Cybersecurity is on the board agenda for all companies or should at least be there. Everyone understands the efforts needed and that demands are constantly rising. Hard work and significant investments are not enough. We need to take advantage of the lessons that others have already learned.
Working with cybersecurity isn’t like digging ditches. Throwing more people at a security project does not get the job done faster, and above all, it does not get it done better. Security projects that are not thoroughly planned end up costly and resource-intensive, and they weaken the organization’s overall cybersecurity.
It feels natural to launch extensive security projects to achieve quick results. Unfortunately, many organizations are in too much of a hurry to start implementing solutions with specific cybersecurity products and services. The risk that ill-considered solutions leave gaps in cybersecurity is obvious.
There is an enormous amount to be gained by stopping for a while and examining what ready-made solutions are available. It is unlikely that the particular company or authority you are working on is the first to address the security issues that need to be resolved. By sharing available knowledge, it is possible to get better security solutions in less time.
This is about frameworks, regulations, and collections of specifications and instructions. The best-known collection is the ISO 27000 series. The NIST Cyber Security Framework is an American collection that is free to use. There are also more specific collections, such as ISA/IEC 62443 for securing control systems and automation solutions in the manufacturing industry. Rating from SKR is a tool for classifying IT systems with respect to information security.
Another framework describes 20 key cybersecurity areas to control and is commonly referred to as CIS 20. Its descriptions are a valuable method for determining the current status of cybersecurity protection and for helping to prioritize security work. The full name of the framework is The Center for Internet Security Critical Security Controls for Effective Cyber Defense; CIS 20 is easier to remember.
These are just a few examples; use them if you have not already done so. If you follow the instructions and check that your architecture and functionality comply with specifications of this type, the security work is heading in the right direction. Building on standardized specifications also makes communication between consultancy firms and customers easier.
Why is ‘help’ of this type not used more? Apart from the fact that taking it on can be perceived as very time-consuming and resource-intensive, one reason is that those who need the help do not know that it exists. Most likely, though, it is simply not perceived to produce any immediate results. Installing a new firewall gives the feeling that security is improving; ticking off points in a checklist does not.
For a consulting company like my employer, it is a great advantage to work with customers who understand the value of drawing on available knowledge. We know that we should avoid reinventing the wheel; if customers understand that too, together we can achieve better results faster.
For organizations that want to take responsibility for their cybersecurity, the benefits are just as clear. Treat the frameworks and specifications as practical guidance on the goal of the cybersecurity work. Then choose how much to rely on them along the way; you do not have to follow the specifications slavishly. They always serve to verify that the efforts made are reasonable.
The result is better cybersecurity, delivered cheaper and faster.