Cyber Essentials #1 – Who’s responsible?

Home / News / Cyber Essentials #1 – Who’s responsible?

Many managers – especially those who combine obligations to ensure both – working IT infrastructure and it’s security – wonder how to choose the appropriate point of reference. Cybersecurity, which in their case is only part of their duties, but for which they take full responsibility in the event of an incident – for many is a burden. To provide you with fundamental guidance, we will refer to Cyber ​​Essentials from CISA (Cybersecurity & Infrastracutre Security Agency US), which has published a guide to develop a working understanding of where to start implementing IT security practices in your organization. It is worth adding that, according to the NIST Cybersecurity Framework, widely used by advisory and audit organizations, Cyber ​​Essentials are the starting point for cyber-threat preparedness. And at worst, to prove your preparation to an auditor…


Who is responsible for cybersecurity – IT? Compliance? Information Security Department?
When an audit takes place, it will be too late to determine it, and the blame will remain where someone takes it on themselves. Define who is responsible and for what area – after all, information does not only lie in digital resources. Those resources will help you:

  • NACD Director’s Handbook on Cyber-Risk Oversight – built around five basic principles that refer to the responsibility borne by the company’s authorities – but also managers and directors.
  • CISA Security Advisory – Questions Every Director Should Ask About Cyber ​​Threats: Illustrates the amount of knowledge you need to be better prepared and resilient to IT threats.

If your job is to drive your cybersecurity strategy, investment and culture – consider the following:
  • To what extent your organisation’s operations depend on IT
    – what is mostly paper and what is digital
    – and on which side are the critical points of rotation for a given type of information?
    – what about digital resources and processes should be prioritized
    – how to secure the identified priorities
  • Approach cybersecurity as a business risk – what assets are at risk and how much will it cost to damage them? Numbers speak to business.

These are assumptions, it is worth translating them into two issues – information security policies and technologies. One must support the other, without it you will not be successful. Without the right technologies, you will not be safe – but the tool is as effective as the skills and strategy of using it.

Here are some things to consider: 
  1. Cybersecurity is not only about investment in technological opportunities, but also about continuous investment in training in cybersecurity. Determine which is more important – security processes or technologies?

  1. If you have a firewall, data loss prevention or endpoint detection & response, but your employees do not know what to do in the event of an incident (or even do not know what to qualify as an incident) – focus on implementing policies and making your organization aware of the importance of digital infrastructure security.

  1. If you have a range of policies but no enforcement tools – the natural choice is to invest in technology. Our activity involves implementations in this area – we will not describe, just write!

    Regardless of the two above, remember that the main security boundary is end-user awareness – help them understand how they can support their IT security department with training and discussion rather than being an “IT police”.

    • Invest time in understanding cybersecurity policies. Business leaders and technical staff should work together to develop policy and ensure that the rules are well understood by the organization.

    • Review all current cybersecurity and risk policies to identify gaps or weaknesses by comparing them to an established cybersecurity risk management framework.

    • Develop a policy roadmap by prioritizing risk-based policy development and updating it as determined by business leaders and technical staff.

    Good practices at this stage can be found in:

    1. NIST Computer Security Resource Center 
    2. SANS Information Security Policy Templates 

    3. Build a network of trusted relationships to gain access to up-to-date information on cyber threats – cybersecurity professionals must have up-to-date knowledge. Domestic CSiRT, NASK or international resources or threat intelligence technologies will help maintain situational awareness of IT security threats. You are most threatened by current campaigns in your country / region – you don’t have time to focus on everything. It is also worth considering the ARAKIS-GOV program implemented under the Polish CSIRT.

      Some proven resources also include:

      1. VirusTotal 
      1. OWASP TOP 10 
      1. SANS: Internet Storm Center 
      1. Department of Homeland Security (DHS): CISA Automated Indicator Sharing 

      Knowing, above all, the scope of responsibility for IT risk – yours and other leaders in your organization – you can map how the above resources are used in your organization. Only the awareness of the organizational “as-is” will allow you to notice insufficiently protected areas – information, communication channels, equipment – and convince the management board to invest in IT security technologies. When it comes to mapping technology to existing infrastructure, the gold source in the industry is invariably the NIST Cyber ​​Security Framework.However, this is only the first area that focuses primarily on understanding responsibility and scope – to build both internal processes and cooperation with other departments.

    Powiązane posty

    Please be advised that our website is using cookies for marketing, statistical and functional reasons. In order to optimize the content on our website and to adapt them to your individual needs, we use informations saved using cookies on users’ end devices. Cookies can be controlled by the user through the settings of their web browser. By contiuning to use our website without changing your web browser settings, you are accepting the use of cookies.