How to think about a long-term cybersecurity strategy?
For small businesses the end game is likely simply the continuous operation of the company to make its owners money, and to minimize disruption and cost to the business from cyber attacks. For a startup the end game could be going public with an IPO, or working to sell the company to a larger one, or possibly a plan for both contingencies. And for a B2B technology company, there will likely be calls from its customers for some form of third-party proof of the company's security program, such as an ISO certification, a SOC 2 Type 2 audit or similar, which will need to be available when asked for.
Today, most M&A activity involves a cybersecurity review. Having a poorly working security program will almost certainly lead to a lower offer price. These reviews are normally done by an external third party to the sale, and they are thorough. Poor results in any of the areas that the acquiring company cares about mean that they'll build into the sales offer the effort needed to get those areas up to a level they're comfortable with after the sale. If problems span many areas, you can expect a significant impact on their offer price, or for some potential acquirers to simply walk away.
Going public has a different set of issues. The SEC recently adopted rules requiring disclosure of data breaches (SEC Form 8-K). The SEC also requires disclosure, in a company's annual report, of its cybersecurity risk management, strategy, governance, and any material security incidents. These reporting requirements are widely seen as requiring public companies to have a CISO in the C-suite. Additional non-security requirements include Sarbanes-Oxley compliance (accounting rules). The FCPA may also come into the picture. Public disclosure of a poorly functioning or poorly run cybersecurity program can have post-IPO effects that include regulators knocking on your door (not something you normally need to worry about as much if you sell the business).
If your company plans on supplying products or services to the US Government, you may need to meet requirements called out in recent Presidential Executive Orders (May 12, 2021 - Executive Order on Improving the Nation's Cybersecurity). This order could require you to implement a Zero Trust Architecture in your internet-facing products.

Once you have an idea of what you're going to need, and some idea of when you'll need it, you can start to plan out the work. Even if you're not a B2B provider, you may want to look at some of the cybersecurity audit regimes. Nearly all of these are based on the idea of risk management, plus some level of 'industry standard' security controls. If you're a federal contractor, you may want to look especially closely at the NIST Cybersecurity Framework. Each of these standards has a different focus, and a different number of required controls to meet its program's objectives. After picking one, you may wish to discuss what implementing an auditable security program looks like for that particular spec. For example, for ISO 27001, there are a number of processes that run more or less continuously, and some that only need to happen once a year. All of those need planning, and attention from the impacted stakeholders, to build out processes and measurements that fit your company's circumstances. Other security controls are put in place and are fairly static, only changing when they really need to.
Let's suppose that you've realized early on that you need a good security culture, a bunch of security processes, and ways to measure both. Your business is not B2B, so you probably won't need to adhere to any formal audit structure (beyond one of your own making). How long does it take to get some of this in place? Well, the answer is, unfortunately, "it depends". It depends on how much senior management is able to focus on and lead the effort. This is where having a fully engaged Security Sponsor makes a HUGE difference. With a sponsor who keeps reminding staff in your scheduled all-hands, and perhaps in various weekly group meetings, of the company's goals, current status, and work still to be done - it might go fairly easily. Without a sponsor, and with just an individual contributor buried down in the bowels of your already large-ish engineering team of 35 people - the honest answer may be "forever". What gets measured gets paid attention to in corporate America, and what gets measured by the CEO *really* is more likely to get sustained attention. So the speed with which your company implements security 'controls' really is highly dependent on the degree of engagement from executive staff. This continues to be the case once processes are fully defined and starting to work. Once the execs take their eye off the ball, stuff tends to fall by the wayside. And the things that staff often don't understand well, and which are sometimes viewed as unnecessary burden by the engineering staff, will be the first to fall. It's just human nature - and much of my job has been trying to fight against human nature. Many things seem more immediately important than dealing with security: new functionality, prototyping, updating the build machines, etc.
By Craig Payne