This article will answer the following questions:
- What is a cybersecurity development plan?
- How far ahead should my cybersecurity development plan look?
- How do I prioritize requirements on the cybersecurity development plan?
- Should the requirements be compliance based or risk based?
- How do I colour-code my requirements list?
- What is the best way to make auditors happy?
- Who is responsible for the execution of the requirements on the cybersecurity development plan?
- What is the biggest challenge in meeting the requirements on the cybersecurity development plan?
- What are the major pitfalls when creating a cybersecurity development plan?
Cybersecurity development plan Part I: Create a Cybersecurity Development Plan
As soon as the cybersecurity manager has a firm understanding of the structure of the company and the current security liabilities, the next step is to create an effective cybersecurity development plan. This plan will provide a blueprint of actions to help them move forward in securing the company’s data. This planning stage is when the cybersecurity manager starts to map out what should be done in the next year to eighteen months.
The recommendations that go into the cybersecurity development plan are based on the real risks uncovered by talking to the stakeholders and leaders at the company. That may be a long list, so an important function of the cybersecurity development plan is to prioritise to-do items. For example, after talking to the stakeholders, the cybersecurity manager might learn that there are actually two glaring vulnerabilities that have to be rectified immediately based on business needs. Those would go at the top of the list.
Ideally, the requirements will be both compliance- and risk-based: they make sense to company management and also address compliance obligations. It’s a win-win. A risk-based decision might be as simple as purchasing a burglar alarm system. Perhaps the company doesn’t have a burglar alarm system in place, yet it is located in an area with a high risk of burglary. Even if buying an alarm system costs tens of thousands of dollars, it could be a smart decision to minimise risk.
Compliance-based items will probably revolve around regulations or standards. Perhaps the business is required to have a business continuity plan and incident response plan in place. For a smaller business, these types of plans usually don’t make much sense, so most small companies don’t have them. But if it is mandated by a regulation, the small business will have to spend money on creating those plans just to be in compliance, even though management may feel it’s unnecessary.
The challenging thing about compliance is that you have to cover every part of the standard set forth in the regulations, one item at a time, until you’re done. For each item that is not yet completed, the cybersecurity manager must mark it as a to-do and then find the most cost-effective way to accomplish it. That often creates another long to-do list for the cybersecurity manager.
In other circumstances, compliance items can be marked as not applicable. It’s a grave mistake to try to meet every single requirement as-is. The cybersecurity manager should investigate whether each requirement actually addresses a significant risk for the company. Under some compliance schemes, it’s quite possible to leave a requirement unimplemented if there’s no accompanying risk whatsoever, provided the exclusion and its justification are documented so they can be defended to an auditor. This is one kind of scoping tactic that professionals use to reduce their list of requirements.
Creating a cybersecurity development plan isn’t necessarily complicated, though. It could be as simple as making a list of prioritised and scheduled tasks in an Excel spreadsheet. To keep it simple, the cybersecurity manager can take the Payment Card Industry Data Security Standard (PCI DSS) or the ISO 27001 standard and copy and paste all of the headers into Excel. Then, under each header, enter a subtitle for each of the requirements. That would be an easy way to get started.