Sunday, December 14, 2025

Cybersecurity Program Coaching

Every institution should have an ongoing #cybersecurity program.

Technology changes, the way we use technology changes, threat actor behaviour changes, systems and services go out of support and compliance requirements change.

For example, in the Australian federal government the Information Security Manual is updated on a quarterly cadence, and material changes are made to controls and coverage requirements.

The expectation has been set that you need to be running contemporary technology, configured to industry standards and operated with best practices.

You cannot expect operational personnel to deliver more than incremental process and technology improvement.

Cybersecurity is not a “solved problem” like, say, “fire”, with fire detection, suppression, EWIS (emergency warning and intercommunication systems), drills, mature standards, firefighting and ubiquitous reliable insurance cover. It requires constant adjustment to get it right for the organisation.

A well-running program will:

1. Regularly deliver risk reduction outcomes, on at least a twice-yearly cadence.
2. Have “non-lumpy” spend and a three-year commitment from management on ongoing budget, with hopefully a slight downward trend in spend.
3. Have a tactical stream of work to execute on opportunities to reduce risk arising from audit issues, observations and changes to technology.
4. Have one to three strategic streams of work, potentially aligned with security transformation to help the cyber team deliver more effectively, delivering risk reduction in a known control domain, or delivering an outcome that enables the organisation in a non-security manner.
5. Run a planning session well before the beginning of the calendar year to develop candidate work packages for prioritisation by the steering committee.
6. Align with the organisation’s overall and IT work cadence so that change management considerations do not derail regular delivery outcomes.
7. Give project managers a “project on a page” document with scope and outcomes so they can develop a more detailed project scoping document with their team.
8. Run a risk register, primarily of delivery-related risks, that is actively managed so that delivery does not “stall on a known speed bump”.
9. Advertise and promote the program with a “catch phrase” and an “elevator pitch” for each stream of work, and with collateral describing the program and its successes on an intranet page.
10. Have a register of key stakeholders and schedule regular contact between them and the right people in the program.
11. Consider the external stakeholder impact of each project and stream of delivery, and “batch request” information and activities on a program-wide basis so key stakeholders are not bombarded with agenda-less meeting requests.

Security coaching for non profit organisations

When smaller organisations don't know where to start with #cybersecurity they generally have these options available from the market:

1. Get a pen test done and make the technical fixes recommended for critical issues. Surprise - it's probably patching and secure configuration.
2. Have a desktop-based assessment performed against a selected standard and make the critical fixes recommended. Surprise - it's probably creating or updating some policies.
3. Technical training of their IT team so they have a clue. Surprise - it's probably funding self-study and certifications.
4. Security awareness training of their personnel so they know what modern scams and digitally enabled fraud look like. Surprise - it's probably non-engaging e-learning.

Unfortunately none of these immediately helps them provide a lasting step change in their cybersecurity risk posture or set them on the path to continuous improvement. Here are a few paths forward that might not have come to mind:

If you are a small organisation with a decent attack surface to protect, look at procuring a capable attack surface management service, which will provide continuous discovery and vulnerability scanning of your brand's digital assets and alert you on exposure outside your risk tolerance. (These systems "feed themselves" and give you many of the benefits of an annual penetration test, every day.)

Consider aligning your operations with "common sense" IT hygiene and security standards, starting with offline or immutable, tested backups, keeping your operating systems and applications in support, and applying patches on a routine. Have a look at CCMLite (https://cloudsecurityalliance.org/research/ccm-lite), which is mapped to many common security frameworks, has controls that any organisation can and should adopt, and comes with implementation guidance.

Look at whether a Managed Detection & Response service fits within your risk profile and budget envelope, so you have a chance to detect and eject attackers from your endpoints; attackers don't keep business hours, and your IT team has day jobs to do.

Look at what security features are available to you at low or no cost and with a big risk reduction benefit to implement in your systems. If you have Entra ID (who doesn't, thanks to M365?) you have the ability to implement phishing-resistant MFA, for example.

If you are operating in the #nonprofit sector, just not getting the love from the large cybersecurity consultancies, and just don't have the budget to attract IT talent, reach out for #itsecurity coaching that will help you get on the path to continuous improvement.