“Cat: Where are you going?
Alice: Which way should I go?
Cat: That depends on where you are going.
Alice: I don’t know.
Cat: Then it doesn’t matter which way you go.”
– Lewis Carroll, Alice in Wonderland
Too many cyber-security strategies today resemble the situation above. There may be massive effort and lots of movement, but without a solid plan to guide the organization, what appears to be an architected defense-in-depth capability can be poorly planned and porous, allowing attackers easy access to the organization’s deepest secrets.
A critical tool to help mitigate this problem is a cyber-assessment that is performed on a regular basis to give everyone involved a clear picture of what is working well, what needs improvement, and which capabilities are missing. Once the cyber-assessment has been completed through analysis and auditing of current plans, recommendations can be generated along with a strong risk assessment of the organization’s cyber health. These logical next steps can then be factored into ongoing efforts.
Utilizing outside resources can bring an independent view into the process and enable the injection of industry best practices from outside the organization. The independent firm should not become a rubber stamp, and several organizations I’ve discussed this with have set up a process to utilize a different firm each time to avoid any repetition or turf-defending behavior from the outside.
Assessments can be a valuable tool in the array of efforts that need to be thought through for a thorough, well-articulated cyber-defense plan. These assessments should be tiered in terms of level of detail and presented independently to different groups in the company, along with a combined review once everyone understands the critical elements.