Sunday, October 6, 2013

From the UK: Executive Companion - 10 Steps to Cybersecurity

"Value, Revenue and Credibility are at stake.  Don't let cyber security become the agenda -- put it on the agenda."

There are so many guides, guidelines, and documents available to help the security professional get a sense of what needs to be done and why.  The US National Institute of Standards and Technology (NIST) and Department of Homeland Security (DHS) certainly produce some excellent documents.  I've also cited our friends over in Europe at ENISA -- the European Network and Information Security Agency -- and some of their guidelines as excellent resources.

This past week I came across a document from the UK GCHQ called Executive Companion -- 10 Steps to Cyber Security.  It is a 20-page guide intended to get the attention of the CEO, CFO, and Board Members and to give them a summary sense of the cyber security challenges organizations face every day.  As I've quoted from Mr. Lobban's introduction above, the best advice to today's Board of Directors and CEOs -- in addition to the CIOs and CISOs -- is to get cyber security awareness on the agenda at all levels of the company, including employees, vendors, consultants, shareholders, stakeholders, and other "holders."

Of course, with a title like "10 Steps..." you are probably interested in the digest of the 10 actions to be taken.  Page 7 of the Executive Companion includes the graphic below, which gives you a sense of the business steps the organization's leadership should take to "...review...invest where necessary...and to improve security..."


Overall, I like the graphic designed by GCHQ, but I do want to add one more consideration for all companies and organizations.  Basically, you need to assume you will have a data breach and you will have an attacker inside your network -- don't assume otherwise.  As such, heed the above 10 items with the expectation that you will need to defend your data, your intellectual property, etc. sometime in the near future.

(To read more about the "Assumption of Breach" concept, please see my article in Asian Power at this link.)

Take a moment to review the Guide; I'm sure you will find it useful to pass along to the CEO and Board.

Cheers!