While preparing the Western Allied forces for the invasion of Normandy and northwest Europe in WWII, Dwight Eisenhower famously stated, “Plans are nothing. Planning is everything.”
Eisenhower’s point was that the plan in and of itself is just a static document.
The planning process, however, is meant to be interactive, collaborative, and constantly evolving.
It never ends.
This applies to national security planning and cyber-security planning alike.
For example, consider the process of performing a security audit.
The process is fluid and involves an evaluation of the entire infrastructure.
Business processes are reviewed and refined.
Data is scrutinized to ensure that any confidential information remains protected from external and internal threats.
Ultimately, the plan that results from this process is a static document.
It is a snapshot of the steps that can be taken today to improve security.
However, the plan itself is of little value if it is not implemented, scrutinized, and fine-tuned to anticipate future developments.
Recognizing Security Threats
Recently the Office of Personnel Management (OPM) was breached by hackers.
This hack exposed very sensitive information on approximately 21.5 million people.
Every person given a government background check in the last 15 years was likely affected.
That information included social security numbers, addresses, employment history, education, and even fingerprints.
This hack resulted in the resignation of the Director of OPM.
It was revealed that there were plenty of warnings prior to the attack.
The Assistant Inspector General for Audits testified that the agency had a “long history of systemic failures to properly manage its IT infrastructure.”
Audits had been performed and recommendations were made to improve the system’s security.
There were security recommendations that dated as far back as 2007 that had been ignored.
When we talk about our government’s cyber security, we are also discussing our national security.
Building a Business Case for IT Infrastructure
The security plan will go nowhere if it isn’t executed properly. This sounds like common sense.
However, with shrinking budgets and the demand for a fast return on investment (ROI), security initiatives are often cut.
Security is one of those areas that only becomes a priority after a data breach has occurred. And in most cases, that is too late.
Regulations have been introduced to encourage organizations to take security seriously.
HIPAA, PCI, SOX, and others were created with data protection in mind. Organizations face fines and penalties if they are out of compliance.
The costs to an organization go beyond just the fines.
Gaining support for improved cyber-security is crucial.
Just like national security budgets, cyber security budgets get approved based on the risks as perceived by decision makers.
The time to invest in security is before an attack occurs.
Ongoing Diligence To Defend Your Infrastructure
The plan itself is really based on a snapshot of your business.
Infrastructure and business processes are constantly changing.
And new security threats are emerging every day.
Just like on the battlefield, it is important to adapt your plans to the opponents and the conditions.
Best practice calls for risk assessments on an annual basis at a minimum.
Identify the specific threats that your organization faces along with the impacts that an attack might have on your business.
This will help you keep the risks top of mind when it is time for budget approval.
To keep the offices of the CFO and CEO up to date on current security efforts, it also helps to report meaningful metrics to them.
These can include the security events you have faced: the irregularities your security team identified and the follow-up taken to remediate them.
Data security is generally the responsibility of the IT department. However, we know that getting budget approval for any IT initiative can be tricky until the decision-makers have bought in.
A lot of the same principles that go into budget approval for a storage project also apply to gaining approval for your cyber security action plan.
To help you with the process, we have put together the guide, Learn How to Pitch Your Next Storage Project to Your CFO.