1. Risk-based Approach
CISOs should carry out a cyber security risk assessment for their enterprise. It is important to note that, with the budget allocated for cyber security, it is not possible, nor is it advisable, to try to address every threat the enterprise faces. An enterprise needs to analyse its critical business risks, e.g., which threats could lead to downtime, damage to reputation, lost business, monetary losses, or a confidential data breach. Use tools such as a likelihood vs. impact matrix to quantify the threats; this helps identify the areas where the enterprise must be prepared to address unforeseen, sudden threats immediately, and hence to budget accordingly.
2. Industry and Size Analysis
While cyber-attackers do not distinguish between enterprises based on industry or size, there are specific types of risk that commonly affect a particular industry and a particular size of business.
E.g., given the nature of an eCommerce business, where transactions are completely online, it is highly vulnerable to DDoS attacks or credit card fraud. Healthcare providers, hospitals, and medical centers are mostly targeted for the theft of private and confidential consumer data. Similarly, specific threats exist for banking and financial organisations. In addition to the risk assessment highlighted in the point above, CISOs need to consider the potential penalties and fines an enterprise would be liable to pay should there be a breach within its systems.
3. Readiness of The Enterprise
Every enterprise needs to delve into its existing cyber security controls and how good they are at defending its systems and data. This is a measure of the readiness of the enterprise to manage potential threats and attacks. If it is not at an acceptable level, the enterprise needs to budget for and invest more in cyber security controls. Paul Proctor, former Chief of Research for Risk and Security at Gartner, explains the importance of readiness.
4. Cyber Security Operations and Activities
An enterprise should plan and budget for the operations and activities it needs to undertake as part of its cyber security strategy. Penetration testing, preferably by an external services provider, should be one of the critical activities, as it provides a neutral assessment of readiness and of the threat environment. Penetration testing of the various components of the enterprise’s IT landscape should be carried out periodically, e.g., every quarter or every six months. The enterprise should also consider the model under which it operates its cyber security operations: whether it is managed internally or outsourced to an external services provider. In addition, the budget should include activities such as security training and awareness for staff, security tools and upgrades, policies and procedures, etc.
Previously published at