We are living in a world where we use many third-party suppliers to help an organization. For example, you might be using a cloud system such as Microsoft Azure, Google Cloud, IBM or HP; there are many cloud operators out there and you might be using one of them to host your data. But remember, you will not be able to shed your accountability for performing due diligence, so you need to understand what you are legally bound to protect, because regulations across the world are becoming more and more stringent, with things like GDPR, the China cybersecurity law, or the Indian cybersecurity law that is in draft at the moment, and there are very strict and stringent data disclosure laws in place.

It becomes extremely important to ensure you understand the kind of information that you are expected to legally protect. The third step is about understanding your company's risk appetite. The whole purpose of placing any control is to keep the residual risk equal to the risk appetite of the organization. So what is the risk appetite? It is the amount of risk an organization is willing to take: what kind of risks, as an organization, I am ready to accept and what kind of risks, as an organization, I am not ready to accept. It becomes extremely important to define this risk appetite clearly so that the operations teams out there understand it. For example, if the risk appetite of the organization is not well defined, and you find that some of the people who have left your organization still have their Active Directory IDs active, and your operations team did not understand your risk appetite, they may decide: hey, let's conduct a root cause analysis to fix the exact problem that is causing these IDs to be active, and we keep these IDs active until we find the root cause. If your risk appetite is not clear, that means until they find the root cause your organization continues to be exposed to these kinds of threats that are out there. That is why it becomes extremely important to understand your company's risk appetite, so the controls you design are in line with the value they create for the business. That is what is very important when you present a business case, so that you can get support from executive management for the security initiatives that you, as a cybersecurity leader, are willing to take for your organization.

The fourth important step is to understand your threat landscape. Most people will reason: hey, my organization is very limited, a very small or medium-scale organization, I may not be dealing with millions of records, so why would somebody try to attack me? This is a common question that we face from the business at the top level, and the very important thing is you have to understand that there are different motivational factors for threats and money is just one of them. For example, I have seen that some of these threats come from people, especially if your organization is doing a lot of carbon emissions: people who are drawn to nature would like to attack your organization because they do not want your organization to emit a lot of CO2, or your organization has previously been exposed for some of these environmental threat factors. They want to attack your organization, so money may not always be the reason. So you have to, for example, scan the social media sites continuously and scan the threat vectors continuously. You can use threat modeling techniques, like, you know, a social media tool like TweetDeck, which helps you identify all the tweets that are going on and what kinds of threats are being discussed by these hackers out there, or you can use various threat modeling techniques that might exist for your organization, especially if it is exposing data.

Most organizations now are trying to expose this data with APIs, application programming interfaces, with REST and SOAP types of APIs being used, so you need to be extremely vigilant about your threat landscape so that you understand what kinds of threats exist out there. Then you need to understand or build your strategic cybersecurity plan. Once you know what your threats are, what your assets are, and what kinds of vulnerabilities they have, you have your threats and you have your vulnerabilities. What you basically need to calculate is the probability of this threat exploiting that vulnerability, and one of the things that I have seen organizations use is red teams or penetration testing to actually confirm whether these vulnerabilities can be exploited by the threats that are out there. And remember, a very, very important thing: this is not a one-time activity, this has to be a periodic activity, so that as your business evolves you can see what kinds of threats or vulnerabilities exist. For example, the number of employees that would be working from home two months back would probably be around 10 to 20 percent, but now a hundred percent of your employees are working from home. Imagine the new kinds of threats that are exposed to you too. If your employees are not so aware, somebody might call and say, hey, I am calling from the help desk, I sent you an email, can you please click on this link, because we see that your laptop is out of compliance. Many of your employees might fall prey to this. They are not prepared, or they do not know how to identify these new threats that are out there, and they might just fall prey to that kind of phishing or spam email, or, you know, spam phone calls, which combined can be used to launch the first phase, to do the first compromise, after which the organized hackers can literally expand the hack and then bring the organization to its knees.

So you have to build a plan. An incident response plan is as important as the proactive steps we talked about, because there is no question of 100% security out there; there is no way you can completely bring the risk level to zero. The only way is to avoid the risk, that is, by not performing that business activity, which means you are losing the opportunity of performing the business activity. So that means you cannot avoid the risk, which means you will not be able to be a hundred percent safe, but you have to keep the cyber risk at a level acceptable to the organization so that you can perform due diligence. So you should plan for it: always have a plan for how you are going to respond when an incident happens.

It is very important to have a plan and also to evaluate and test these plans regularly. Just like your disaster recovery plans and business continuity plans, a cybersecurity plan has to be tested frequently and evaluated so that you understand what weaknesses you have in your plan and how you can go ahead and fix them, so that your plan becomes foolproof. So it is very important to at least do exercises like tabletops, because the interactions between your teams are very important: on a typical cybersecurity incident you will have your network teams involved