Each October, the world turns its attention to our profession for #CybersecurityAwarenessMonth. This Cybersecurity Month, ISC2 Insights is focusing on all aspects of the profession and asked our volunteers to answer a few questions. First up: What is the #1 thing organizations should be doing to ensure they keep a good security posture? Responses revealed common themes around leadership, education and shared responsibility.
Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.
Cybersecurity Support from Management
Leadership support was a recurring theme amongst ISC2 members and candidates. Cybersecurity professionals want commitment from corporate leaders, both in action and budgetary support, to defend organizations against cyber threats. Andreas Panayi, CISSP, said top management should make room at the table “for CISOs or other cybersecurity-accountable colleagues” for input and strategy.
“Even prestigious companies can fall short in security if leadership doesn't invest in it,” said Ser Dyk Aldeza, CISSP. This means investing in modern security solutions, skilled cybersecurity staff, and continuous training, he added. “Unfortunately, in some organizations, leadership is too focused on profit and fails to recognize cybersecurity is a business enabler, not just a cost center.”
“The cybersecurity skills gap,” said Schlaine Hutchins, CISSP, CCSP, HCISPP, CC, “is often a result of leadership failing to understand how to hire for the right skills or support the growth of their teams. Misaligned expectations and underinvestment in people and core processes have contributed to the challenges we face in the industry today.”
Cybersecurity is a Shared Responsibility
The human factor should not be ignored. ISC2 members believe it’s important to invest in people and imbue them with a sense of shared responsibility regarding cybersecurity.
“People are often called the weakest link, yet they’re also the most valuable asset we aim to protect,” said Joe Hawley, CISSP. “We need advocates across both security and business roles who champion collaboration. Each person must establish their own security baseline, from managing personal accounts to practicing strong data protection.”
Bruno Chéry, CISSP, CCSP, put it simply: “Continue investing in people!” People are critical to developing, growing, and ensuring business resiliency. “Great tools and a fine-tailored business process are essential building blocks, but it is sales, tech, support, engineers, and service heads that will have the expertise, guts and intuition as to how to deliver the best services for your customers.”
Cybersecurity Awareness Training for All
Investing in a culture of cybersecurity requires educating everyone from top leaders to rank-and-file employees, said Jennifer Blacker, CISSP. “Living and breathing how security works will protect your business.” Regardless of company size, “the most important thing you can do for your business, your clients, and your team is education.” Blacker recommends using monthly newsletters, weekly articles and quarterly training sessions to keep security top of mind.
Troy Goodman, CISSP, CGRC, agreed awareness training is key. “Keep it short, simple or fun, to maximize information retention.”
Attention to the Cybersecurity Basics
Addressing cybersecurity basics, such as patching, asset management, access controls, and regular monitoring, is key to building a strong posture. “Many organizations jump to complex tools before establishing a solid foundation,” said Schlaine Hutchins, CISSP, CCSP, HCISPP, CC.
Nelson Hernandez, ISC2 Candidate, noted the importance of keeping systems current. “Too often, systems fall behind on updates, leaving them open to known exploits. By staying proactive with patches and regularly scanning for vulnerabilities, organizations close many of the gaps that attackers commonly use to gain entry.”
“Make sure you have a complete asset inventory,” said Samuel M Tilling, CISSP, SSCP, CC. “In my experience, nearly all incidents come from something simple being overlooked – a forgotten server, an unpatched endpoint, a legacy system which nobody realized was still accessible.”
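The gap Hernandez and Tilling describe, a system nobody knew was still reachable or one that quietly fell behind on patches, can be checked mechanically by reconciling the asset register against what network discovery actually sees. This is an added illustration, not code from ISC2 or any of the contributors quoted; the inventory records, discovered addresses and 30-day patch threshold are constructed sample data.

```python
from datetime import date

# Constructed sample data: the asset register as the organization believes it to be.
INVENTORY = {
    "web-01":     {"ip": "10.0.1.10", "owner": "platform", "last_patched": date(2024, 9, 20)},
    "db-01":      {"ip": "10.0.1.20", "owner": "data",     "last_patched": date(2024, 9, 18)},
    "legacy-erp": {"ip": "10.0.3.5",  "owner": "finance",  "last_patched": date(2023, 2, 1)},
    "jump-02":    {"ip": "10.0.2.7",  "owner": "platform", "last_patched": date(2024, 9, 1)},
}

# Constructed sample data: addresses that answered a network discovery scan.
DISCOVERED = {"10.0.1.10", "10.0.1.20", "10.0.3.5", "10.0.1.99"}

PATCH_SLA_DAYS = 30  # assumed patching window for this example


def reconcile(inventory, discovered, today, sla_days=PATCH_SLA_DAYS):
    """Compare the register with live discovery and return three finding lists.

    unknown: addresses on the network that no inventory record claims
             (forgotten or shadow systems; nobody is patching them).
    stale:   inventory records whose address did not answer (decommissioned but
             never removed, or moved; either way the register is wrong).
    overdue: known, reachable hosts whose last patch date is older than the SLA.
    """
    known_ips = {rec["ip"] for rec in inventory.values()}
    unknown = sorted(ip for ip in discovered if ip not in known_ips)
    stale = sorted(name for name, rec in inventory.items() if rec["ip"] not in discovered)
    overdue = sorted(
        name for name, rec in inventory.items()
        if rec["ip"] in discovered and (today - rec["last_patched"]).days > sla_days
    )
    return {"unknown": unknown, "stale": stale, "overdue": overdue}


def run_sample():
    """Run the reconciliation over the constructed data as of a fixed date."""
    return reconcile(INVENTORY, DISCOVERED, today=date(2024, 10, 1))


if __name__ == "__main__":
    for kind, items in run_sample().items():
        print(f"{kind:8s}: {', '.join(items) or 'none'}")
```

Each finding list maps to one of the overlooked cases in the quote above: an unknown address is the forgotten server, a stale record is the decommissioning that never reached the register, and an overdue host is the unpatched endpoint.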
Follow along with us this Cybersecurity Month on LinkedIn as we showcase ISC2 member-driven articles from experience to guidance. If you are a small business or non-profit interested in support to drive a culture of cybersecurity, consider scheduling a free Cybersecurity Health, where you’ll receive a checklist to help you mitigate your cyber risk, available from ISC2’s charitable arm, the Center for Cyber Safety & Education and ISC2 volunteers.
ISC2 Webinar
New to the security industry? Or thinking about transitioning into an information security role? If so, this webinar is for you. Please join us for a virtual webinar, Security Industry 101: What Every Newcomer Needs to Know, on October 15 at 1:00 p.m. ET. The session will cover what you need to know about the cybersecurity field including: