Three Ways (Not) to Manage and Report on Your Cybersecurity Program
This April 1st, don't get fooled by all the hype around fancy security solutions. Instead, it's time to talk about the real deal: manual work. To start this conversation, here are Three Ways (Not) to Manage and Report on Your Cybersecurity Program.
Spreadsheets
Everyone loves a satisfying Excel file, so it makes sense that people look forward to working on it, but don’t trust anyone. Report and analyze everything yourself to be sure that the data is accurate. For extra assurance, always double AND triple-check your work.
Manual spreadsheets are amazing, and building them is a great way to spend your day. They are also very versatile. You can have multiple spreadsheets and, of course, tons of metrics. So many that you will always have a few sheets open on your computer or desk. Or you could have just a few really long ones, if that's more your style.
Questionnaires
Questionnaires for third parties promote communication and information sharing. As we all know, risk can often be substantially reduced through questionnaires. The arduousness of the due diligence is a sign that it is working well. Ask every question that you can think of. Nothing is irrelevant.
Questions like “Do you ensure that only authorized users are allowed to access wireless devices?” and “Do you have an encryption mechanism for securing data in transit or in storage within your environment?” will get to the honest and thorough truths. They will provide you with the whole picture without putting in too much effort.
Powerful Pointers
Using templates, although quick (sort of?), is possible but not ideal. We recommend starting with a blank page and no plan, except to make it look technical and long. Use loads of bullet points and create each graph from scratch. Maybe you can even make the graphs in Excel—that way your presentation creation process can truly be the epitome of smooth efficiency.
Don’t worry too much about explaining why breaches occurred or how cybersecurity impacts the organization’s reputation and finances. The board is not interested in those aspects. All they really want to know are the minor and technically obscure details. Make sure you don't mention anything too high-level.
Keep Everyone Guessing
It's key to an organization’s cybersecurity to keep all teams siloed. Don't let them communicate. They can't share information because it may lead them to discover things, work together, and create a culture of cybersecurity awareness.
Experts will tell you to adopt zero trust. This is truly a great idea if you interpret it as we do: have no trust. Trust zero people. Don't let the teams join forces, because you never know what will happen. They could provoke a cyber-attack or get so distracted that the whole organization gets hacked.
Summary
To conclude, these practices are careful, wise, and... happy April Fool’s Day! We at Onyxia hope you have an amazing start to April and that we didn't scare you too much. We are the greatest CISO supporters 🙌, so we would never actually suggest these practices, but we wanted to celebrate the day. Let us know in the comments if you have any additional ‘tips’ or ‘takes’ that you want to share.