Business Owners!, What do need to do to be a Cyber leader for your business?

 Being a cyber leader does not require technical expertise, but rather an ability to change the culture of your organization. Reducing your organization’s cyber risks requires awareness of cybersecurity basics. As a leader, you need to drive your organization’s approach to cybersecurity as you would any other hazard (e.g. how you identify risk, reduce vulnerabilities, and plan for contingencies). This requires an investment of time and money, as well as the collective buy-in of your management team. Your investment drives actions and activities, and these build and sustain a culture of cybersecurity.

Approach cyber as a business risk. Ask yourself what type of impact would be catastrophic to your operations? What information if compromised or breached would cause damage to employees, customers, or business partners? What is your level of risk appetite and risk tolerance? Raising the level of awareness helps reinforce the culture of making informed decisions and understanding the level of risk to the organization.

Determine how much of your organization’s operations are dependent on IT. Consider how much your organization relies on information technology to conduct business and make it a part of your culture to plan for contingencies in the event of a cyber incident. Identify and prioritize your organization’s critical assets and the associated impacts to operations if an incident were to occur. Ask the questions that are necessary to understanding your security planning, operations, and security-related goals. Develop an understanding of how long it would take to restore normal operations. Resist the “it can’t happen here” pattern of thinking. Instead, focus cyber risk discussions on “what-if” scenarios and develop an incident response plan to prepare for various cyber events and scenarios.

Lead investment in basic cybersecurity. Invest in cybersecurity capabilities for your organization and staff. This includes not only investments in technological capabilities, but also a continuous investment in cybersecurity training and awareness capabilities for your organization’s personnel. Use the Cyber Essentials to have conversations with your staff, business partners, vendors, managed service providers, and others within your supply chain. Use risk assessments to identify and prioritize allocation of resources and cyber investment.

Build a network of trusted relationships for access to timely cyber threat information. Maintain  situational awareness of cybersecurity threats and explore available communities of interest. These may include sector-specific Information Sharing and Analysis Centers, government agencies, law enforcement, associations, vendors, etc.

Lead development of cybersecurity policies. Business leaders and technical staff should collaborate on policy development and ensure policies are well understood by the organization. Perform a review of all current cybersecurity and risk policies to identify gaps or weaknesses by comparing them against recognized cyber risk management frameworks. Develop a policy roadmap, prioritizing policy creation and updates based on the risk to the organization as determined by business leaders and technical staff.

(Source: CISA)