Getting from “we need” to “we have” a cybersecurity program is an investment in time and resources that’s well worth the effort.
Implementing an effective cybersecurity program should be a top priority for every organization. But, depending on size, industry, and other factors, cybersecurity requirements are going to vastly differ from one organization to the next. How do you get from needing a cybersecurity program to having one? It takes a systematic approach. Here are some suggestions to get you started:
Information Security is not Cybersecurity
Every organization is going to speak a different language when it comes to security. What is important is that within each organization everyone speaks the same language. To level-set on what cybersecurity means, you have to first and foremost define what it is to your organization.
Contrary to public opinion, either inadvertently or not, “Information Security” and “Cybersecurity” are not the same thing. In fact, if you take a deeper look into both disciplines, it is clear that there are actually significant differences between the two. Essentially, InfoSec is anything involving the security of information or information systems regardless of state (e.g. physical = paper | digital = database). Cybersecurity is anything involving the security of information or information systems in a digital state (e.g. database, financial systems).
Based on this understanding, it is quite reasonable to say that cybersecurity is in fact a subset of Information Security. You have now defined what cyber security means to your organization: the elements of InfoSec that are designed to safeguard digital assets and systems.
Laying the Groundwork
Your next step is to build on your definition by establishing a foundation for your program. In doing this, you don’t need to re-invent the wheel because there are several well established industry frameworks available to you, such as COBIT5, or the National Institute of Standards and Technology (NIST) Cybersecurity Framework which, in my opinion, provides the best foundation for a cybersecurity initiative.
As you work through your framework, you will probably find that many functions, categories or subcategories aren’t easily translatable into your organization. From this point, you’ll need to establish a correlation between the framework and your operational services. The Information Security Forum (ISF) Standards of Good Practice for Information Security provides an excellent reference for this exercise, after which you can figure out which operational services align with the scope of your cybersecurity definition. While working through this exercise, it is important to recognize that there are operational services aligning with your program that are supported by IT and/or business lines such as asset management, directory service administration, or software inventory.
Pulling together costs
You know what cybersecurity means to your organization, you’ve established a program using recognized industry frameworks/standards/etc., and all operational services have been aligned. It should be no surprise that at this point, executive management is going to ask the million dollar question: “How much do we spend on cybersecurity?”
No sweat! Having already mapped out the operational services that align to cybersecurity, you are in a much better position to justify your resource and operational budget allocations. However, from the granular perspective of operational services, presenting a breakdown of your cybersecurity program costing can be overwhelming. This is where the framework for operational service mapping comes into play.
At the highest level of the cybersecurity program are so-called ‘Control Objectives’ like ‘Security Operations’ or ‘Incident Management.’ Within each of the Control Objectives is where you find a subset of unique ‘Control Selections’ like ‘Secure Awareness Training’ or ‘Malware Protection Software.’ At the lowest level, within each Control Selection is where you have the many-to-many mapping of operational services like ‘ID Provisioning’ or ‘Web Application Protection’.
Your operational services all come with a total service cost separated into either overhead (people) or operational (software/hardware) expenses. For the total number of times an operational service is mapped into a Control Selection, you must divide that number into the total service cost. Using the mapping of Control Objectives, Selections, and Services you are now equipped to demonstrate the overall cost of your program.
Bottom line: Getting from “we need” a cybersecurity program” to “we have” one requires a serious investment in both time and resources. But once you’ve come to the end of the process, you will be able to say “Here’s how much we spend on cybersecurity” – and have the hard numbers to back it up.