Tenable Blog

Cybersecurity is a C-Level Activity

The information security field is a challenging place these days. With new and increasing threats every day, staying ahead of risks can feel like treading water. There’s always a new vulnerability to address, a patch to apply, security tools to research and defenses to update. But being defensive is not a sound security plan; it’s imperative to be strategic and get ahead of attackers.

Why you need a security policy

A good security policy is a written plan for implementing and enforcing information security best practices that your executive management team has bought into. Saying that you have a firewall to protect your networks is not good enough; a perceived plan is not a policy. Saying you follow the SANS Top 20 is admirable, but you need a customized plan for implementing those 20 guidelines in your organization as a daily practice. Sure, you can start with a template from SANS, PCI, or NIST, but each and every point must be scrutinized and tailored to your specific needs; a good security policy is not a checklist. The policy should become a way of life, a mindset that you bring to the job every day. The policy should be reviewed and updated regularly as the IT landscape changes and as attackers add new technologies to their arsenals. And it is imperative that your plan be presented and endorsed by C-level staff and the board.

Why is it vital to have a security policy? Because without a policy, there is no security. And compliance with the policy is the only thing that will keep you secure. Deviations from the policy create risk, increasing the chance of an attack, a breach, or data theft.

Cybersecurity belongs in the boardroom

These days, a security policy cannot just live in the IT department. A good security policy presents a strategy that is also aligned with corporate goals and objectives, integrated with other enterprise policies. Information security affects the entire organization. A breach can steal your organization’s intellectual property, it can compromise your customers’ private data, it can expose your enterprise’s confidential data, and it can damage your company’s reputation. Your plan of action must be embraced by the entire organization to protect all those assets. With so much at stake, you should get your executive management to buy into your security plans. They must understand the risks and the consequences of not implementing a comprehensive security policy. Security is everyone’s business – it must be built into the corporate conscience.

In short, cybersecurity must have a seat at the boardroom table. Your security policy and systems should get the same visibility as the financial and customer systems in your organization. If the board of directors is charged with providing oversight to every aspect of the business, then they must also understand, monitor and participate in cybersecurity protective measures. In a recent Forbes article, Why It’s Time For a Board-Level Cybersecurity Committee, Betsy Atkins makes the case for a cybersecurity committee in the boardroom and a security policy that is shared with the board:

It is crucial that the board require management to present their policies on cyber security. Request that management write up their security practices and standards, and their protocol for responding to a security breach.

This is timely advice. Every CEO, board chairman, and executive manager has a personal stake in cybersecurity. But when you think about it, CIOs and CFOs have several things in common when it comes to security:

They don't know what's on the network

The network is changing all the time, and that visibility does not reach the C-level. It is the responsibility of infosec professionals to educate top executives about what is actually on the network.

They don't have a budget for everything

You may have a stellar security policy, but if it is not backed up in the corporate budget, you can’t implement it. You need to bring security requirements to the executive conference room, because security is just as important as your financial and customer systems.

They don't know exactly what their organizations should be doing for cybersecurity

Should they follow their peers? Should they modify and adopt a standard such as SANS? Should they go beyond the baseline standards for a more robust (and more costly) security policy? These decisions can’t be made in reaction to a threat or attack; defenses must be put in place and enforced before a crisis occurs. That requires the full endorsement and budgetary backing of your executives and the board.

A security policy protects your data, but it also protects the entire enterprise, your customers, business assets, and your corporate reputation. Whatever tools you have, whatever technologies you use, you need a security policy that aligns them together for organizational security. And your policy must be endorsed by the board to be effective. It’s time to elevate cybersecurity to the C-level.
