To better understand an organisation's cyber security risk, and its progress in managing that risk, a 'triple check' can be performed regularly on what is actually happening:
Strategically: What does the director think is happening versus what they would like to happen?
On the ground: What are employees actually doing versus what the director thinks they’re doing?
On plans: Is what the director wants to happen on track to be achieved?
There are some important nuances to these three views. Firstly, the director needs to be strategic about which risks they are willing to bear, and be able to communicate those choices clearly.
Secondly, employees (including directors!) don't only use work-owned devices on corporate networks; they also use their own devices, and on other networks, such as at home and on the road.
Finally, assuming the director or business owner has articulated the organisation's security expectations, they need to be able to verify that something is actually being done to meet them.
So far, we have only been talking about one organisation.
The same three questions, however, also apply to every other organisation that stores, accesses, sends or receives your information: suppliers, customers, partners, professional services providers, cloud providers and so on.
This is what is termed your ecosystem.
The complexity of ecosystem risk can be managed by mapping it out and breaking the required actions into pieces, prioritised by importance.
At first, your CyberMap may well look more like a vulnerability map. The ultimate goal, however, is for it to map your protections. It is difficult to protect your data until you know where it is, both at rest and in transit, and so the CyberMap sits at the very heart of your cyber security action plan.