Is there such a thing as “just enough” cybersecurity? This is a question businesses have to ask themselves. Most organizations know that they need cybersecurity, but they don’t know how much security they need, what to secure, or how to do it.
Businesses must adapt to ever-changing government and industry regulations. The fact that many employees now work from home has also changed the attack surface. Attackers adapt quickly to such changes and adjust their methods accordingly, so businesses must also change how they protect their data.
Consider the concept of “reasonable security.” Trying to define what “reasonable” security is can be a challenge. Rick Lazio, former Congressman and RGCybersecurity & alliantgroup SVP, and Mike Davis, RGCybersecurity & alliantgroup CISO, wrote about taking the approach of first defining what a lack of reasonable security would be. Their suggestion is to use the Center for Internet Security, Inc. (CIS) Critical Security Controls (CSC), a list of 20 controls, to map out a definition of reasonable cybersecurity.
The benefit of the CIS CSC is that it is a recognized and respected source to map your security environment and quantify risks. It is also a recognized methodology and approach to demonstrate and provide a reasonable and defensible security posture. Using the CSC will help you decide which framework best suits your needs. Lazio and Davis recommend using either the National Institute of Standards and Technology (NIST) Risk Management Framework or NIST’s Cyber Security Framework.
Now that you have read through the various cybersecurity controls and frameworks, are you ready to address the gaps that are keeping you from achieving reasonable security? Remember that you do not have to manage the entire process on your own. Contact the cybersecurity experts at Quick Intelligence to help you determine what reasonable security looks like for your organization.