There’s a misconception that Information Security (or cybersecurity if you want to call it that) is a technology problem, requiring a technology solution. It isn’t!
The result is that the folks who understand risk best (the Board, senior management) delegate to folks who don’t have the full picture – or worse to IT vendors who’ll happily sell you a “solution”.
Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
You need a Risk-Based InfoSec Strategy
A true Information Security strategy doesn’t have to be complicated, or technical. But it must:
- be aligned with the Board’s appetite for risk
- be derived from true risks as perceived by Management
- conform to, and take advantage of, the corporate culture
- define risks in business terms (reliability, cash flow, etc.)
- address resilience and mitigation, not just risk avoidance
- be actionable, and have achievable goals
- take into account the human element
- be the foundation for a culture of information governance and security
But we’re not a bank! (or e-commerce firm, or…)
Do you have employees? Customers? Get paid? You are at risk.
But we use [insert pet technology here]!
See my intro above about this not being a technology problem.
But we’re a small business!
But you want to stay in business, right?
I can help you:
- Build an Information Security Strategy that aligns with your business objectives
- Design a Risk-Based Governance Framework and controls
- Develop an implementation plan
- Develop a Security Response Plan
as I have built and implemented effective and successful security strategies for small firms and non-profits as well as multi-billion dollar enterprises. I also have access to an extensive network of high-caliber security advisors and practitioners whom I can recommend.
Additional Reading
Breach Du Jour
The Hackers Who Breached Neopets Were Inside Its IT Systems for 18 Months – 2022