loss of data and other “cyber” security-related events, organizations have developed and implemented cyber security programs of various shapes and sizes.

Again, a cyber security program is a documented set of your organization's information security policies, procedures, guidelines, and standards. Your security program should provide a roadmap for effective security management practices and controls.

How can I make sure my program is effective?

Building a Cyber Security Program is not the end all. It’s only valuable if it provides you reasonable protection against the various cyber threats that exist. Organizations should not be satisfied with just having a program – they need to make sure it is functioning as designed.

We recommend a two-pronged approach to evaluate your Cyber Security Program:

(1) regular internal testing and;

(2) regular external testing

Regular Internal Testing

Remember the days of testing your Disaster Recovery Plan? Or, more recently, testing your Incident Response Plan? You should be regularly testing your Cyber Security program as well as these other plans (you ARE testing these other plans, RIGHT?). The testing can be conducted in a variety of ways – depending upon your industry and business needs, including:

• Regular phishing emails as part of security awareness training;
• “Tabletop” exercises where an “event” is identified and the organization’s response to the event is acted out. This can be more valuable than you think – it forces the various business units of organizations to come together and discuss the impact holistically and typically leads to regular modifications of the program as conditions change.
• Periodic vulnerability assessments using third party tools/services to review potential gaps in public facing endpoints and;
• Red Team vs. Blue Team exercises – where the Red Team are the hackers and the Blue Team are the defenders. We generally see this type of exercise in larger organizations; although it is not uncommon for smaller organizations to subcontract the service to some extent.

The type of internal testing you choose should fit your business model and, most importantly, be a direct result of the risk assessment you have built in concert with your Cyber Security Program.

Regular External Testing

In addition to internal testing, you should regularly engage an external third party to perform an examination/assessment of your Cyber Security Program. Under this arrangement, the third party will conduct the examination by comparing your program and Cyber posture against generally accepted standards such as SOC 2, NIST, ISO, etc. The benefits of such an examination are multiple and include:

• Having an independent assessment performed that is not clouded by internal prejudices/biases;
• Differentiating your organization from competitors by demonstrating to your external shareholders your commitment to ensuring the security over your operations and their impact to suppliers and customers and;
• Leveraging the knowledge and experience of third parties as to best practices in cyber security based upon their involvement with other organizations.
• Building successful relationships between entities and their third-party business associates.

Regular testing of your Cyber Security Program is a must in today’s environment. Need help in developing and implementing the appropriate testing approach for your organization? Reach out to a member of our Information Security Services Team.